Security
Security Assessment & Risk Review
Leveraging my experience as a cybersecurity writer and researcher, I identify critical security gaps in your systems before they can be exploited by attackers.
Service inclusions
- Web application pentesting
- Infrastructure security review
- Risk mitigation roadmap
- Security writing & documentation
- Engagement
- 1â4 weeks per engagement
- Investment
- Project-based, typically $1kâ$6k
Process
How the engagement runs
A short, written loop with a clear end-of-engagement artefact at every step.
- 01
Scope definition
We agree on the targets in writing: which apps, which infrastructure, and which kinds of issues you want surfaced. No vague "test everything" briefs.
- 02
Recon & threat model
I map the attack surface, identify the most likely attacker profiles, and produce a short threat model that drives the rest of the engagement.
- 03
Hands-on testing
Manual and assisted testing against the agreed scope, with weekly progress notes so you are never surprised by what the final report says.
- 04
Report & walkthrough
A written report prioritised by impact, plus a live walkthrough with your engineering team to make sure the fixes are actually actionable.
Deliverables
What you walk away with
Concrete artefacts in your own repository, not slides that age out of relevance.
- Written report ranked by severity and exploitability
- Reproduction steps for every confirmed finding
- Remediation guidance mapped to your current stack
- A 30-minute walkthrough call with your engineering team
- Optional re-test 30 days after fixes land
Fit check
Is this the right engagement for you?
Good fit
- You ship a web product and want a fresh set of eyes before launch
- Your team has limited offensive security experience
- You want a written artefact to share with investors, partners, or auditors
- You prefer a small, written engagement over a long retainer
Probably not a fit
- You need a continuous 24/7 monitoring or SOC offering
- You are looking for compliance certification (SOC 2, ISO 27001) execution
- Your environment requires on-site physical access testing
FAQ
Common questions
Do you run automated scanners or is this manual?
Both, but the value is in the manual review. Automated scanners produce most of their findings from public signature databases; the manual layer is what catches business-logic and chained-vulnerability issues.
Will the report name a CVSS score for each issue?
Yes, with a caveat: severity is rated by exploitability and business impact, not just the raw CVSS. I find that a CVSS-only ranking often buries the issues that actually matter to your product.
Can you sign an NDA?
Yes. I am happy to sign your mutual NDA before any scope document is exchanged, and the report itself is delivered only to the contacts you nominate.
Do you help with remediation?
The report includes remediation guidance for every finding, and a 30-minute walkthrough is included. I can quote a separate remediation sprint if your team would rather hand the fixes to me.
Ready when you are
Let's map your engagement
Share a short brief by email or WhatsApp and I will reply within one business day with a proposed scope and a time to talk.