Farros logo

Security

Security Assessment & Risk Review

Leveraging my experience as a cybersecurity writer and researcher, I identify critical security gaps in your systems before they can be exploited by attackers.

Service inclusions

  • Web application pentesting
  • Infrastructure security review
  • Risk mitigation roadmap
  • Security writing & documentation
Engagement
1–4 weeks per engagement
Investment
Project-based, typically $1k–$6k
Security Assessment & Risk Review

Process

How the engagement runs

A short, written loop with a clear end-of-engagement artefact at every step.

  1. 01

    Scope definition

    We agree on the targets in writing: which apps, which infrastructure, and which kinds of issues you want surfaced. No vague "test everything" briefs.

  2. 02

    Recon & threat model

    I map the attack surface, identify the most likely attacker profiles, and produce a short threat model that drives the rest of the engagement.

  3. 03

    Hands-on testing

    Manual and assisted testing against the agreed scope, with weekly progress notes so you are never surprised by what the final report says.

  4. 04

    Report & walkthrough

    A written report prioritised by impact, plus a live walkthrough with your engineering team to make sure the fixes are actually actionable.

Deliverables

What you walk away with

Concrete artefacts in your own repository, not slides that age out of relevance.

  • Written report ranked by severity and exploitability
  • Reproduction steps for every confirmed finding
  • Remediation guidance mapped to your current stack
  • A 30-minute walkthrough call with your engineering team
  • Optional re-test 30 days after fixes land

Fit check

Is this the right engagement for you?

Good fit

  • You ship a web product and want a fresh set of eyes before launch
  • Your team has limited offensive security experience
  • You want a written artefact to share with investors, partners, or auditors
  • You prefer a small, written engagement over a long retainer

Probably not a fit

  • You need a continuous 24/7 monitoring or SOC offering
  • You are looking for compliance certification (SOC 2, ISO 27001) execution
  • Your environment requires on-site physical access testing

FAQ

Common questions

Do you run automated scanners or is this manual?

Both, but the value is in the manual review. Automated scanners produce most of their findings from public signature databases; the manual layer is what catches business-logic and chained-vulnerability issues.

Will the report name a CVSS score for each issue?

Yes, with a caveat: severity is rated by exploitability and business impact, not just the raw CVSS. I find that a CVSS-only ranking often buries the issues that actually matter to your product.

Can you sign an NDA?

Yes. I am happy to sign your mutual NDA before any scope document is exchanged, and the report itself is delivered only to the contacts you nominate.

Do you help with remediation?

The report includes remediation guidance for every finding, and a 30-minute walkthrough is included. I can quote a separate remediation sprint if your team would rather hand the fixes to me.

Ready when you are

Let's map your engagement

Share a short brief by email or WhatsApp and I will reply within one business day with a proposed scope and a time to talk.