Security Engineering

ArchitectsWho Attack

Findings are temporary. Controls are permanent. We spent years breaking systems; now we build the controls that make entire classes of vulnerability impossible, shipped alongside your developers.

  • Attacker Mindset
  • Secure by Default
  • CI/CD Security Gates
threat-model.dwgtrust boundaries
boundary · public
Edge / CDN + WAF
boundary · authn
API
Auth
boundary · data
Encrypted Store · KMS
  • T1 · Untrusted IngressSTRIDE: Spoofing → mTLS + WAF

  • T2 · Auth BoundaryTampering → signed JWT, short TTL

  • T3 · Data at RestDisclosure → KMS envelope crypto

rev. C — secure by defaultsigned · drano gate ✓

// The Principle

Classes, not instances.

A pentest hands you a list of instances: this endpoint, that parameter, this one repo. We go after the class. Fix the instance and it returns next sprint. Kill the class and the entire category of bug stops being possible. Findings are temporary, controls are permanent, so we build the controls and ship them alongside your developers, where the secure path becomes the default path.

Fix the instance, it comes back. Kill the class, it's gone.

// The Closed Loop

Attack. Build. Re-Test.

Most firms stop at the finding. We run the whole loop. Our offensive team proves a class is exploitable, our engineers build the control that erases it, then we turn the same playbook back on the control to prove the category is dead. The people who can break it are the ones who sign off that it's fixed.

02

Build

We engineer the control that makes the class impossible: a CI/CD gate, a paved road, a safe-by-default library. Then we backfill the existing instances.

The work on this page
03

Re-Test

We run the original offensive playbook against the new control to prove the category is gone, and the gate keeps it gone on every future commit.

Validated, not assumed

// Case Studies

Classes We've Killed

Real engagements, real numbers, each one framed by the category of bug it took off the board for good.

FeaturedClass killed: Hardcoded secrets

Secrets Die at the Keyboard

Fast-growing tech company (1,200+ employees)

Problem

Hardcoded secrets scattered across 500+ repos. Cleanup was endless whack-a-mole because nothing stopped the next one from landing.

Solution

Drano framework: a commit-time gate that blocks secrets before they ever reach the remote.

How we built it

GitLab CI plus a server-side pre-receive hook. Detection layers regex signatures, Shannon-entropy scoring, and live credential verification (the scanner calls the provider to confirm a key is active), holding false positives under ~2%. A blocked push auto-opens a remediation MR. Polyglot coverage across JS/TS, Python, Go, and Java.

Cleaning up backwards doesn't work unless you prevent it forward.

// By the numbers

0

New hardcoded secrets in 18 months

100%

Commits scanned before merge

500+

Repos protected

Access in Minutes, Not Days

Enterprise tech company (20,000 employees)

Class killed: Standing privilege

AWS privileged access took 3 to 5 business days, so developers built workarounds and standing access piled up.

Self-service just-in-time access with automated, tag-routed approvals.

How we built it

A Slack-native request bot brokers short-lived, scoped credentials through AWS IAM Identity Center and STS, with 15 to 60 minute TTLs and approvals routed by resource tag. Shipped as Terraform modules so every new account inherits JIT by default, with a full audit trail streamed to the SIEM.

3-5d → 5m

Access provisioning time

90%

Reduction in standing privileges

0

Productivity loss for engineers

Developers stopped working around controls because they didn't need to.

Stop Breached Credentials at Login

B2B SaaS platform

Class killed: Account takeover via known-breached passwords

Account takeovers using credentials from public breaches, with no signal at the auth layer to catch them.

Real-time breached-credential screening wired into the login and password-set flows.

How we built it

k-anonymity range queries against a HaveIBeenPwned-style breached-hash corpus (only a 5-character SHA-1 prefix ever leaves the perimeter), backed by an internal bloom filter of org-specific leaks. A Go service behind edge middleware adds under 100ms at p95.

15,000+

Compromised credentials blocked (month 1)

73%

Reduction in ATO attempts

<100ms

Added latency (zero friction)

We blocked more compromised credentials in month one than we expected in a year.

From Role Sprawl to Least Privilege

Cloud-native tech company

Class killed: Over-privileged, ad-hoc IAM roles

400+ ad-hoc IAM roles with wildcard actions. No one could say who had access to what.

Usage-mined permission bundles, codified and gated so sprawl can't return.

How we built it

We mined 90 days of CloudTrail with IAM Access Analyzer and Access Advisor to compute least-privilege policies, collapsed 400+ roles into 12 permission-set bundles, and codified them in Terraform. Policy-as-code gates (OPA/Conftest) now fail any PR that introduces a wildcard action.

400+ → 12

Roles consolidated to bundles

85%

Reduction in over-privileged access

Auto

Access reviews & compliance

We finally know who has access to what, and can prove it to auditors.

AppSec Program from Zero

Series B startup scaling fast

Class killed: No SDLC guardrails (whole-program gap)

No security program, ad-hoc vuln handling, and auditors starting to ask hard questions.

A full AppSec program: governance, SDLC integration, and triage that runs itself.

How we built it

SAST with custom Semgrep rulesets, SCA and SBOM via Syft and Grype, DAST in staging, and secret scanning, all wired as required CI gates. Severity-routed triage opens tickets with SLAs, and per-service threat-model templates make design review repeatable.

6 mo

To SOC 2 Type II

Weeks → 48h

Critical vuln resolution

Enabler

Security became, not blocker

Security went from 'that thing we need to do' to a competitive advantage.

// The Catalog

Programs We Build

Named, repeatable engagements that map to our offensive-plus-build DNA. Each one comes with a problem it solves, what we build, and the proof it worked.

Flagship

Class-Kill Sprints

Our flagship. The thesis, productized.

Problem
One vulnerability class keeps coming back no matter how many tickets you close.
What we build
A fixed-scope sprint that picks one class (secrets, SSRF, insecure deserialization, IDOR, over-privileged IAM) and eliminates it across the whole codebase: a gate to stop new instances, a backfill to clear the existing ones, and developer enablement so it never returns.
Proof
The class stops showing up in your pentests. You keep the gate, the before/after counts, and the runbook.

AI & Agent Security Engineering

Own the build side before competitors do.

Problem

You're shipping LLM and agentic features faster than anyone can secure them.

Build

LLM guardrail frameworks for prompt-injection and output filtering, least-privilege tool and sandbox design for agents, RAG pipelines hardened against retrieval injection and data poisoning, and continuous AI red-team harnesses run as code.

Proof

Guardrails with test coverage, an agent permission model, and a red-team harness that re-runs on every model or prompt change.

Supply Chain & Build Integrity

Post-xz, post-SolarWinds catnip.

Problem

A dependency or build server is your softest path straight to production.

Build

SLSA-style provenance, artifact signing with Sigstore and cosign, SBOM pipelines, hermetic and reproducible builds, and dependency-confusion defenses.

Proof

Signed, verifiable artifacts, an SBOM for every release, and a build you can prove was never tampered with.

Paved Roads & Golden Paths

Platform engineering meets security.

Problem

Security depends on every engineer remembering to do the right thing.

Build

Secure-by-default service templates, a scaffolder so the secure path is the default path, and policy-as-code gates that fail the build on deviation.

Proof

Every new service is born compliant. Staying secure is automatic; deviating takes deliberate effort.

Identity Modernization

Standing access is your widest blast radius.

Problem

Standing privilege and password sprawl still own your largest attack surface.

Build

Workload identity with SPIFFE and SPIRE, passwordless authentication, and standing-privilege elimination, run as a recurring program instead of a one-off.

Proof

Short-lived workload credentials, fewer standing roles every quarter, and an access trail auditors trust.

Detection-as-Code & Purple Automation

The defensive expression of our offensive tooling.

Problem

You have alerts, but no proof they fire on a real attack.

Build

Detections written as version-controlled code, mapped to MITRE ATT&CK, and validated by running our own offensive tools (Hawk, Spoofy) as the adversary inside CI.

Proof

Every detection ships with a test that a real attack triggers it, and coverage is tracked against ATT&CK.

// How We Engage

Two Ways to Work With Us

It comes down to one decision: do you have a defined project, or an ongoing capability gap?

Defined project

Project-Based Deliverables

2 to 8 weeks, typical

Pick a program from the catalog or bring your own scope. Fixed objectives, clear acceptance criteria, and your team owns it when we leave.

  • Scoped deliverables with acceptance criteria up front
  • Pulls directly from the catalog, or your own target
  • Re-test included to prove the control holds
  • Knowledge transfer so your team owns it after
Ongoing capability gap

Embedded Talent

3 to 12 months

A senior security engineer joins your team, learns your stack, and ships alongside your developers. Pick the archetype that fits the gap.

AppSec Lead

SDLC gates, threat modeling, triage.

Cloud / Platform Security

IAM, IaC, Kubernetes hardening.

Detection & Response

Detection-as-code, purple automation.

AI Security Engineer

Guardrails, agent and RAG hardening.

A typical first 90 days

  1. First 30

    Map the stack, the threat model, and the highest-leverage class to kill first.

  2. By 60

    Ship the first controls and gates, and backfill the worst existing instances.

  3. By 90

    Hand off paved roads and runbooks so your team runs it without us.

Embedded engineer vs. hiring an FTE

EmbeddedHire an FTE
Time to productive
Days
3 to 6 months to source, hire, and ramp
Loaded cost
Monthly retainer, no benefits, equity, or severance
~$220k to $320k+ fully loaded for a senior security engineer
Ramp risk
Senior from day one
Hope the hire works out
Flexibility
Scale up, down, or end clean
Hiring and firing overhead
Knowledge transfer
Built into the engagement
Walks out the door when they leave

Cost figures are illustrative market ranges, not a quote. Verify before publishing.

Need to stand up an entire platform-security org, not fill one seat?

See our Platform Security practice

Ready to Kill a Class?

Tell us which category of bug keeps coming back, or where security is slowing your engineers down. We'll design the control that makes the secure path the easy path, and ship it with your team.