Manual review finds what scanners miss.
Automated scanners catch what they can pattern-match. Expert manual review finds what they miss: business-logic flaws, broken access control paths, cryptographic misuse, and multi-step abuse chains that only become visible when you understand what the code is supposed to do.
Typical turnaround: 24–48 hours for PR-level reviews up to ~2,000 lines of touched code in supported languages. Module deep-dives and full-codebase audits run on a scoped throughput rate (5–10 kLOC per reviewer-day for security-focused review), with staged findings and interim delivery for large codebases. All findings are CWE-tagged, CVSSv4-scored, and include reproduction steps and remediation guidance.
What we review and where.
What We Review — Always
- Authentication & authorisation — broken access control (OWASP #1), IDOR, privilege escalation paths, session management, OAuth/OIDC flow correctness, and JWT pitfalls
- Injection flaws — SQL/NoSQL/LDAP/OS command injection, SSTI, SSRF, XXE, and prototype pollution across all supported languages
- Cryptography — algorithm selection, key derivation (PBKDF2, Argon2, bcrypt), nonce and IV handling, timing side-channels, and TLS configuration
- Input validation & output encoding — XSS, unsafe deserialization, path traversal, and format string vulnerabilities
- Secrets & sensitive data — hardcoded credentials, secrets in logs, insecure storage, and data exposure through error handling
- Supply chain & dependencies — SBOM impact, transitive risk, licence obligations, and dependency confusion risk
Platforms & Artifacts
- Web & APIs — major server-side languages and runtimes; REST, GraphQL, and gRPC interfaces
- Frontend — SPA and SSR frameworks; browser security model, CSP, trusted types, and subresource integrity
- Mobile — iOS and Android source, build pipelines, and compiled application packages
- Desktop & drivers — Windows/macOS/Linux applications, kernel modules, and driver code with emphasis on memory safety
- Embedded & firmware — C/C++ MCU code, bootloaders, RTOS applications, and secure update handler logic
- Cloud & IaC — IaC templates and modules; Kubernetes manifests, Helm charts, and policy-as-code
- CI/CD — pipeline configurations; pipeline isolation, secret handling, and workflow injection risk
What scanners cannot find.
The most impactful vulnerabilities in production systems are rarely the ones that pattern-match to a known CWE. They require understanding intent.
Business Logic Flaws
- Authorisation checks that exist but are enforced in the wrong layer, or are bypassable via alternative API paths
- Race conditions in financial transactions, inventory, or quota-enforcement logic
- Multi-tenant data boundaries that hold under normal use but fail under specific request sequences
- Privilege escalation that requires chaining multiple individually low-severity operations
Cryptographic Misuse
- Correct algorithm, wrong usage: ECB mode, static IVs, nonce reuse in stream ciphers
- Homegrown padding schemes, MAC construction errors, and length extension vulnerabilities
- Token signing with weak keys, algorithm confusion (RS256 vs. HS256), and missing signature verification
- Timing side-channels in comparison functions for secrets and MACs
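As an added example (not the page's or the service's own code; the key, claims and function names are constructed for illustration), a minimal HS256 token verifier in the flawed shape a review would flag beside its hardened form. It covers three items on the list above: the token header choosing the algorithm (the same family of mistake as RS256/HS256 confusion, and the route to missing signature verification), a plain `==` on the MAC bytes (a timing side-channel), and claims trusted without an expiry check.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key for this example only; a real service loads it from a secret store.
DEMO_KEY = b"constructed-demo-key-not-for-production"
# Server-side allow-list: the verifier, never the token header, decides the algorithm.
ALLOWED_ALGS = frozenset({"HS256"})


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def _hs256(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWS (header.payload.signature) over the claims with HMAC-SHA256."""
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(claims)
    return signing_input + "." + _b64url(_hs256(signing_input, key))


def unsigned_token(claims: dict) -> str:
    """Constructed test input: a token whose header declares alg 'none' and carries
    no signature, used to show which verifier accepts it."""
    return _json_segment({"alg": "none", "typ": "JWT"}) + "." + _json_segment(claims) + "."


def verify_weak(token: str, key: bytes) -> Optional[dict]:
    """The shape a review flags: the token's own header selects the algorithm, so a
    header saying 'none' switches signature checking off, and '==' on the signature
    bytes stops at the first mismatch (a timing side-channel on the MAC)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(payload_b64))
    expected = _hs256(header_b64 + "." + payload_b64, key)
    if _b64url_decode(sig_b64) == expected:
        return json.loads(_b64url_decode(payload_b64))
    return None


def verify_strict(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Hardened form: the algorithm comes from a server-side allow-list, the MAC is
    compared in constant time, and 'exp' is enforced before the claims are trusted."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:  # wrong segment count, bad base64url or malformed JSON
        return None
    if header.get("alg") not in ALLOWED_ALGS:
        return None
    expected = _hs256(header_b64 + "." + payload_b64, key)
    if not hmac.compare_digest(_b64url_decode(sig_b64), expected):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims
```

The design point is that `verify_strict` never reads the algorithm from untrusted input: the allow-list is fixed server-side, so a header that names `none`, or a different algorithm than the key was issued for, fails before any cryptography runs. The `now` parameter only exists so the expiry check is deterministic in tests.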
Access Control Architecture
- IDOR patterns hidden behind non-sequential IDs or GUIDs that are still guessable or enumerable
- Authorisation enforced at the controller but missing at the service or data layer
- OAuth scope misconfigurations granting broader access than the application UI implies
- JWT claims trusted without re-validation against a source of truth on each request
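An added example (not part of the original page; the tenant names, document IDs and function names are constructed for illustration) for the point made under Business Logic Flaws and again in this list: an ownership check that lives only in one controller is bypassed by any later path that reuses the same repository, whereas a repository scoped to the caller's tenant holds across every path, GUIDs or not.

```python
import uuid
from typing import Callable, Dict, Optional

# Constructed in-memory data set standing in for a multi-tenant documents table.
TENANT_A = "tenant-a"
TENANT_B = "tenant-b"
DOC_A = str(uuid.UUID(int=1))  # fixed GUIDs so the checks below are deterministic
DOC_B = str(uuid.UUID(int=2))
DOCUMENTS: Dict[str, dict] = {
    DOC_A: {"id": DOC_A, "tenant_id": TENANT_A, "body": "A's quarterly numbers"},
    DOC_B: {"id": DOC_B, "tenant_id": TENANT_B, "body": "B's quarterly numbers"},
}


class PermissionDenied(Exception):
    pass


# --- The shape a review flags: the data layer is tenant-blind -------------

class TenantBlindRepo:
    def get(self, doc_id: str) -> Optional[dict]:
        # Any caller that presents a valid GUID gets the row, whoever owns it.
        return DOCUMENTS.get(doc_id)


def weak_get_document(caller_tenant: str, doc_id: str) -> dict:
    """Primary endpoint: this controller remembers to check ownership."""
    doc = TenantBlindRepo().get(doc_id)
    if doc is None or doc["tenant_id"] != caller_tenant:
        raise PermissionDenied(doc_id)
    return doc


def weak_export_document(caller_tenant: str, doc_id: str) -> str:
    """Alternative path added later (export) that reuses the repository but never
    repeats the check, so the controller-level guard is bypassed."""
    doc = TenantBlindRepo().get(doc_id)
    if doc is None:
        raise KeyError(doc_id)
    return f"{doc['id']},{doc['body']}"


# --- Hardened form: the boundary lives in the data layer ------------------

class TenantScopedRepo:
    def __init__(self, tenant_id: str) -> None:
        # Fixed at construction from the caller's authenticated session, not from the request.
        self._tenant_id = tenant_id

    def get(self, doc_id: str) -> Optional[dict]:
        # Equivalent of WHERE id = ? AND tenant_id = ?: a foreign row is
        # indistinguishable from a missing one, so no caller can leak it.
        doc = DOCUMENTS.get(doc_id)
        if doc is None or doc["tenant_id"] != self._tenant_id:
            return None
        return doc


def strict_get_document(caller_tenant: str, doc_id: str) -> dict:
    doc = TenantScopedRepo(caller_tenant).get(doc_id)
    if doc is None:
        raise PermissionDenied(doc_id)
    return doc


def strict_export_document(caller_tenant: str, doc_id: str) -> str:
    # Same omission as weak_export_document (no explicit ownership check), now
    # harmless: the repository cannot return another tenant's row.
    doc = TenantScopedRepo(caller_tenant).get(doc_id)
    if doc is None:
        raise PermissionDenied(doc_id)
    return f"{doc['id']},{doc['body']}"


def is_readable(fn: Callable[[str, str], object], caller_tenant: str, doc_id: str) -> bool:
    """Reports whether a given path returns the row to the given caller."""
    try:
        fn(caller_tenant, doc_id)
        return True
    except (PermissionDenied, KeyError):
        return False
```

In a review, the finding is not the missing line in `weak_export_document`; it is that nothing stops the next endpoint from making the same omission. Moving the tenant filter into the repository (or a database policy such as row-level security) turns every future controller into a safe caller by construction.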
Automated where it helps. Human where it matters.
Automation in Reviews
- Tuned SAST/SCA — language-specific tools configured to suppress noise from known false-positive patterns in your codebase; every finding is manually triaged before delivery and the false-positive rate is reported alongside the results
- Policy-as-code for admission control and CI gate enforcement
- Pre-commit hooks and language-specific linters integrated without disrupting developer workflow
- Required status checks and branch protection configuration in major SCM platforms
- Works with monorepos; per-service scope filtering to avoid alert flooding
Deliverables
- Inline PR comments — findings anchored directly to the affected lines of code; reviewers see context without switching tools
- Summary report — CWE-tagged, CVSSv4-scored findings with reproduction steps, impact description, and remediation guidance
- Proof-of-concept code where reproduction aids clarity — scoped to demonstrate the vulnerability, not to provide a weaponised exploit
- Secure coding patterns and referenced documentation for the recommended fix
- Retest confirmation on remediated findings upon request
- Enablement documentation: reviewer prompts, security champion guide, and recommended automation configuration
