Embedded engineering. Original research. Formal methods.

Security built in from first principles — not bolted on at the end. We integrate research and engineering across the full development lifecycle: from threat-modelled architecture and security-native implementation through expert code review, original vulnerability research, and formal verification for systems where failure is not an option.

NIST SSDF · OWASP SAMM · IEC 62443 · Common Criteria · FIPS 140-3 · SLSA · DO-178C
STANDARDS

What we hold the work to.

Development Standards

  • NIST SP 800-218 (SSDF): Secure Software Development Framework (prepare, protect, produce, respond)
  • OWASP SAMM v2: Software Assurance Maturity Model for benchmarking and roadmap planning
  • NIST SP 800-160 Vol. 1 & 2: systems security engineering and cyber-resiliency engineering
  • ISO/IEC 27034: application security controls and organisational normative framework
  • SLSA Framework: supply chain levels for software artifacts (provenance, build integrity, source control)
  • CIS Benchmarks: hardening baselines for OS, container, cloud, and network configurations

High-Assurance Frameworks

  • Common Criteria (ISO/IEC 15408): EAL evaluation support, protection profile authoring, assurance activity planning
  • FIPS 140-3: cryptographic module design, implementation guidance, pre-validation readiness
  • DO-178C / DO-326A: avionics software assurance and airworthiness security process considerations
  • IEC 62443: industrial automation and control system security for OT/ICS environments
  • UNECE WP.29 / ISO 21434: automotive cybersecurity engineering and vehicle type approval
  • IEC 62368-1 / ETSI EN 303 645: consumer and IoT device security baseline requirements

Supply Chain & Pipelines

  • SBOM generation & analysis: CycloneDX and SPDX formats; dependency risk assessment and licence compliance
  • Artifact provenance: SLSA build levels, in-toto attestations, cryptographic artifact signing
  • CI/CD hardening: pipeline isolation, secret management, ephemeral build environments, admission gates
  • Dependency pinning & SCA: transitive risk analysis, vulnerability triage, automated update policy
  • Policy-as-code: admission controller policies for Kubernetes and cloud environments
  • VEX statements: Vulnerability Exploitability eXchange for downstream consumer communication

CAPABILITIES

Research, embedded, high-assurance.

Vulnerability Research

  • Targeted vulnerability research: deep investigation of specific components, protocols, or systems to surface novel, previously unknown vulnerabilities
  • Exploit development: proof-of-concept exploit construction to validate severity, confirm exploitability, and support remediation prioritisation
  • Fuzzing campaigns: coverage-guided fuzzing and grammar-based fuzzing for protocol and parser targets
  • Binary & protocol analysis: reverse engineering of closed-source components, proprietary protocols, and compiled binaries
  • Custom security tooling: bespoke scanners, fuzzers, detection rules, and research instrumentation built to your requirements
  • All findings handled under a documented Coordinated Vulnerability Disclosure (CVD) process

Embedded, IoT & OT Security

  • Secure boot & firmware integrity: chain of trust design, bootloader hardening, measured boot, anti-rollback mechanisms
  • TrustZone & OP-TEE: trusted execution environment design, Trusted Application development, secure world isolation
  • HSM & secure element integration: key provisioning, attestation, hardware-bound credential management
  • Firmware security review: static analysis, JTAG/SWD debug access assessment, binary hardening verification
  • Secure OTA update architecture: signed update manifests, delta patching, rollback protection, update server security
  • IEC 62443 / UNECE WP.29: industrial and automotive security process alignment and gap assessment

High-Assurance & Formal Methods

  • Formal specification & model checking: tools for protocol correctness and security property verification
  • Common Criteria readiness: security target authoring, protection profile analysis, assurance activity support for EAL evaluation
  • FIPS 140-3 preparation: cryptographic module boundary definition, algorithm selection, pre-validation documentation
  • Safety-security co-engineering: DO-178C / DO-326A for avionics; IEC 61508 / IEC 62443 for safety-critical industrial systems
  • Memory-safe language migration: migration strategy, safe wrapper design, incremental rewrite planning for legacy codebases

HOW WE ENGAGE

Embedded or project-based.

Embedded Engineering

  • Dedicated engineer(s) allocated to your team for the engagement duration
  • Participation in sprint planning, design sessions, and retrospectives
  • Continuous PR review and security advisory throughout development
  • Threat modelling and architecture review at each feature milestone
  • Knowledge transfer and security champion enablement as a built-in outcome
  • Weekly written summary of findings, decisions, and open risks

Project-Based & Advisory

  • Defined scope, timeline, and deliverables agreed before work begins
  • Interim findings issued during engagement for high-severity issues — no waiting for the final report
  • Parallel workstreams across architecture, code, and verification available for large scopes
  • Accelerated scheduling available for pre-release or compliance deadlines
  • Retainer option for ongoing vulnerability research or periodic review cycles
  • Advisory-only engagements available for design review and threat modelling without full implementation access

DELIVERABLES

What ships at the end.

Architecture & Design

  • Threat model document with STRIDE/PASTA analysis, data-flow diagrams, and mitigations mapped to controls
  • Architecture decision records (ADRs) with security rationale
  • Reference architecture diagrams and trust-boundary specifications
  • Secure-by-default IaC modules and application framework templates
  • Security requirements specification tied to assurance level

Review & Research

  • Code review report: CWE-tagged findings, CVSSv4 severity, reproduction steps, remediation guidance
  • Vulnerability research report with technical write-up and proof-of-concept
  • Fuzzing campaign report: crash triage, root cause analysis, coverage metrics
  • SBOM (CycloneDX / SPDX) with risk assessment and VEX statements
  • Binary analysis report for closed-source or firmware targets

Engineering & Assurance

  • Secure coding standard and developer guidance documentation
  • CI/CD security gate configuration and policy-as-code rules
  • Custom security tooling with source code and documentation
  • Verification & validation report with test evidence for sign-off
  • Common Criteria security target or protection profile (where applicable)

IP, NDA & DISCLOSURE

Yours by default.

Work produced under engagement belongs to the client upon payment. Vulnerabilities found in third-party components are handled under a documented CVD process.

Intellectual Property

  • Work-for-hire by default: all code, tooling, documentation, and research produced under engagement belongs entirely to the client upon payment
  • No Grilli Security background IP is incorporated into client deliverables without explicit written disclosure and licence grant
  • Open-source components used in deliverables are identified with licence obligations documented in the SBOM
  • IP terms are finalised and signed before any work begins — no ambiguity at project close

Confidentiality

  • Mutual NDA executed before any code, architecture, or system information is shared
  • Source code and proprietary information handled on isolated, access-controlled systems — never stored in shared or cloud-sync environments without explicit agreement
  • All research artefacts (exploits, PoCs, vulnerability details) treated as strictly confidential and returned or destroyed at engagement close
  • No publication, blog post, or public disclosure of client-specific findings without explicit written consent

Coordinated Vulnerability Disclosure

  • CVD process: vulnerabilities discovered in third-party components are handled in alignment with ISO/IEC 29147 and ISO/IEC 30111
  • Client is notified immediately upon discovery; disclosure timeline and approach agreed jointly before any vendor contact
  • CVE assignment support provided where applicable; advisory drafted in CSAF/CVRF format
  • No unilateral disclosure — the client's operational and legal interests are factored into every disclosure decision