Embedded engineering. Original research. Formal methods.
Security built in from first principles — not bolted on at the end. We integrate research and engineering across the full development lifecycle: from threat-modelled architecture and security-native implementation through expert code review, original vulnerability research, and formal verification for systems where failure is not an option.
NIST SSDFOWASP SAMMIEC 62443Common CriteriaFIPS 140-3SLSADO-178C
STANDARDS
What we hold the work to.
Development Standards
- NIST SP 800-218 (SSDF) — Secure Software Development Framework: prepare, protect, produce, respond
- OWASP SAMM v2 — Software Assurance Maturity Model for benchmarking and roadmap planning
- NIST SP 800-160 Vol. 1 & 2 — Systems security engineering and cyber-resiliency engineering
- ISO/IEC 27034 — Application security controls and organisational normative framework
- SLSA Framework — Supply chain levels for software artifacts: provenance, build integrity, source control
- CIS Benchmarks — Hardening baselines for OS, container, cloud, and network configurations
High-Assurance Frameworks
- Common Criteria (ISO/IEC 15408) — EAL evaluation support, protection profile authoring, assurance activity planning
- FIPS 140-3 — cryptographic module design, implementation guidance, pre-validation readiness
- DO-178C / DO-326A — avionics software assurance and airworthiness security process considerations
- IEC 62443 — industrial automation and control system security for OT/ICS environments
- UNECE WP.29 / ISO 21434 — automotive cybersecurity engineering and vehicle type approval
- IEC 62368-1 / ETSI EN 303 645 — consumer and IoT device security baseline requirements
Supply Chain & Pipelines
- SBOM generation & analysis — CycloneDX and SPDX formats; dependency risk assessment and licence compliance
- Artifact provenance — SLSA build levels, in-toto attestations, cryptographic artifact signing
- CI/CD hardening — pipeline isolation, secret management, ephemeral build environments, admission gates
- Dependency pinning & SCA — transitive risk analysis, vulnerability triage, automated update policy
- Policy-as-code — admission controller policies for Kubernetes and cloud environments
- VEX statements — Vulnerability Exploitability eXchange for downstream consumer communication
CAPABILITIES
Research, embedded, high-assurance.
Vulnerability Research
- Targeted vulnerability research — deep investigation of specific components, protocols, or systems to surface novel, previously unknown vulnerabilities
- Exploit development — proof-of-concept exploit construction to validate severity, confirm exploitability, and support remediation prioritisation
- Fuzzing campaigns — coverage-guided fuzzing and grammar-based fuzzing for protocol and parser targets
- Binary & protocol analysis — reverse engineering of closed-source components, proprietary protocols, and compiled binaries
- Custom security tooling — bespoke scanners, fuzzers, detection rules, and research instrumentation built to your requirements
- All findings handled under a documented Coordinated Vulnerability Disclosure (CVD) process
Embedded, IoT & OT Security
- Secure boot & firmware integrity — chain of trust design, bootloader hardening, measured boot, anti-rollback mechanisms
- TrustZone & OP-TEE — trusted execution environment design, Trusted Application development, secure world isolation
- HSM & secure element integration — key provisioning, attestation, hardware-bound credential management
- Firmware security review — static analysis, JTAG/SWD debug access assessment, binary hardening verification
- Secure OTA update architecture — signed update manifests, delta patching, rollback protection, update server security
- IEC 62443 / UNECE WP.29 — industrial and automotive security process alignment and gap assessment
High-Assurance & Formal Methods
- Formal specification & model checking — tools for protocol correctness and security property verification
- Common Criteria readiness — security target authoring, protection profile analysis, assurance activity support for EAL evaluation
- FIPS 140-3 preparation — cryptographic module boundary definition, algorithm selection, pre-validation documentation
- Safety-security co-engineering — DO-178C / DO-326A for avionics; IEC 61508 / IEC 62443 for safety-critical industrial systems
- Memory-safe language migration — migration strategy, safe wrapper design, incremental rewrite planning for legacy codebases
HOW WE ENGAGE
Embedded or project-based.
Embedded Engineering
- Dedicated engineer(s) allocated to your team for the engagement duration
- Participation in sprint planning, design sessions, and retrospectives
- Continuous PR review and security advisory throughout development
- Threat modelling and architecture review at each feature milestone
- Knowledge transfer and security champion enablement as a built-in outcome
- Weekly written summary of findings, decisions, and open risks
Project-Based & Advisory
- Defined scope, timeline, and deliverables agreed before work begins
- Interim findings issued during engagement for high-severity issues — no waiting for the final report
- Parallel workstreams across architecture, code, and verification available for large scopes
- Accelerated scheduling available for pre-release or compliance deadlines
- Retainer option for ongoing vulnerability research or periodic review cycles
- Advisory-only engagements available for design review and threat modelling without full implementation access
DELIVERABLES
What ships at the end.
Architecture & Design
- Threat model document with STRIDE/PASTA analysis, data-flow diagrams, and mitigations mapped to controls
- Architecture decision records (ADRs) with security rationale
- Reference architecture diagrams and trust-boundary specifications
- Secure-by-default IaC modules and application framework templates
- Security requirements specification tied to assurance level
Review & Research
- Code review report: CWE-tagged findings, CVSSv4 severity, reproduction steps, remediation guidance
- Vulnerability research report with technical write-up and proof-of-concept
- Fuzzing campaign report: crash triage, root cause analysis, coverage metrics
- SBOM (CycloneDX / SPDX) with risk assessment and VEX statements
- Binary analysis report for closed-source or firmware targets
Engineering & Assurance
- Secure coding standard and developer guidance documentation
- CI/CD security gate configuration and policy-as-code rules
- Custom security tooling with source code and documentation
- Verification & validation report with test evidence for sign-off
- Common Criteria security target or protection profile (where applicable)
IP, NDA & DISCLOSURE
Yours by default.
Work produced under engagement belongs to the client upon payment. Vulnerabilities found in third-party components handled under a documented CVD process.
Intellectual Property
- Work-for-hire by default — all code, tooling, documentation, and research produced under engagement belongs entirely to the client upon payment
- No Grilli Security background IP is incorporated into client deliverables without explicit written disclosure and licence grant
- Open-source components used in deliverables are identified with licence obligations documented in the SBOM
- IP terms are finalised and signed before any work begins — no ambiguity at project close
Confidentiality
- Mutual NDA executed before any code, architecture, or system information is shared
- Source code and proprietary information handled on isolated, access-controlled systems — never stored in shared or cloud-sync environments without explicit agreement
- All research artefacts (exploits, PoCs, vulnerability details) treated as strictly confidential and returned or destroyed at engagement close
- No publication, blog post, or public disclosure of client-specific findings without explicit written consent
Coordinated Vulnerability Disclosure
- CVD process — vulnerabilities discovered in third-party components handled aligned with ISO/IEC 29147 and 30111
- Client is notified immediately upon discovery; disclosure timeline and approach agreed jointly before any vendor contact
- CVE assignment support provided where applicable; advisory drafted in CSAF/CVRF format
- No unilateral disclosure — the client's operational and legal interests are factored into every disclosure decision
Get a written proposal
Send scope + timeline. Detailed SoW within 1 business day.
Open the form →
Email a senior practitioner
Direct line for scoping questions. NDA available on request before you share details.
hello@grillisecurity.com →
Active incident?
24/7 incident line. Triage call + retainer set-up inside the hour for new engagements.
+372 5610 1641 →
