Yinkozi
Contact
services

Security services for institutions where the consequences are largest.

Penetration testing across web, mobile, API, cloud, AI / LLM, hardware, and OT / SCADA. Red team and adversarial simulation. Architecture and threat-model review. Multi-year engagements with tier-1 banks, payment providers, government bodies, and energy operators.

Discuss an engagement
01 / capabilities

What the work covers.

Five service shapes, applied across the surfaces a tier-1 organisation actually has — not a fixed catalogue with checkboxes.

01

Penetration testing

Adversarial assessment of application, infrastructure, and product surfaces. Manual, research-driven, with custom tooling built per engagement. No checklist runs, no automated SaaS scans. The methodology stays human — local LLMs accelerate our tooling, they do not drive the work.

  • Web applications & APIs
  • Mobile applications (iOS, Android, embedded mobile)
  • Cloud infrastructure (AWS, Azure, GCP)
  • AI / LLM models — prompt injection, data exfiltration, model integrity
  • Hardware and embedded systems
  • Wireless, IoT, OT, SCADA
Deep dive
02

Red team and adversarial simulation

Goal-based, multi-vector engagements designed against the customer's actual adversary model — not a generic kill-chain exercise. Custom payloads, custom infrastructure, custom OSINT.

  • Full-scope red team — physical, network, application, social
  • Assumed-breach exercises (4-week to 6-month windows)
  • Purple-team collaboration with the customer's blue team
  • Tabletop and incident-response drills
Deep dive
03

Architecture and threat-model review

Pre-build review of new systems — done at the architecture stage, where security choices are still cheap to change. Threat-model-driven design with explicit attacker capability assumptions.

  • Architecture review for new and migrating systems
  • STRIDE / LINDDUN / PASTA threat-model facilitation
  • Cryptography review — protocol, primitive, and implementation
  • Identity, authentication, and authorisation systems
Deep dive
04

Source code review

Manual review of security-critical code where commercial static-analysis tools do not have enough context. We read the code the way an attacker would.

  • Manual review of security-critical paths
  • Custom static analysis for codebases off-the-shelf tools cannot reach
  • Cryptography implementation review
  • Build pipeline and software-supply-chain review
Deep dive
05

Continuing engagement

Most of our customer relationships are measured in years, not project IDs. We work as embedded engineers with a rotating scope — the methodology, instrumentation, and threat library compound over time.

  • Multi-year retainer with rotating coverage
  • Embedded engineers, not just project leads
  • Quarterly cadence and reporting rhythm
  • Threat library and instrumentation that grows with the customer
02 / specialty deep pages

Where the methodology gets specific.

Four surfaces where our methodology differs enough from a general pentest that they have their own page.

AI / LLM security

Prompt injection, RAG attacks, agent abuse, model integrity.

Read more
Mobile application security

Manual binary, runtime hooking, side-channel, real-device fleets.

Read more
Cloud security

AWS / Azure / GCP attack-path analysis. Not a CSPM scan.

Read more
SCADA / OT security

Refinery, pipeline, generation. Real PLCs, hardware-lab work.

Read more
Blockchain security

Smart contracts, bridges, validator sets, consensus clients, economic models.

Read more
Complex systems

Payment networks, voting, sovereign identity, multi-stakeholder protocols.

Read more
03 / engagement model

We don't ship a 200-page PDF and walk away.

Most of our customer relationships are multi-year. The engagement starts as a defined scope — a pentest, a red team, an architecture review — and becomes a continuing relationship measured in quarters, not weeks.

That continuity is the point. The methodology compounds. The threat library compounds. The instrumentation we built for last quarter's review still works for this quarter's. The customer gets engineers who actually know the system, not consultants ramping up from scratch every time.

The shape that doesn't fit us: one-off compliance pentests where the deliverable is a report PDF and a stamp.

04 / sectors

Where this work is concentrated.

Our customer base is small, deliberate, and concentrated in environments where security failures are existential.

01 — Banking
Tier-1 banks

Multi-year engagements at retail, corporate, and investment-bank surfaces. Africa, Europe, North America.

02 — Payments
Payment providers

Acquirers, processors, scheme-adjacent infrastructure. Mobile money, POS estates, agent banking.

03 — Government
Government bodies

National identity, payments, voting infrastructure, citizen-services platforms. Sovereign-deployment posture.

04 — Energy
Oil & gas, SCADA

Critical-infrastructure operators. SCADA, ICS, refinery and pipeline control systems.

05 — Telcos
Mobile network operators

Mobile money, agent network security, device estates, signalling and core infrastructure.

06 — Hardware
Hardware labs

Device, terminal, and embedded-system security work — the depth most consultancies do not maintain.

05 / start a conversation

Tell us what you are trying to defend.

We respond to inbound engagement requests within two business days. NDAs and MSAs available on request.

email