Yinkozi

Complex systems where the standard categories do not apply.

Payment networks. Voting infrastructure. Sovereign identity. Multi-stakeholder cryptographic protocols. Hardware-software hybrids that span continents and jurisdictions. We are known for the work that does not fit a service catalogue — the kind that requires engineering judgement before anyone can write a scope.

01 / what this means

Systems that need to be understood before they can be assessed.

A web pentest has a defined surface. A mobile pentest has a defined surface. A cloud audit has a defined surface. The systems on this page do not — they are interactions of subsystems, jurisdictions, and stakeholders that no commercial-services taxonomy covers cleanly.

Most security firms either decline this work or run it as if it were a standard pentest with a different scope sentence. The result is a report against the surface they happened to recognise — and the most consequential failure modes go unexamined because nobody on the engagement team had the depth to see them.

We are the firm customers reach for when they need to assess one of these systems and the obvious vendors have said no.

[Figure: Complex systems, a multi-stakeholder topology with crossing trust boundaries (stakeholders, trust seams, adversary positions). Panels: System under test: customer infrastructure (application, data, operations; identity, audit, settlement), the assessed boundary. Regulator: sovereign / scheme. Users: citizens / customers. Vendor / partner: third-party SaaS. Operator staff: internal, admin, field. Adversaries: insider, sovereign, criminal. Caption: the failure modes live at the seams, not inside any single actor's surface.]
02 / shapes we have worked on

The kinds of systems this means in practice.

Sanitised to respect non-disclosure. Each of these has been a real engagement.

Payment networks at national scale

Acquirer + scheme + processor + merchant interactions across multiple jurisdictions. Settlement, dispute, signed-message integrity, scheme-rule enforcement. The system is correct only when every actor's incentives are correctly modelled.

Voting and election infrastructure

Voter-roll integrity, ballot capture and chain-of-custody, tabulation, audit, results-publication. The threat model includes coercion, denial-of-service against legitimacy itself, and adversaries who control parts of the infrastructure.

Sovereign identity and KYC platforms

National-scale identity issuance and verification. Biometric custody, federated trust, cross-border verification, regulator access boundaries. The customer is a sovereign actor; the threat model includes other sovereign actors.

Mobile-money and agent banking

Continent-scale mobile-money platforms with thousands of agent endpoints, USSD bridges, settlement chains, and KYC pipelines. Adversaries operate at every layer — customer, agent, operator-staff insider, technical vendor.

Hardware-software hybrids

Payment terminals at fleet scale, agent-banking devices, hardware-bound identity tokens. Where the security boundary lives partly in silicon, partly in firmware, partly in cloud-side verification, and partly in field operations.

Multi-stakeholder cryptographic protocols

Threshold cryptography, federated PKI, signed-update protocols across vendor ecosystems, sovereign-key custody arrangements. The protocol must hold under adversarial parties at every position.

03 / how we approach it

Read first. Decide the methodology second.

Every engagement begins with a structured reading phase. Documentation, source where it is shared, deployment topology, regulatory environment, the customer's existing threat models, the vendor and partner landscape. The first deliverable is a written model of the system — not findings.

From the system model, we identify the load-bearing trust boundaries, the multi-actor failure modes, and the interfaces where adversarial assumptions are most underspecified. The methodology — what we test, how, with what tooling — is decided against that model.

Most engagements include custom tooling built specifically for the engagement: parsers for proprietary protocols, harnesses for multi-actor interaction, custom analysers for the customer's languages and stack. The tooling becomes part of what the customer keeps.

We accept these engagements only when the customer is willing to spend the reading-phase time. Pretending we can scope this kind of work without it would be dishonest.

04 / start a conversation

Tell us about the system other vendors won't take.
