Skip to content
Cyber ArmyCyber Army
ServicesSurace Monitor

Capabilities

We combine senior manual testing with modern tooling and AI assists to go deep—without noise. Evidence you can trust, guidance your engineers can ship, and guardrails your auditors respect.

What we emphasize

  • Manual-first with targeted automation (no scanner dumps)
  • Evidence-based findings: safe PoC, repro steps, and impact
  • Safe-in-prod options: change windows, traffic caps, allowlists
  • Standards-aligned: OWASP ASVS/MASVS, NIST SP 800-115, CIS Benchmarks

Application & API Security

  • OWASP ASVS/MASVS-aligned testing for web & mobile
  • AuthN/AuthZ and session hardening; SSO/OIDC/SAML flows
  • API risks incl. BOLA/BFLA, input validation, rate limiting, idempotency
  • GraphQL depth/complexity controls; schema & resolver access checks
  • Business-logic abuse (funds flows, limits, race conditions)
  • Webhook security: signature verification, replay windows, outbound SSRF

Cloud & Kubernetes

  • IAM least privilege (principals, roles, SCP/org policies)
  • Exposure sweeps (storage, SG/NSG rules, public endpoints)
  • KMS/HSM usage & key rotation; encryption at rest/in transit
  • Kubernetes RBAC, NetworkPolicy, Pod Security Standards, runtime hardening
  • Cluster & node isolation; image scanning and admission controls
  • Backup/snapshot hygiene and data egress controls

Identity & Access

  • SSO/OIDC/SAML setup, JIT/SCIM lifecycle, role mapping and drift
  • Break-glass paths and high-risk action step-up MFA
  • Service-to-service auth (mTLS, workload identity, token scope)
  • Tenant-aware RBAC/ABAC and cross-tenant isolation checks

CI/CD & Supply Chain

  • Secrets hygiene in repos, images, pipelines, and logs
  • Provenance & signing (e.g., Sigstore/SLSA), dependency pinning/SBOM
  • OIDC to cloud with least privilege; artifact & cache isolation
  • Build & release guardrails, branch protection, environment segregation

Data Protection & Secrets

  • Tokenization/minimization; PHI/PII handling and redaction by default
  • Central secrets management; short-lived credentials & rotation
  • Leak prevention in telemetry, crash reports, and analytics

LLM/AI Security

  • Prompt/indirect injection and tool-use abuse testing
  • RAG retrieval/data leakage via prompts, logs, or plugins
  • Policy/safety bypass evaluation; output manipulation risks
  • Threat modeling for assistants, plugin/webhook chains, and function calling

Detection & Resilience

  • Ransomware blast-radius reduction: segmentation, EDR, hardening
  • Immutable/offline backups and restore drills
  • Centralized logging, anomaly detection for auth/admin and exfiltration

Reporting & Remediation

  • Executive summary + developer-ready guidance with CVSS/exploitability
  • Code/config snippets, diffs, and references your team can ship
  • Rapid re-test for critical/high findings to verify closure
  • Optional mapping to SOC 2 / ISO 27001 / HIPAA safeguards

Want details for your stack? Explore services or request a proposal.