Service
We test your dApp, API, mobile app, and infrastructure the way a motivated attacker would, and document everything so your team can fix and your auditors can verify.
What you get
A reproducible list of exploitable findings, ranked by impact, with the evidence that any reviewer can verify.
Scope
Front-end dApps, custodial trading interfaces, wallet apps, admin panels. We cover the OWASP Top 10 baseline plus the Web3-specific issues: wallet-connect abuse, signature phishing, transaction spoofing.
REST, GraphQL, WebSocket, gRPC. Authentication, authorisation (IDOR, tenant isolation), rate limiting, input validation, secrets handling. We test the surface your auditors don't see.
AWS / GCP misconfigurations, IAM scope creep, validator and signer hardening, secrets in CI/CD pipelines, RPC node exposure. The on-chain layer is only as secure as the off-chain layer beneath it.
Optional. We test how your team responds to targeted phishing, malicious DMs in your operational channels, and fake mint links: the entry vectors that bypass the technology entirely.
Crypto-asset service providers (CASPs) under MiCA, financial entities under DORA Articles 24–27, and PSAN-registered firms in France must run periodic penetration testing on their ICT systems. We deliver pentests scoped to those regulatory expectations: documented methodology, reproducible findings, executive summary, and an attestation letter your supervisor (AMF, ACPR, or local NCA) can rely on.
Deliverables
Timeline. 1–4 weeks depending on scope. Re-test typically 3–5 days after your fixes are deployed.
FAQ
We default to grey box: we get credentials and minimal documentation, then explore from there. Black box wastes time on reconnaissance; full white box loses the attacker's perspective. Grey box gives you both depth and realism.
Yes. Our methodology is aligned with DORA Article 25 (testing of ICT tools and systems, including vulnerability assessments and penetration testing) and Article 26 (threat-led penetration testing for entities designated by their competent authority), MiCA's expectations on CASP ICT security, and the AMF / ANSSI requirements that apply to PSAN-registered firms in France. The deliverable includes the attestation letter and the methodology documentation supervisors ask for.
DORA Article 25 requires testing at least yearly on ICT systems and applications supporting critical or important functions, and Article 26 sets TLPT at least every three years for the entities in scope. MiCA-regulated CASPs are expected to test after every material change. In practice, an annual full-scope pentest plus targeted re-tests after each major release is the cadence we recommend.
Read more
What MiCA, DORA Articles 24–27, and the local PSAN regime actually require in terms of penetration testing, and how to satisfy your supervisor without overspending.
Read article →
DORA Article 26 mandates threat-led penetration testing for significant financial entities, including large CASPs. Here is what TLPT actually involves, how it differs from a standard pentest, and what to expect from a TIBER-EU-aligned engagement.
Read article →
Approval phishing is the dominant wallet-drain pattern on EVM chains. Here is how it works, why it works, and the operational habits that defeat it.
Read article →
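The approval-phishing teaser above names the pattern without showing it. The following is an added example, not code from the original page or from the service it describes: a pre-signing check that a wallet or dApp front-end could run on outbound EVM calldata to flag the two grants approval phishing relies on, an unlimited ERC-20 allowance and an ERC-721/1155 setApprovalForAll to an unfamiliar spender. The allow-list of trusted spenders, the risk tiers, and all addresses and calldata are assumptions constructed for the example; the 4-byte selectors are the standard ones.

```javascript
// Added example (not the page's own code): flag approval-phishing calldata
// before the user signs. Assumes `allowedSpenders` is a hypothetical per-dApp
// allow-list of router/marketplace contracts; sample addresses are constructed.

const MAX_UINT256 = (1n << 256n) - 1n;

// 4-byte function selectors (first 4 bytes of keccak256 of the signature).
const SELECTORS = {
  '095ea7b3': 'approve(address,uint256)',           // ERC-20 allowance (ERC-721 approve shares it)
  '39509351': 'increaseAllowance(address,uint256)', // OpenZeppelin ERC-20 extension
  'a22cb465': 'setApprovalForAll(address,bool)',    // ERC-721 / ERC-1155 operator grant
};

// ABI-encode one 32-byte word from a BigInt.
function word(value) {
  return value.toString(16).padStart(64, '0');
}

// Build calldata for an approval function; used here to construct sample inputs.
function encodeApproval(fn, spender, value) {
  const selector = Object.keys(SELECTORS).find((k) => SELECTORS[k] === fn);
  if (!selector) throw new Error(`unknown function ${fn}`);
  return '0x' + selector + word(BigInt(spender)) + word(value);
}

// Decode calldata if it is one of the approval functions above, else null.
function decodeApproval(data) {
  const hex = (data || '').toLowerCase().replace(/^0x/, '');
  const fn = SELECTORS[hex.slice(0, 8)];
  if (!fn || hex.length !== 8 + 2 * 64) return null;
  const arg = (i) => hex.slice(8 + 64 * i, 8 + 64 * (i + 1));
  return {
    fn,
    spender: '0x' + arg(0).slice(24), // address is the low 20 bytes of the word
    value: BigInt('0x' + arg(1)),     // allowance, or 0/1 for setApprovalForAll
  };
}

// Rate an outbound transaction before it is signed.
function assessApproval(tx, allowedSpenders) {
  const d = decodeApproval(tx.data);
  if (!d) return { risk: 'none', reason: 'not an approval call' };
  const trusted = allowedSpenders.map((a) => a.toLowerCase()).includes(d.spender);
  const operatorGrant = d.fn === 'setApprovalForAll(address,bool)';
  const unlimited = operatorGrant ? d.value === 1n : d.value === MAX_UINT256;

  if (operatorGrant && d.value === 0n) return { risk: 'low', reason: 'operator revocation' };
  if (unlimited && !trusted) return { risk: 'high', reason: `unlimited approval to unknown spender ${d.spender}` };
  if (unlimited) return { risk: 'medium', reason: 'unlimited approval to known spender; prefer an exact amount' };
  if (!trusted) return { risk: 'medium', reason: `approval to unknown spender ${d.spender}` };
  return { risk: 'low', reason: 'bounded approval to known spender' };
}

// Constructed sample: a known router versus a drainer contract (placeholder addresses).
const ROUTER = '0x1111111111111111111111111111111111111111';
const DRAINER = '0x2222222222222222222222222222222222222222';
const TOKEN = '0x3333333333333333333333333333333333333333';

const phishingTx = { to: TOKEN, data: encodeApproval('approve(address,uint256)', DRAINER, MAX_UINT256) };
const boundedTx = { to: TOKEN, data: encodeApproval('approve(address,uint256)', ROUTER, 10n ** 18n) };

console.log(assessApproval(phishingTx, [ROUTER])); // risk: high
console.log(assessApproval(boundedTx, [ROUTER]));  // risk: low
```

The check keys on the spender rather than on the token contract, because a phishing page typically has the victim sign a perfectly legitimate call to a real token whose only abnormal parameter is the spender. A bounded allowance to a known router is the operational habit the teaser refers to; the decoder also treats setApprovalForAll(..., false) as a revocation so that the defensive action is never flagged.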