Security Review Offering

Positioning

We provide practical, fast, founder-friendly security reviews for small teams and early-stage companies running services on VPS/cloud. Focus areas: web apps, APIs, infrastructure, and deployment pipelines. We deliver clear, prioritized findings with remediation steps and a 30/60/90-day uplift plan. Ideal for CTOs, dev teams, and solo founders who need an actionable security assessment without an enterprise audit price or heavy process.

Scope

Included asset types (single engagement):
- Public web application(s) and APIs (up to 3 domains/subdomains)
- One VPS/server (Linux) including deployed app and common services (Nginx, systemd, Docker if present)
- CI/CD pipeline review (one provider: GitHub Actions/GitLab CI/Bitbucket Pipelines)
- Basic cloud configuration review (one account/project; IAM, firewall rules)

Not included: deep mobile app reverse engineering, hardware, SCADA/OT, large multi-account cloud estates (see exclusions).

Tiers & Pricing

1) Essentials — $1,500
- Light external pentest + infra review
- Automated scans + manual verification
- 10–12 prioritized findings
- 1-hour walkthrough call
- Report (PDF + markdown)
- 2-week turnaround

2) Standard — $4,500
- Full web/API review (OWASP Top 10 + business logic checks)
- Internal host review for one VPS
- CI/CD and basic cloud config review
- 15–25 findings with remediation steps and severity
- 2-hour walkthrough call + recording
- One re-test of fixed items (up to 5)
- Report + executive summary + remediation roadmap
- 3-week turnaround

3) Premium — $9,500
- Standard scope expanded: up to 3 domains, up to 3 hosts
- Auth/account abuse, session management, advanced logic testing
- Configuration review across app, infra, and CI/CD
- Up to 40 findings + prioritized roadmap and 90-day uplift plan
- Two re-tests (up to 10 fixes)
- 4-hour workshop for devs + recording
- Report + tailored checklist + 60-day support (email)
- 4-week turnaround

Deliverables

- Executive summary (1 page)
- Full findings (markdown + PDF) with severity, impact, reproducible steps, PoC where applicable, and recommended fixes
- Remediation roadmap (30/60/90 days)
- CI/CD & infra checklist (actionable items)
- Test artifacts (Burp requests, scan exports) delivered in a secure artifact package where possible
- Rules of Engagement (signed) and Evidence Handling statement

Process

1. Intake (1–2 days): questionnaire, asset list, credentials (read-only where needed), Rules of Engagement (RoE) and evidence handling agreement
2. Recon & automated scanning (2–5 days depending on tier)
3. Manual testing and verification (3–10 days depending on tier)
4. Draft report and client review (2–4 days)
5. Final report, walkthrough call, re-test if included

Rules of Engagement (RoE) — summary

- Testing window: agreed dates/times and target IPs/domains
- Authorized assets: explicitly listed; no out-of-scope targets touched
- No social engineering or physical testing without explicit written approval
- Non-destructive testing by default; any intrusive or disruptive tests require a separate agreement and explicit sign-off
- Emergency contact: technical and legal contact details for coordination
- Acceptance of basic logging/noise on monitored environments

Evidence handling & retention

- Evidence collected (requests, responses, traces, PoC code, screenshots) will be packaged and delivered as part of the final artifact bundle unless otherwise requested.
- Sensitive customer data encountered during testing will be reported but not retained beyond the engagement unless explicit permission is granted. Any samples retained will be redacted and stored securely.
- Default retention: evidence is retained for 30 days after final delivery to allow for re-tests and dispute resolution; after 30 days artifacts are deleted unless client requests longer retention in writing (additional fees may apply).
- Transfer: artifacts are delivered via secure link (expiring) or encrypted archive; keys shared through a separate channel.

Client responsibilities

- Provide access (read-only credentials, staging environment if available) within 48 hours of engagement start
- Appoint a primary technical contact and provide contact details for emergency escalation
- Ensure backups and rollback plans are in place for production testing, if production is in scope
- Inform the security reviewer of any scheduled maintenance windows or monitoring that could interfere with testing
- Provide signed RoE and confirmation of acceptance of evidence handling and retention terms prior to testing

Communications cadence

- Kickoff: intake and RoE confirmation
- Daily updates (optional, recommended for Premium tier) via agreed channel during active testing
- Mid-engagement check-in (email or brief call) for Standard and Premium tiers
- Draft report review call scheduled within 2 business days of draft delivery
- Final walkthrough call and handoff
- Post-delivery support window described in the chosen tier (email support for 30/60 days depending on tier)

Timelines

- Essentials: 2 weeks total
- Standard: 3 weeks total
- Premium: 4 weeks total

Assumptions

- Client provides access (read-only credentials, staging if available) within 48 hours of engagement start
- One primary communication channel (Matrix room or email)
- No social engineering or destructive tests without explicit sign-off
- Reasonable cooperation from client for re-tests and clarifications

Exclusions

- Physical or social-engineering testing
- Mobile binary reverse engineering
- Extensive multicloud estates (multiple accounts/projects)
- Long-term monitoring, continuous scanning subscriptions (can be quoted separately)

Sample Findings Format

- ID: SR-001
- Title: Reflected XSS in search endpoint
- Severity: High
- Affected assets: https://example.com/search
- Description: Unsanitized user input is reflected in response and executed in browser context.
- Impact: Accounts can be hijacked, session tokens stolen, phishing attacks enabled.
- Reproduction steps: 1) Visit https://example.com/search?q=<script>alert(1)</script> 2) Observe that the alert runs in the browser. (Encoded requests/responses are provided in the artifact bundle.)
- Evidence: request/response snippets (delivered in artifact bundle)
- Recommendation: Properly escape output; apply input validation and Content Security Policy; use templating auto-escaping.
- References: OWASP XSS guidance
- Remediation difficulty: Medium
- Retest notes: What we'll check in the re-test
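To make the recommendation in the sample finding concrete, here is an added example (not part of the offering document and not a client's code) that puts the defective handler beside its hardened form. The endpoint, the `CSP_HEADER` value and the `MAX_QUERY_LEN` limit are assumptions chosen for illustration; the request URL is the reproduction URL from SR-001. The hardened handler applies the three controls the finding recommends: input validation (a length limit), output escaping (what an auto-escaping template does for you), and a Content-Security-Policy header. The `contains_script_tag` helper is the kind of check a re-test would run against the response body.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: the reproduction URL from finding SR-001.
SAMPLE_URL = "https://example.com/search?q=<script>alert(1)</script>"

# Assumed policy values for the hardened handler (not from the offering document).
CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'"
MAX_QUERY_LEN = 200


def query_param(url: str) -> str:
    """Return the raw `q` parameter exactly as the search endpoint would receive it."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("q", [""])[0]


def vulnerable_search(url: str) -> tuple[int, dict, str]:
    """The defect in SR-001: the query is interpolated into HTML without escaping."""
    q = query_param(url)
    body = f"<h1>Results for {q}</h1>"
    return 200, {"Content-Type": "text/html; charset=utf-8"}, body


def hardened_search(url: str) -> tuple[int, dict, str]:
    """Validate input, HTML-escape the reflected value, and send a CSP header."""
    q = query_param(url)
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP_HEADER,
    }
    # Input validation: reject oversized queries instead of reflecting them.
    if len(q) > MAX_QUERY_LEN:
        return 400, headers, "<h1>Query too long</h1>"
    # Output escaping: <, >, &, and quotes become entities, so the browser
    # renders the payload as text rather than parsing it as markup.
    body = f"<h1>Results for {html.escape(q, quote=True)}</h1>"
    return 200, headers, body


def contains_script_tag(body: str) -> bool:
    """Re-test check: does the response body still carry a raw <script> element?"""
    return "<script" in body.lower()


if __name__ == "__main__":
    for handler in (vulnerable_search, hardened_search):
        status, headers, body = handler(SAMPLE_URL)
        print(handler.__name__, status, headers.get("Content-Security-Policy"), body)
```

The re-test for a finding like SR-001 is then mechanical: replay the recorded request, confirm the response body contains only the entity-encoded form of the payload, and confirm the CSP header is present on the response.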

Liability & disclaimer (plain language)

- We strive to avoid disruption. Testing is performed in good faith under the signed RoE. While we follow non-destructive practices by default, testing any system carries a small risk of causing unexpected behavior.
- We are not liable for indirect or consequential damages resulting from testing, configuration changes, or client remediation actions. Clients should not rely on this engagement as their only security control.
- Findings are based on the state of systems during the engagement. New vulnerabilities may appear after testing completes; we recommend periodic reviews and continuous monitoring.

Pricing notes

- Travel and expenses not included (if on-site)
- Hourly rate for out-of-scope work: $200/hr
- Payment: 50% up-front, remainder on delivery

Contact

Schedule: create an issue in the project repo or DM via Matrix. Preferred contact: Ted on Matrix (provide room link).