FaustShield Quarterly penetration research  ·  written report

A full-scope security assessment

The vulnerabilities your scanners miss, found by a real researcher and returned with the exact patch.

Every audit is a deep review of your entire external footprint, carried out by a real security researcher rather than an automated scan. One engagement covers all domains, subdomains, applications, APIs, and exposed infrastructure within scope. Nothing is sampled and nothing is skipped.

The process is transparent from start to finish. Findings are shared with you as they are confirmed, each one reproduced, evidenced, and rated for business impact, then paired with a concrete fix and a prompt you can paste straight into your AI coding assistant. A complete and honest account of what is broken, how it is broken, and precisely how to close it.

$12M+
estimated breach exposure prevented across past engagements
40+
organisations assessed
5 days
typical window from first findings to final report
AI Prompts
one per finding, ready to paste into Cursor or Copilot

Full report. Every finding reproduced, rated, and explained.

Exact fixes. Specific remediation steps, not generic advice.

AI prompts. One concrete fix prompt per finding.

I.   secure intake

Begin an Audit

Tell us about your target, choose how you would like to work, and pay securely with Stripe. Your researcher begins as soon as checkout completes.

step 01 of 05  ·  organisation

This appears on the cover of your audit report.

step 02 of 05  ·  scope

List your primary domain and any subdomains, applications, or APIs you want assessed. If you are unsure whether something belongs, include it. A broad scope is encouraged and does not change the price.

Staging URLs, test accounts to use, known issues, or areas to leave alone.

step 03 of 05  ·  plan

Choose how you would like to work.

Recurring plans run on an annual term. A recent Single Audit can be credited toward Continuous.

step 04 of 05  ·  contact

Where should the findings be delivered?

Your researcher uses this to deliver the report and to reach you directly if a critical issue is found mid-engagement.

step 05 of 05  ·  payment

Confirm and pay.

Payment is processed securely by Stripe. Your audit begins the moment checkout completes.

Secure checkout via Stripe  ·  card details never touch our servers


II.   responsible disclosure

Disclosed to

Findings from past engagements have been reported responsibly to the organisations below, alongside forty or more private engagements held under NDA. Each issue was reported privately, remediated, and verified.

zero-day research  ·  responsible disclosure
status  ·  all remediated

III.   redacted, with written consent

Selected findings

A small, redacted sample of issues identified by a real researcher in live engagements. Targets are assessed proactively, without automated scanners, and nothing is published without written consent. The details below are paraphrased to protect the affected organisations.

i.

Broken object-level authorisation. Financial record mutation via a predictable resource identifier.

An account-statement endpoint performed no ownership check on the record being requested. Because record identifiers were sequential, any authenticated user could read and alter the financial records of any other account. Reproducing the issue required nothing more than a logged-in session and a browser developer console.

  • Attack vector: Network · low-privilege auth · no interaction required
  • Regulatory exposure: GDPR Art. 32 · PCI-DSS Req. 6.3 · OWASP API1:2023
  • Time to reproduce: Minutes from an authenticated session
severity · critical  ·  fintech platform  ·  REST API  ·  reported, patched, verified
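The ownership check that was missing in finding i, shown as an added example rather than code from the engagement or from FaustShield. The statement records, user identifiers and the `Statement` type are constructed; the point is that authentication upstream says nothing about which records the caller may touch, so the read and the mutation both have to consult the record's owner.

```python
"""
Added example (not FaustShield's code): an account-statement lookup with and
without an object-level ownership check. All data and names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Statement:
    record_id: int        # sequential in the constructed sample, as in the finding
    owner_id: str
    balance_cents: int


# Constructed sample data: two users, three statements with guessable ids.
STATEMENTS: Dict[int, Statement] = {
    1001: Statement(1001, "user-a", 120_00),
    1002: Statement(1002, "user-b", 9_999_00),
    1003: Statement(1003, "user-a", 55_00),
}


class Forbidden(Exception):
    """Raised when the caller does not own the requested record."""


def get_statement_vulnerable(session_user: str, record_id: int) -> Statement:
    """Mirrors the flaw: the session is authenticated upstream, but the
    handler never asks whether this user owns this record. With sequential
    ids, any logged-in user reaches any account by changing one number."""
    return STATEMENTS[record_id]


def get_statement_fixed(session_user: str, record_id: int) -> Statement:
    """Look the record up, then refuse unless the session user owns it.
    'Missing' and 'not yours' share one error so the endpoint does not
    confirm which identifiers exist."""
    record = STATEMENTS.get(record_id)
    if record is None or record.owner_id != session_user:
        raise Forbidden(f"record {record_id} is not accessible to {session_user}")
    return record


def update_balance_fixed(session_user: str, record_id: int, new_balance_cents: int) -> Statement:
    """Mutation passes through the same ownership gate as the read."""
    current = get_statement_fixed(session_user, record_id)
    updated = Statement(current.record_id, current.owner_id, new_balance_cents)
    STATEMENTS[record_id] = updated
    return updated


def accessible_records(session_user: str) -> List[int]:
    """Regression check for the fix: try every known id through the fixed
    handler and report which ones it returns. Only the caller's own records
    should appear."""
    visible = []
    for rid in sorted(STATEMENTS):
        try:
            get_statement_fixed(session_user, rid)
            visible.append(rid)
        except Forbidden:
            continue
    return visible
```

Opaque, random record identifiers are worth adding on top, but they are defence in depth only; the ownership check is the fix, because an identifier leaked in a URL, log or screenshot must still be useless to anyone who is not its owner.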
ii.

JWT algorithm confusion. An unsigned token accepted by the verification layer.

The token-verification routine accepted a token whenever its algorithm field was set to none. A crafted token carrying that value, and no signature at all, was treated as valid. This granted a fully authenticated session under any role the attacker chose to claim. The flaw sat in the verification logic itself, not in the application above it.

  • Attack vector: Network · no authentication · no interaction required
  • CWE reference: CWE-347 Improper Verification of Cryptographic Signature
  • Time to admin: Under a minute from zero credentials
severity · critical  ·  developer tooling  ·  verification middleware  ·  reported, patched, verified
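Finding ii lives entirely inside the verifier, so the example below is a minimal HS256 verifier written two ways: one that lets the token's own header choose the algorithm, and one that pins the algorithm and treats anything else, `none` included, as invalid before it looks at the signature. This is an added illustration, not the affected middleware or FaustShield's code; the key, payloads and the `sign_hs256`/`verify_fixed` names are constructed. Production code should use a maintained JWT library with its algorithm allow-list set explicitly, which is what the pinned version stands in for.

```python
"""
Added example (not FaustShield's code): a minimal JWT verifier showing the
algorithm-confusion flaw beside a hardened version that pins the algorithm.
Key and payload values are constructed.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

PINNED_ALG = "HS256"   # the verifier, not the token, decides this


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a correctly signed token (what the legitimate issuer does)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_vulnerable(token: str, key: bytes) -> Optional[dict]:
    """Mirrors the flaw: the header's alg field selects the verification path,
    and 'none' short-circuits to 'valid' without any signature being checked."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(head_b64))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(body_b64))
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return json.loads(_b64url_decode(body_b64))
    return None


def verify_fixed(token: str, key: bytes) -> Optional[dict]:
    """Hardened: only PINNED_ALG is ever accepted, the header is consulted just
    to confirm it matches, and the signature is compared in constant time.
    Malformed tokens of any kind return None rather than raising."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != PINNED_ALG:
        return None
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        return json.loads(_b64url_decode(body_b64))
    except (ValueError, UnicodeDecodeError):
        return None


def unsigned_token(payload: dict) -> str:
    """Regression-test input matching the finding: alg=none and an empty
    signature segment. Exists only so the fixed verifier can be shown to
    reject it."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}."
```

The useful regression test is the last function: keep an `alg: none` token in the test suite and assert that verification fails, so a later refactor of the middleware cannot quietly reintroduce the header-driven path.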
iii.

Union-based SQL injection. Raw string concatenation inside a search handler.

A search parameter was placed directly into a database query through string concatenation, with no parameterisation. The injection point allowed full extraction of database contents, including user records, order history, and stored credential hashes. Confirmed with read access only and verified without writing to the database.

  • Payload class: UNION-based read · schema enumeration · time-based confirmation
  • Data exposed: User records, order history, credential hashes
  • OWASP classification: A03:2021 Injection · CWE-89
severity · high  ·  commerce platform  ·  relational database  ·  reported, patched, verified
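The search handler from finding iii, written first the way the finding describes and then with the parameter binding that closes it. This is an added example, not the platform's code or FaustShield's; the schema, rows and function names are constructed, and sqlite3 stands in for the relational database. It also covers a point the parameterised form alone does not: `LIKE` has its own wildcards, so the term still needs escaping to behave as a literal search.

```python
"""
Added example (not FaustShield's code): a product-search handler written the
way the finding describes, beside its parameterised replacement. Schema and
rows are constructed; sqlite3 stands in for the relational database.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database: a products table to search and a
    users table that a product search should never be able to reach."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER)")
    conn.executemany(
        "INSERT INTO products (name, price_cents) VALUES (?, ?)",
        [("O'Brien's Coffee", 1200), ("Coffee Grinder", 4500),
         ("Tea Kettle", 3000), ("100% Cotton Towel", 1500)],
    )
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users (email, password_hash) VALUES (?, ?)",
                 ("alice@example.test", "constructed-hash-value"))
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """Mirrors the flaw: the search term is spliced into the SQL text, so the
    database cannot tell data from query. A plain apostrophe already breaks
    the statement, which is the symptom a tester notices first."""
    sql = f"SELECT name FROM products WHERE name LIKE '%{term}%' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def _escape_like(term: str) -> str:
    """Parameters stop injection but do not neutralise LIKE's own
    metacharacters (% and _), so those are escaped separately."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_fixed(conn: sqlite3.Connection, term: str) -> list:
    """Parameterised: the term travels as a bound value, never as SQL text.
    The statement shape is fixed at write time and the driver does the quoting."""
    sql = "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\' ORDER BY id"
    pattern = f"%{_escape_like(term)}%"
    return [row[0] for row in conn.execute(sql, (pattern,))]
```

Two checks worth keeping in the suite: a term containing an apostrophe must return the matching row rather than an error, and a lone `%` must match only names that contain a literal percent sign instead of returning the whole table.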
iv.

Server-side request forgery. Cloud credential exfiltration through an unvalidated webhook endpoint.

A webhook-registration endpoint accepted arbitrary URLs and issued server-side requests to them with no destination validation. Pointed at the cloud instance metadata service, it returned temporary infrastructure credentials carrying read and write permissions. The result was a direct path from an unauthenticated form to live cloud access.

  • Attack vector: Network · low-privilege auth · metadata service reachable
  • Impact: Live temporary credentials with read and write permissions on the surrounding cloud account
  • Class: Server-side request forgery · instance metadata access
severity · high  ·  SaaS integration  ·  cloud infrastructure  ·  reported, patched, verified
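The destination validation that finding iv lacked, as an added example that is not the integration's code or FaustShield's. It checks the scheme, refuses embedded credentials, resolves the hostname and rejects any answer that is not a public unicast address, which covers loopback, RFC 1918 space and the link-local range the instance metadata service sits in. The hostnames, addresses and the resolver table in the test are constructed; `validate_webhook_url` and the pluggable `resolver` parameter are this example's own design, with `socket.getaddrinfo` as the default.

```python
"""
Added example (not FaustShield's code): destination validation for a
webhook-registration endpoint. Hostnames and addresses are constructed;
the default resolver is socket.getaddrinfo, the test injects its own.
"""
import ipaddress
import socket
from typing import Callable, Optional, Set, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}


def resolve_all(host: str) -> Set[str]:
    """Default resolver: every address the name maps to right now. A name
    that maps to one public and one internal address is still rejected."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(text: str) -> bool:
    """True only for globally routable unicast addresses. Loopback, private,
    link-local (which includes the 169.254.169.254 metadata address),
    multicast, reserved and unspecified ranges all fail. IPv4-mapped IPv6
    forms are unwrapped first so they get the same answer as the IPv4."""
    ip = ipaddress.ip_address(text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_webhook_url(url: str, resolver: Callable[[str], Set[str]] = resolve_all
                         ) -> Tuple[bool, str, Optional[str]]:
    """Returns (ok, reason, address). On success the caller should connect to
    the returned address, keeping the original hostname for Host/SNI, rather
    than resolving again, so the DNS answer cannot change between the check
    and the request."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL", None
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", None
    host = parts.hostname
    if not host:
        return False, "missing host", None
    if parts.username or parts.password:
        return False, "credentials in URL not allowed", None
    try:
        ipaddress.ip_address(host)
        candidates = {host}              # literal address: nothing to resolve
    except ValueError:
        try:
            candidates = resolver(host)  # names, including odd numeric forms
        except OSError:
            return False, "hostname does not resolve", None
    if not candidates:
        return False, "hostname does not resolve", None
    for addr in sorted(candidates):
        if not is_public_address(addr):
            return False, f"destination resolves to non-public address {addr}", None
    return True, "ok", sorted(candidates)[0]
```

Resolving once and connecting to the returned address is the part most often skipped: a check that resolves a name, approves it, and then hands the URL to an HTTP client that resolves it again is only as strong as the DNS answer staying the same. Note too that Python's `ipaddress` treats the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as non-public, which is why the test uses a different constructed address for its "public" host.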

all findings reported and patched  ·  FaustShield engagements

IV.   engagement plans

Three ways to work together.

A pentest from a firm runs five to twenty thousand dollars for a single point-in-time test, and a managed PTaaS platform starts higher still. Every plan below delivers the same work, carried out by a real researcher, for less, because the work goes straight from your researcher to you with no platform and no overhead in between. Scope, findings, and progress are visible to you throughout.

Single Audit

A complete, one-time assessment of your entire external footprint.

$1,500 one-time
  • A full penetration test of every in-scope domain, subdomain, application, API, and exposed service, carried out by a real researcher.
  • Written report with every finding reproduced, rated by severity and business impact, and explained in plain terms.
  • Exact, step-by-step remediation for each issue.
  • One AI fix prompt per finding, ready to paste into your editor.
  • One round of free retesting once you have applied the fixes.

best for  ·  a point-in-time audit before a launch, a SOC 2 cycle, or a customer security review

Begin a single audit

Embedded

A standing security partner for teams with enterprise customers.

$2,800 per month · 12-month term
  • Everything in Continuous.
  • A scheduled monthly re-assessment focused on what changed, with findings tracked over time.
  • Priority response on critical findings.
  • Compliance-ready evidence for SOC 2 and ISO 27001 reviews.
  • Direct support answering the security questionnaires your own customers send you.

best for  ·  teams under active compliance and customer-security pressure

Start an embedded engagement

A single breach costs many times more than a year of any plan above. Every plan is built to surface the issues that lead to one, before an attacker does.

V.   how an engagement runs

How an engagement runs.

Four stages. One real researcher from start to finish, with no subcontracting and no automated scanners standing in for real testing. Every stage is visible to you: findings are shared as they are confirmed, not held back for a final reveal.

I.

Reconnaissance and scope mapping.

OSINT and infrastructure analysis to map the full attack surface. Forgotten subdomains, exposed storage, shadow infrastructure, and stale endpoints are found and brought into scope before any testing begins.

OSINT  ·  subdomain discovery  ·  shadow infrastructure
II.

Deep-dive logic testing.

Each application is examined directly by the researcher: authentication, authorisation, session handling, business logic, and race conditions. This is the work scanners cannot do, and where the most serious issues usually sit.

authentication  ·  business logic  ·  race conditions
III.

Exploitation and impact validation.

Every reported issue is proven, not assumed. Findings are exploited under safe, controlled conditions to establish their real impact, with no risk to production stability.

proof of concept  ·  controlled exploit  ·  impact rating
IV.

Remediation and direct support.

You receive a detailed report and direct access to your researcher while you patch. Your researcher stays available through the fix and confirms each issue is closed with a verification retest.

written report  ·  AI fix prompts  ·  verification retest

VI.   the underlying numbers

The cost of doing nothing.

The figures below describe what tends to happen to companies that defer a proper assessment.

43%
of cyberattacks target small and mid-sized businesses

The most attacked segment, and the least prepared.

$4.88M
average cost of a single data breach

IBM Cost of a Data Breach Report. The highest figure on record.

45%
of organisations run code with known unpatched vulnerabilities

Vulnerabilities tend to remain reachable in production long after they are known.

21 days
average time a breach goes undetected

Most organisations do not know they have been compromised until weeks after the initial intrusion.

in closing
a single audit costs a small fraction of any one of these outcomes

The issues that lead to a breach are usually present long before it happens, and usually fixable in an afternoon once they are known.