Faustshield Begin an Audit
FaustShield penetration research  ·  written report

A full-scope security assessment

The vulnerabilities your scanners miss, found by a real researcher and returned with the exact patch.

Every audit is a deep review of your entire external footprint, carried out by a real security researcher rather than an automated scan. One engagement covers all domains, subdomains, applications, APIs, and exposed infrastructure within scope. Nothing is sampled and nothing is skipped.

Findings are shared with you as they are confirmed, each one reproduced, evidenced, and rated for business impact, then paired with a concrete fix and a prompt you can paste straight into your AI coding assistant.

Begin an Audit

Secure checkout via Stripe

vulnerabilities responsibly disclosed to

$12M+
estimated breach exposure prevented across past engagements
40+
organisations assessed
5 days
typical window from first findings to final report
AI Prompts
one per finding, ready to paste into Cursor or Copilot

I.   responsible disclosure

Disclosed to

Findings from past engagements have been reported responsibly to the organisations below, alongside forty or more private engagements held under NDA. Each issue was reported privately, remediated, and verified.

zero-day research responsible disclosure
status  ·  all remediated

II.   redacted, with written consent

Selected findings

A small, redacted sample of issues identified by a real researcher in live engagements. Nothing is published without written consent, and the details below are paraphrased to protect the affected organisations.

i.

Broken object level authorisation. Financial record mutation via a predictable resource identifier.

An account-statement endpoint performed no ownership check on the record being requested. Because record identifiers were sequential, any authenticated user could read and alter the financial records of any other account. Reproducing the issue required nothing more than a logged-in session and a browser developer console.

  • Attack vectorNetwork · low-privilege auth · no interaction required
  • Regulatory exposureGDPR Art. 32 · PCI-DSS Req. 6.3 · OWASP API1:2023
  • Time to reproduceMinutes from an authenticated session
severity · critical fintech platform REST API reported, patched, verified
ii.

JWT algorithm confusion. An unsigned token accepted by the verification layer.

The token-verification routine accepted a token whenever its algorithm field was set to none. A crafted token carrying that value, and no signature at all, was treated as valid. This granted a fully authenticated session under any role the attacker chose to claim. The flaw sat in the verification logic itself, not in the application above it.

  • Attack vectorNetwork · no authentication · no interaction required
  • CWE referenceCWE-347 Improper Verification of Cryptographic Signature
  • Time to adminUnder a minute from zero credentials
severity · critical developer tooling verification middleware reported, patched, verified
iii.

Union-based SQL injection. Raw string concatenation inside a search handler.

A search parameter was placed directly into a database query through string concatenation, with no parameterisation. The injection point allowed full extraction of database contents, including user records, order history, and stored credential hashes. Confirmed with read access only and verified without writing to the database.

  • Payload classUNION-based read · schema enumeration · time-based confirmation
  • Data exposedUser records, order history, credential hashes
  • OWASP classificationA03:2021 Injection · CWE-89
severity · high commerce platform relational database reported, patched, verified
iv.

Server-side request forgery. Cloud credential exfiltration through an unvalidated webhook endpoint.

A webhook-registration endpoint accepted arbitrary URLs and issued server-side requests to them with no destination validation. Pointed at the cloud instance metadata service, it returned temporary infrastructure credentials carrying read and write permissions. The result was a direct path from an unauthenticated form to live cloud access.

  • Attack vectorNetwork · low-privilege auth · metadata service reachable
  • ImpactLive temporary credentials with read and write permissions on the surrounding cloud account.
  • ClassServer-side request forgery · instance metadata access
severity · high SaaS integration cloud infrastructure reported, patched, verified

all findings reported and patched  ·  FaustShield engagements

III.   letters received

After the report lands.

What teams say once the findings are in their hands and the retest has confirmed the fixes. Shared with permission; names withheld under standard engagement NDAs.

The engagement surfaced a critical authorisation flaw that two scanner reports and a compliance audit had walked straight past. Every finding came with the exact patch, and the retest confirmed each one was closed.

Chief Technology Officerfintech platform · single audit

We forwarded the report to our largest enterprise customer's security team and they signed off within the week. The AI fix prompts alone saved our engineers days of remediation work.

Head of EngineeringB2B SaaS · embedded

He treated our scope like his own attack surface, found a forgotten subdomain we did not know still existed, and turned it into the most important finding of the engagement. Zero noise, zero false positives.

FounderAI services company · single audit

identities withheld under NDA  ·  direct references available on request

IV.   engagement plans

Three ways to work together.

A pentest from a firm runs five to twenty thousand dollars for a single point-in-time test, and a managed PTaaS platform starts higher still. Every plan below delivers the same work, carried out by a real researcher, for less, because the work goes straight from your researcher to you with no platform and no overhead in between.

Single Audit

A complete, one-time assessment of your entire external footprint.

$ 4,500 one-time
  • A full penetration test of every in-scope domain, subdomain, application, API, and exposed service, carried out by a real researcher.
  • Written report with every finding reproduced, rated by severity and business impact, and explained in plain terms.
  • Exact, step-by-step remediation for each issue.
  • One AI fix prompt per finding, ready to paste into your editor.
  • One round of free retesting once you have applied the fixes.

best for  ·  a point-in-time audit before a launch, a SOC 2 cycle, or a customer security review

Begin a single audit

Weekly

A recurring weekly security subscription.

$ 499 per week
  • Continuous, hands-on security coverage of your platform from a real researcher.
  • Findings shared as they are confirmed, with unlimited retesting of fixes.
  • A direct line to your researcher throughout.
  • Billed weekly. Pause or cancel at any time.

best for  ·  teams that want steady, low-commitment coverage week to week

Start a weekly subscription

A single breach costs many times more than a year of any plan above. Every plan is built to surface the issues that lead to one, before an attacker does.

V.   how an engagement runs

How an engagement runs.

Four stages. One real researcher from start to finish, with no subcontracting and no automated scanners standing in for real testing. Findings are shared as they are confirmed, not held back for a final reveal.

I.

Reconnaissance and scope mapping.

OSINT and infrastructure analysis to map the full attack surface. Forgotten subdomains, exposed storage, shadow infrastructure, and stale endpoints are found and brought into scope before any testing begins.

OSINT subdomain discovery shadow infrastructure
II.

Deep-dive logic testing.

Each application is examined directly by the researcher: authentication, authorisation, session handling, business logic, and race conditions. This is the work scanners cannot do, and where the most serious issues usually sit.

authentication business logic race conditions
III.

Exploitation and impact validation.

Every reported issue is proven, not assumed. Findings are exploited under safe, controlled conditions to establish their real impact, with no risk to production stability.

proof of concept controlled exploit impact rating
IV.

Remediation and direct support.

You receive a detailed report and direct access to your researcher while you patch. Your researcher stays available through the fix and confirms each issue is closed with a verification retest.

written report AI fix prompts verification retest

VI.   secure intake

Begin an Audit

Tell us about your target, choose how you would like to work, and pay securely with Stripe. Your researcher begins as soon as checkout completes.

step 01 of 05  ·  organisation

This appears on the cover of your audit report.

step 02 of 05  ·  scope

List your primary domain and any subdomains, applications, or APIs you want assessed. If you are unsure whether something belongs, include it. A broad scope is encouraged and does not change the price.

Staging URLs, test accounts to use, known issues, or areas to leave alone.

step 03 of 05  ·  plan

Choose how you would like to work.

Recurring plans run on an annual term. A recent Single Audit can be credited toward Embedded.

step 04 of 05  ·  contact

Where should the findings be delivered?

Your researcher uses this to deliver the report and to reach you directly if a critical issue is found mid-engagement.

step 05 of 05  ·  payment

Confirm and pay.

Payment is processed securely by Stripe. Your audit begins the moment checkout completes.

Secure checkout via Stripe  ·  card details never touch our servers

Transmitting…

Encrypting your request

intake live / full report · exact fixes · one AI prompt per finding

the cost of doing nothing

43%
of cyberattacks target small and mid-sized businesses
$4.88M
average cost of a single data breach
45%
of organisations run code with known unpatched vulnerabilities
21 days
average time a breach goes undetected

A single audit costs a small fraction of any one of these outcomes. The issues that lead to a breach are usually present long before it happens, and usually fixable in an afternoon once they are known. Sources: IBM, Verizon, Veracode.