
available for engagements

I take on a limited number of clients at a time. Work is done manually, no automated scan dumps passed off as reports. If you want real findings, this is the right place.

All engagements are under NDA. Findings stay between us.


what i offer

VAPT — Web, API & Network

Manual penetration testing for web applications, APIs, and network infrastructure. I focus on logic flaws and business-layer vulnerabilities — the kind that automated scanners never catch.

What you get: a structured report with confirmed findings, reproduction steps, severity ratings, and remediation guidance. Not a Burp Suite export.

Typical scope: internal tools, SaaS platforms, fintech apps, admin panels, authentication flows.

Starting from: contact for scope-based pricing

Timeline: 5–15 days depending on scope


Web3 Security — Smart Contract Auditing

Manual Solidity code review for DeFi protocols, NFT projects, and dApps. I look for reentrancy, flash loan attack vectors, access control issues, oracle manipulation, and EVM-level logic errors.

I’ve reviewed contracts handling real liquidity. I understand what “this will get drained” actually means.

What you get: line-by-line findings, severity classification, proof-of-concept exploit code where applicable, and fix recommendations.

Best for: pre-launch audits, protocol upgrades, bridge contracts, custom token logic

Timeline: 3–10 days depending on contract complexity


CTI — Cyber Threat Intelligence

Custom threat intelligence engagements. I operate on dark web marketplaces, monitor stealer log drops, track threat actor infrastructure, and build actor profiles from open and closed sources.

Use cases: understanding if your organization is being targeted, tracking a specific actor or group, identifying leaked credentials or data before it causes damage, building a threat profile for a legal or law enforcement case.

Reporting is structured for both technical teams and executive audiences.

Timeline: ongoing retainer or one-time investigation


OSINT Investigation

Targeted open-source intelligence gathering. Person of interest profiling, corporate due diligence, infrastructure mapping, social media footprinting, geolocation correlation.

I work methodically. No assumptions, no guesswork — everything sourced and documented.

Not available for: stalking, harassment, or anything that harms individuals who haven’t consented. I’ll decline without explanation.

Timeline: 3–7 days for standard investigations


need dev work?

Security is my lane. If you need a web app, mobile app, or backend system built — I don’t do that, but I know people who do it well. Developers I’ve worked with directly, not random referrals.

Tell me what you need and I’ll connect you with the right person.


how to engage

No forms. No automated response. Just email.

prit3shnaik19@gmail.com

Tell me: what you need, rough scope, timeline. I’ll respond within 24 hours with whether I can take it and what it looks like to work together.

For sensitive engagements, PGP available on request.


working style

  • Everything is manual. I don’t run a tool farm.
  • I communicate during the engagement, not just at the end.
  • I tell you if something is out of scope rather than pretending I covered it.
  • NDAs are standard. Findings don’t leave the engagement.
  • I work with startups, solo founders, small security teams, and companies that can’t afford a Big 4 firm but need the same quality.