Reverse Lab

Reverse Engineering Services

Security Research & Vulnerability Analysis Services

Vulnerability discovery. Code audits. Exploit research. Engagements include vulnerability analysis, security audit, and related work — all under NDA.

  • vulnerability analysis
  • security audit
  • code audit services
  • penetration testing
  • exploit development
  • threat analysis
Under NDA · Custom scoping · Global delivery

Overview

About Our Security Research Services

Security research services covering vulnerability analysis, code audits, and exploit research. Independent security assessments for critical systems.

Engagements are scoped to a fixed deliverable list before kickoff and run under a written NDA. Daily lab notes and weekly written status keep the work auditable from your side at every step.

In the lab

Adversary mindset, applied with discipline. Findings documented.

Security Research Lead

Anonymized pre-NDA

How we work

We adapt and improve — not blind-copy

In both reverse engineering and custom development, we never thoughtlessly clone. We carry out improvements and adaptations to the customer's specific task, because the existing solution often cannot fully satisfy the customer's request. Reverse engineering surfaces the design intent; the engineering that follows decides what to keep, what to change, and what to engineer from scratch.

Engineering analysis

Mathematical & physical modeling, where the project needs it

As part of both reverse engineering and custom development projects, we perform in-depth engineering analysis based on mathematical and physical modeling. Depending on project requirements this may include structural calculations, fluid dynamics, gas flow analysis, thermal processes, stress and load simulations, process modeling, and validation of engineering assumptions affecting system performance and operational reliability — used for design verification, technology assessment, process optimization, and validation of technical parameters for production and commercial deployment.

When you call us

When You Need Security Research Services

Patterns we see across engagements. Each can stand alone or combine with adjacent capabilities.

  • Vulnerability analysis on production systems

    Independent vulnerability discovery on shipping products — firmware, applications, protocols. Outputs feed responsible disclosure or internal hardening.

  • Code audit services for security review

    Source-level review of high-risk code: parsers, crypto, authentication, network handlers. Findings ranked by exploitability and impact.

  • Pre-acquisition security assessment

    Independent technical security review of an acquisition target's products. Confidential output, delivered only to the acquiring party.

  • Exploit development for proof-of-concept demonstration

    Demonstrate vulnerability impact under controlled conditions, with engagement scope strictly defined in writing.

  • Threat analysis for safety-critical systems

    Threat modeling for systems where security failure has safety consequences — automotive, medical, industrial. Aligned to ISO 21434, IEC 62443, FDA postmarket guidance.

  • Penetration testing of complex products

    Hardware-software-network integrated penetration testing on devices and platforms where standard pentest scope is insufficient.

  • Coordinated disclosure support

    Manage responsible disclosure of findings — vendor coordination, CVE filing, embargo timelines, and public publication.

Methodology

Our Security Research Services Process

Vertical phasing — each step's deliverables agreed before kickoff, and not closed until you sign off.

  1. Phase 01: NDA and engagement

    Mutual NDA executed before any source, binaries, or technical materials change hands. Scope, rules of engagement, and disclosure terms confirmed in writing.

  2. Phase 02: Threat modeling

    Identify attack surface, trust boundaries, and adversary capability assumptions. Output: written threat model that scopes the rest of the engagement.

  3. Phase 03: Static analysis and code audit

    Source review for in-scope code. Tooling-assisted (CodeQL, Semgrep) plus expert manual review of high-risk regions.

  4. Phase 04: Dynamic analysis

    Targeted fuzzing, instrumented runtime analysis, and behavioral verification of identified candidate issues.

  5. Phase 05: Exploit research

    Confirm exploitability of findings under controlled conditions. Document preconditions, complexity, and impact.

  6. Phase 06: Disclosure and reporting

    Findings report with severity, technical detail, and remediation guidance. Coordinated disclosure where applicable.

Tooling

Security Research Services Tools and Technologies

Named tools, in production. We don't list anything we don't actually use.

  • Burp Suite Professional
  • OWASP ZAP
  • Nessus
  • Custom fuzzers (libFuzzer, AFL++)
  • Wireshark
  • Frida
  • CodeQL
  • Semgrep
  • Ghidra / IDA Pro
  • Metasploit (research only)

All of the above are in production use, versioned per-engagement and pinned in our build.

fuzzer@harness ~ target

$ afl-fuzz -i corpus/ -o findings/ -- ./target_under_test @@

Cycles done: 1 · paths total: 412 · uniq crashes: 3

$ triage --findings findings/crashes/ --dedup

3 unique root causes · 2 exploitable · CVE drafts queued

$

Deliverables

What You Receive from Our Security Research Services

Artifacts handed over at close-out. Each is reproducible and self-contained.

  • Written threat model and attack surface map
  • Findings report with CVSS-aligned severity and exploitability ratings
  • Proof-of-concept artifacts where authorized
  • Remediation guidance with code-level recommendations
  • Coordinated disclosure timeline and CVE filings (when applicable)
  • Methodology appendix recording every tool and command

Sample deliverable

security-research-services · final report

rev.04 · pdf

Engagement summary

Findings

Our practice

Senior researchers, on the threat surface, end to end.

Security research is independent work. Coordinated disclosure when findings affect third-party products. Track record across 30+ CVEs.

Adversary mindset

Threat modeling first, fuzz harness next, coordinated disclosure on third-party findings.

Security Research Lead

Anonymized pre-NDA

Vulnerability Analysis

Anonymized pre-NDA

Exploit Research

Anonymized pre-NDA

Disclosure Coordinator

Anonymized pre-NDA

Threat model before tooling. Then we find the issue, prove it, and coordinate disclosure responsibly.

Security Research Lead, Reverse Lab

Questions

Security Research Services FAQ

Pulled from real client conversations. If yours isn't here, ask directly.

  • Our security research services cover vulnerability analysis, code audits, exploit research, threat modeling, and coordinated disclosure. The work is independent — we are not a managed service or a continuous monitoring vendor. Each engagement answers a specific security question with audit-grade documentation.

  • Vulnerability analysis combines tooling-assisted scanning with expert manual review. Tooling catches the high-volume class of issues; expert review catches the deep-impact issues that automated tools miss — protocol-level flaws, business-logic vulnerabilities, and chained exploitation paths. Our security research services bias toward depth.

  • Code audit services start with a threat model that scopes which code matters and why. We then perform source-level review with CodeQL and Semgrep for breadth, and expert manual review for depth on high-risk regions: parsers, crypto, authentication, network handlers, and trust-boundary code. Findings are ranked by exploitability and impact.

  • Yes, in research mode. We develop proof-of-concept exploits to demonstrate impact of identified vulnerabilities under controlled conditions, with scope strictly defined in writing. We do not develop offensive tooling for distribution. All exploit research feeds coordinated disclosure unless the engagement is purely internal.

  • When security research surfaces vulnerabilities affecting third-party products, we follow coordinated disclosure: notify the vendor first, agree to a remediation window (typically 90 days, negotiable), file CVEs where applicable, and publish only after the remediation window or with vendor consent. We have a track record across 30+ CVEs.

  • Yes. Threat analysis aligned to industry-specific standards is common, particularly for automotive, industrial, and medical-device clients. Our security research services produce threat models that satisfy regulatory submission requirements while remaining technically rigorous.

  • Standard penetration testing scope assumes a network target. For complex products — connected hardware, embedded systems, automotive platforms — pentest scope must integrate hardware, firmware, network, and application layers. Our integrated security assessment combines all four; findings often emerge from the cross-layer interactions standard tests miss.

  • All security research runs under mutual NDA. Findings are shared only with your nominated security contacts until remediation is agreed. Public disclosure follows coordinated disclosure timelines and your written authorization. Methodology and tooling notes are shared as deliverables; specific findings are not.

  • Engagements start with a scoping phase under NDA. Project length and pricing depend on system complexity, depth of review (surface scan vs. deep audit), and whether exploit development is in scope. Most engagements run four to twelve weeks; large code audits run longer.

Selected work

Engagements where this capability carried significant scope.

Case studies for this service available under NDA

Most of our work in this area is covered by mutual NDA. Request anonymized references during your inquiry — we share them with prospective clients after NDA execution.

Engage

Ready to discuss your security research services project?

All inquiries reviewed under NDA. We respond within two business days with a scoped engagement plan and fixed deliverables list.

Senior engineers · Anonymized pre-NDA