Codiaks.
Codiaks Service · 05

Security findings with context, not CVE lists.

Penetration testing, application security review, code audits, and compliance prep. Reports written for engineers, not auditors — what matters, what doesn’t, what to fix first.

SOC 2 Type II ready · ISO 27001 prep · OWASP-aligned testing
codiaks · pen-test report
Engagement #2026-Q1-04 · 14-day scope · Web app + API security review

Findings by severity: 0 Critical · 1 High · 3 Medium · 12 Low

Top findings
SSRF via image proxy · High · Context: exploitable, internal network reachable
Stored XSS in audit log viewer · Medium · Context: admin-only surface, low blast radius
Missing rate limit on auth endpoint · Medium · Context: WAF mitigates, recommend defense-in-depth

Methodology: OWASP ASVS L2 · Retest scheduled
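The top finding in the sample report, SSRF through an image proxy that can reach the internal network, is a good illustration of why context matters: a proxy that blocklists a few hostnames looks patched to a scanner but is still exploitable. The block below is an added example written for this page, not Codiaks' code or any client's code. It puts a naive hostname blocklist beside a check that resolves the host and rejects any non-global address. The DNS table (FAKE_DNS), the function names and the fake_resolve hook are all assumptions so that the example runs offline; real code would pass a resolver built on socket.getaddrinfo.

```python
"""SSRF check for an image proxy: naive blocklist beside a resolve-and-verify check.

Added example for illustration; not Codiaks' code. The resolver is injected
so the sample runs offline against a constructed DNS table.
"""
import ipaddress
from urllib.parse import urlparse

# Constructed DNS table standing in for socket.getaddrinfo (assumption for the
# demo). Addresses are chosen so that is_global gives the expected answer.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],          # public host
    "cdn.example.net": ["93.184.216.34", "2606:4700:4700::1111"],
    "metadata.internal": ["169.254.169.254"],         # cloud metadata endpoint
    "intranet.corp": ["10.0.0.5"],                    # RFC 1918
    "2130706433": ["127.0.0.1"],                      # decimal form of 127.0.0.1
}


def fake_resolve(host):
    """Return the addresses a host resolves to; literal IPs resolve to themselves."""
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return []  # unresolvable or odd literal such as "127.1": fail closed


def naive_is_allowed(url):
    """The 'before': a hostname blocklist. Bypassed by DNS names, decimal IPs, IPv6."""
    host = (urlparse(url).hostname or "").lower()
    return host not in {"localhost", "127.0.0.1", "169.254.169.254"}


def hardened_is_allowed(url, resolve=fake_resolve):
    """The 'after': allowlist the scheme, resolve the host, reject non-global IPs."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    if not host:
        return False
    addrs = resolve(host)
    if not addrs:
        return False
    # Every resolved address must be globally routable; one internal answer
    # (e.g. a dual-homed name) is enough to reject the request.
    return all(ipaddress.ip_address(a).is_global for a in addrs)


def triage(urls, resolve=fake_resolve):
    """Compare both checks over a list of URLs; returns {url: (naive, hardened)}."""
    return {u: (naive_is_allowed(u), hardened_is_allowed(u, resolve)) for u in urls}


if __name__ == "__main__":
    probes = [
        "https://images.example.com/logo.png",
        "http://metadata.internal/latest/meta-data/",
        "http://2130706433/",
        "http://[::1]/",
        "http://127.1/",
        "file:///etc/passwd",
    ]
    for url, (naive, hard) in triage(probes).items():
        print(f"{url:45} naive={naive!s:5} hardened={hard}")
```

Two caveats a retest would check. First, the address that passed validation must be the one the proxy actually connects to: resolve once, connect to that IP with the Host header set, otherwise a DNS-rebinding answer can change between check and fetch. Second, redirects from the fetched URL must go through the same check, or the proxy can be bounced from a public host to an internal one.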
What we do

Six security disciplines. One philosophy: report what matters.

A scanner finds 200 issues. A good security review finds the three that’ll actually get exploited — and ignores the noise.

Penetration testing

Web, API, mobile, network. Authenticated and unauthenticated. Real attacker mindset, not just a scanner with a person reading the output.

App security review

Architecture review, threat modeling, design-time security. Catch issues before they ship, when they cost a meeting to fix instead of an incident.

Code audits

Manual review of authentication, authorization, crypto, data handling, and the boring-but-important stuff. Static analysis is a starting point, not the whole audit.

Compliance prep

SOC 2, ISO 27001, PCI-DSS, HIPAA. We help you pass the audit by actually being secure, not by gaming the controls.

Threat modeling

STRIDE, attack trees, data flow analysis. Done with engineering in the room so the threat model maps to the actual code, not an abstraction of it.

Secure dev training

Hands-on, scenario-driven training for engineering teams. Anchored to real findings from real codebases, not generic OWASP slides.

How we engage

Scope, test, report, remediate. Retest until it’s actually fixed.

Stage 01

Scope

Threat model, in/out of scope, rules of engagement, target environment. Written and signed before testing starts.

Stage 02

Test

Manual + automated. Authenticated + unauthenticated. We pivot when we find something interesting — the scope is a starting point, not a checklist.

Stage 03

Report

Findings with severity, exploitability, business impact, and remediation guidance. Written so that engineers and execs can both use the same document.

Stage 04 · Standard, not extra

Retest

Free retest within 90 days of the original report. We verify that fixes are real and don’t introduce new issues, and we document everything for the audit trail.

Featured work

Bank-grade compliance prep. First-attempt audit pass.

Tier-one bank · Compliance prep · 2024

A 90-day prep program that turned a struggling audit into a clean first-attempt pass.

Code review, architecture review, penetration test, gap analysis against the framework, prioritized remediation plan, evidence collection. The auditor commented on the quality of the documentation. The bank renewed the engagement for the following year before the report was even submitted.

90d prep timeline · 1st-attempt audit pass · 0 critical findings
Methodology

Tools we use. Frameworks we follow.

Frameworks: OWASP ASVS, OWASP Top 10, NIST CSF, MITRE ATT&CK
Tooling: Burp Suite, Nuclei, Semgrep, CodeQL
Compliance: SOC 2, ISO 27001, PCI-DSS, HIPAA
Threat modeling: STRIDE, PASTA, attack trees
Questions we get

Things prospects ask on the first call.

How is this different from a vulnerability scanner?

A scanner finds patterns. A pen tester finds context. Scanners flag every reflected parameter; we tell you which one is actually exploitable, why, and what an attacker would do with it. The output is a short list of issues that matter, not a 200-page PDF nobody reads.

Do you retest after fixes?

Yes. Free retest within 90 days of the original engagement. We verify each fix actually closes the finding, doesn’t introduce new issues, and produce a follow-up report you can hand to your auditor or board.

Can you support our SOC 2 / ISO 27001 audit?

Yes. We’ve helped clients pass SOC 2 Type II, ISO 27001, and PCI-DSS audits. Our deliverable includes evidence collection, control mapping, and gap remediation. We don’t replace your auditor — we make sure you’re ready when they show up.

Do you offer red-team or adversary simulation?

Yes for targeted assumed-breach exercises and adversary emulation. A full-spectrum red team with social engineering and physical access depends on the engagement; we’ll tell you honestly if a partner is a better fit.

How long does a pen test take?

Typical web-app + API engagement runs 10 to 14 working days for testing, then a few more days to write the report. Larger or higher-stakes scopes go longer. Compliance prep engagements run 60 to 90 days end-to-end.
Talk to us

Let’s talk about your attack surface.

Book a 30-minute call. We’ll ask about your stack, your customers, and your audit timeline — then tell you honestly whether we should be the ones to test it.