We build it.
We break it.
Penetration testing, compliance readiness, and secure development for small and mid-size businesses in Connecticut and Dallas–Fort Worth. Senior-only engagements. Reports that exploit, not just scan.
Penetration testing and compliance readiness
Fixed-price engagements from $500 website checks to full-scope compliance readiness. No junior handoffs. The person who tests is the person who writes the report.
PCI DSS Pentest
Annual internal + external testing for Requirement 11.4.
SOC 2 Readiness
Pre-audit work Vanta and Drata cannot do.
HIPAA Assessment
Risk analysis, pentest, and Security Rule readiness.
CMMC Readiness
110 NIST 800-171 practices for DoD contractors.
AI Security Audit
OWASP LLM Top 10. Prompt injection, agentic tool-chain, RAG + vector store.
CT Penetration Testing
Local CT firm for Hartford, New Haven, Stamford, Greenwich.
DFW Penetration Testing
DFW coverage + Texas SB 2610 safe harbor readiness.
Vertical-specific expertise
Different industries have different regulators, different attackers, and different failure modes. Our engagements are shaped around your vertical.
What we are finding right now
Original vulnerability research published regularly. Platform-specific attack patterns, compliance breakdowns, and threat intelligence from active engagements.
cisco SD-WAN CVE-2026-20182: a missing else-if branch gave UAT-8616 god-mode over the corporate WAN fabric of every Catalyst customer that didn't patch in 3 days
CVE-2026-20182 in Cisco Catalyst SD-WAN Controllers is CVSS 10.0: remote, pre-auth, no credentials or session required. The bug is a missing else-if branch in the vdaemon peering authentication service that handles device_type messages on UDP/12346 (DTLS). The switch statement verifies vBond, vSmart and vEdge peers, but the device_type=2 (vHub) case has no verification branch, so the controller unconditionally flips the authenticated flag for anyone who claims to be a vHub. From there: SSH key injection into /home/vmanage-admin/.ssh/authorized_keys, NETCONF on TCP/830 as the high-privilege internal vmanage-admin account, then root. CISA added it to KEV on 2026-05-14 with the tightest federal mitigation window of 2026 (3 days, due May 17, ED 26-03). Attribution: UAT-8616, the threat cluster that has been camping on Cisco SD-WAN since 2023 and was previously caught burning CVE-2026-20127, 20133, 20128 and 20122. Blast radius is the entire enterprise WAN fabric: OMP route tables, TLOC entries, branch-to-branch segmentation, policy distribution. One popped controller is god-mode over every cEdge/vEdge in the overlay. This post: full bug walkthrough; affected versions and patches (20.9 through 20.18, and 26.1); hunt indicators across the SSH, NETCONF, DTLS, config-plane and webshell layers; pre-patch mitigations (Cisco offers no workaround, so perimeter ACLs plus management-plane lockdown); the post-patch credential rotation list; and Snort SIDs 66482-66483 for IPS detection.
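The bug class behind that missing branch, as an added illustration in Python rather than Cisco's vdaemon code: a peer-type dispatch where the per-type checks can reject but the authenticated flag is set for anything that falls through, beside a default-deny dispatch table. The device_type=2 for vHub is from the page; the other type numbers, the HMAC "proof" standing in for the real DTLS/certificate check, and every name here are assumptions.

```python
"""Fail-open peer authentication: a device_type chain with no verification
branch for one case (vulnerable) beside a default-deny dispatch table
(hardened). Added illustration, not Cisco's code; see lead-in for assumptions."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed per-device credential; a real controller would check the
# peer's certificate over DTLS rather than an HMAC.
SHARED_KEY = b"constructed-demo-key"

# device_type=2 (vHub) is from the page; the other values are assumptions.
VBOND, VSMART, VHUB, VEDGE = 0, 1, 2, 3


@dataclass
class PeerHello:
    device_type: int
    device_id: str
    proof: bytes  # HMAC-SHA256(SHARED_KEY, device_id) for a legitimate peer


def verify_proof(hello: PeerHello) -> bool:
    expected = hmac.new(SHARED_KEY, hello.device_id.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, hello.proof)


def authenticate_vulnerable(hello: PeerHello) -> bool:
    """Each handled type can reject, but the flag is flipped for anything
    that reaches the end of the chain. vHub has no branch, so it is never
    checked and any claimed vHub is accepted."""
    if hello.device_type == VBOND:
        if not verify_proof(hello):
            return False
    elif hello.device_type == VSMART:
        if not verify_proof(hello):
            return False
    elif hello.device_type == VEDGE:
        if not verify_proof(hello):
            return False
    # missing: elif hello.device_type == VHUB: ...
    return True  # authenticated flag flipped on fall-through


# Default-deny dispatch: every accepted type maps to an explicit verifier.
VERIFIERS = {
    VBOND: verify_proof,
    VSMART: verify_proof,
    VHUB: verify_proof,
    VEDGE: verify_proof,
}


def authenticate_hardened(hello: PeerHello) -> bool:
    """Unknown or unhandled types are rejected; the result is the verifier's
    verdict, never a fall-through default."""
    verifier = VERIFIERS.get(hello.device_type)
    if verifier is None:
        return False
    return verifier(hello)


def unhandled_types(verifiers: dict, known_types: set) -> set:
    """Review check: protocol-defined types with no verifier. Must be empty."""
    return known_types - set(verifiers)


def legit_hello(device_type: int, device_id: str) -> PeerHello:
    proof = hmac.new(SHARED_KEY, device_id.encode(), hashlib.sha256).digest()
    return PeerHello(device_type, device_id, proof)


def forged_vhub_hello() -> PeerHello:
    """What an unauthenticated sender on the peering port needs: a vHub
    claim and no valid proof at all."""
    return PeerHello(VHUB, "attacker-controlled-id", b"\x00" * 32)


if __name__ == "__main__":
    forged = forged_vhub_hello()
    print("vulnerable accepts forged vHub:", authenticate_vulnerable(forged))
    print("hardened accepts forged vHub:  ", authenticate_hardened(forged))
    print("hardened accepts real vHub:    ", authenticate_hardened(legit_hello(VHUB, "hub-1")))
    chain_types = {VBOND: verify_proof, VSMART: verify_proof, VEDGE: verify_proof}
    print("types the vulnerable chain never verifies:",
          unhandled_types(chain_types, {VBOND, VSMART, VHUB, VEDGE}))
```

The `unhandled_types` check is the review habit that catches this class before it ships: enumerate the types the protocol defines, diff against the types the authentication path actually verifies, and treat any difference as a finding. The hardened form also never stores "authenticated" as a default that later branches have to clear.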
langflow CVE-2026-33017: the unauth RCE in your team's AI prototyping tool is exfiltrating your AWS keys in under 20 hours flat
Langflow, the visual builder for LLM agent chains used by AI engineers and MLOps teams, had its second unauthenticated RCE in two years, pushed through the same exec() call. The vulnerable endpoint is POST /api/v1/build_public_tmp/{flow_id}/flow (note the _public_: no auth by design), which routes attacker-supplied Python into exec() at src/lfx/src/lfx/custom/validate.py:397 with zero sandboxing. Sysdig honeypots logged the first probe 20 hours after the 2026-03-17 disclosure and the first successful credential exfil within 25 hours; active exploitation has continued through May 2026. The payload is purpose-built for AI infrastructure: it dumps os.environ for AWS_*, OPENAI_*, ANTHROPIC_*, HF_TOKEN, PINECONE_*, SUPABASE_* and GITHUB_TOKEN; drops a 9.4 MB Go binary (worker-linux-amd64) that uses utls for TLS fingerprint spoofing and embeds gitleaks for secret scanning; persists as keyhunter-worker.service; and joins a NATS-based C2 botnet at 45.192.109.25:14222, subscribing to task.scan_cde, task.scan_web, task.validate_aws and task.validate_ai. Affected: Langflow 1.8.1 and earlier; patched in 1.9.0. NATS-as-C2 is the technique infostealer botnets are converging on (see the Sysdig writeup). Why AI/ML tooling is the new Jenkins: broad IAM, internet-exposed by default, :latest tags, high-value secrets in env, no auth gate. Full IOCs, the air-gap-first remediation order (the worker can detect revocation CLI invocations, so isolate before you rotate), and the IAM/key-rotation list to clean up after compromise.
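A first-pass host triage for the artifacts that paragraph lists, as an added example that is neither Sysdig's nor Langflow's code. It matches constructed samples shaped like `ss -tnp`, `systemctl list-units` and `ps -eo pid,user,args` output against the C2 endpoint, persistence unit and binary name from the page; the NATS default client port (4222) and the sample content are assumptions, and a clean result only means these particular artifacts are absent.

```python
"""Offline triage of a Langflow host for the CVE-2026-33017 payload artifacts
the page names. Added example; the command-output samples are constructed."""
import re

IOC_C2 = ("45.192.109.25", 14222)       # NATS-based C2 endpoint from the page
IOC_UNIT = "keyhunter-worker.service"   # persistence unit from the page
IOC_BINARY = "worker-linux-amd64"       # dropped Go binary from the page
NATS_PORTS = {4222, 14222}              # NATS default client port (assumed) + the campaign's port

# ss -tnp row: State Recv-Q Send-Q Local:Port Peer:Port users:(("proc",pid=N,fd=M))
SS_LINE = re.compile(
    r'^\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)


def parse_ss(text: str) -> list:
    """Parse `ss -tnp` rows into dicts; the header row simply fails to match."""
    conns = []
    for line in text.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue
        host, port = m.group("peer").rsplit(":", 1)  # also fine for [::1]:443
        conns.append({
            "peer_host": host,
            "peer_port": int(port),
            "proc": m.group("proc") or "?",
            "pid": int(m.group("pid")) if m.group("pid") else None,
        })
    return conns


def triage(ss_text: str, units_text: str, ps_text: str) -> list:
    """Return human-readable findings in a fixed order (network, units,
    processes). An empty list means none of the listed artifacts matched,
    which is not the same as a clean host."""
    findings = []
    for c in parse_ss(ss_text):
        peer = (c["peer_host"], c["peer_port"])
        if peer == IOC_C2:
            findings.append(f"KNOWN C2: {c['proc']} pid {c['pid']} -> {peer[0]}:{peer[1]}")
        elif c["peer_port"] in NATS_PORTS:
            # C2 infrastructure rotates; any NATS-port peer that is not your
            # own message bus deserves a look.
            findings.append(f"NATS-PORT PEER (verify): {c['proc']} pid {c['pid']} -> {peer[0]}:{peer[1]}")
    for line in units_text.splitlines():
        if IOC_UNIT in line:
            findings.append(f"PERSISTENCE UNIT: {line.strip()}")
    for line in ps_text.splitlines():
        if IOC_BINARY in line:
            findings.append(f"WORKER PROCESS: {line.strip()}")
    return findings


# Constructed samples: one benign outbound HTTPS connection, one C2
# connection, the persistence unit, and the worker process.
SAMPLE_SS = """State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:52110 140.82.112.3:443 users:(("python3",pid=1337,fd=12))
ESTAB 0 0 10.0.0.5:41822 45.192.109.25:14222 users:(("worker-linux-amd64",pid=4242,fd=7))
"""
SAMPLE_UNITS = """UNIT LOAD ACTIVE SUB DESCRIPTION
keyhunter-worker.service loaded active running keyhunter worker
langflow.service loaded active running Langflow
"""
SAMPLE_PS = """PID USER COMMAND
1337 langflow python3 -m langflow run --host 0.0.0.0
4242 langflow ./worker-linux-amd64
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_SS, SAMPLE_UNITS, SAMPLE_PS):
        print(finding)
```

Run it against captured output rather than live commands on a suspect host: the paragraph's remediation order starts with isolating the box, and the worker is described as reacting to revocation activity, so collect evidence first and only then rotate the keys the env dump would have exposed.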
exchange CVE-2026-42897: every news outlet is calling this "RCE." it isn't. it's OWA XSS — and the threat model is completely different.
CVE-2026-42897 in on-prem Microsoft Exchange Server is being reported as RCE across every major security outlet this week. It is not RCE. It is CWE-79, cross-site scripting in Outlook Web Access. The bug fires when a victim opens a crafted email in OWA: JavaScript executes in the victim's authenticated browser session, not on the Exchange server. That distinction changes the whole response playbook: the box is not owned, the user's session is. Patch posture: no permanent fix for Exchange 2016/2019 unless you are enrolled in the Period 2 paid Extended Security Updates program; Exchange SE receives the public patch; Exchange Online is not affected. This post: why every outlet has the framing wrong, what the post-XSS hunt actually looks like (inbox-rule abuse, EWS post-message-read patterns, the MSExchange Management event log), the EEMS M2 mitigation everyone should already have auto-applied, the manual EOMT path for air-gapped boxes, and the PowerShell block to hunt persistence from the last 24 hours. CISA KEV due date for federal mitigation: 2026-05-29.
Start with a free security check
We scan your public surface and send a plain-English findings report in 48 hours. No obligation. No sales pitch. If the findings matter, we scope a real engagement. If they do not, we tell you.
