What I look for.
A web infrastructure exposes far more than people think. Four families of vectors concentrate most of the real risk, and they stay invisible until someone looks from the attacker's side.
Exposed secrets
Public .env files, plaintext credentials, API keys and tokens forgotten in front-end code. The most dangerous secret is the one the developer thinks is private.
Server configuration
Missing security headers, permissive CORS, misconfigured TLS, exposed services. The door wasn't forced. It was already open.
Sensitive files
Forgotten backups, accessible .git repositories, production source maps, SQL dumps. An app's complete source code, accessible in a single request.
Application vulnerabilities
Injections, missing authentication, IDOR, bypassable business logic. Where the developer assumed without ever verifying.
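The four families above are what an external scan probes for, and the check a practitioner wants is confirmation, not a bare HTTP 200: many servers answer 200 with an HTML page for any path, so a hit on /.git/HEAD only counts when the body looks like a Git HEAD, and a hit on /.env only when it parses as KEY=VALUE lines. The following is an added example, not code from the original page or from the audit service it describes; the path list, the expected-header list, the probe origin `https://evil.example` and the sample responses are all constructed assumptions for the demonstration.

```python
"""Added example: confirm exposed files and configuration weaknesses from
captured HTTP responses instead of trusting status codes alone.
The responses below are constructed; nothing is fetched from the network."""
import re

# Assumption: a representative subset of paths probed in an external scan.
SENSITIVE_PATHS = ["/.git/HEAD", "/.env", "/backup.sql", "/app.js.map"]

# Assumption: a baseline set of headers a configuration check expects on HTTPS.
EXPECTED_HEADERS = [
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
]

# A real .git/HEAD is either "ref: refs/heads/..." or a bare 40-hex commit id.
GIT_HEAD_RE = re.compile(r"^(ref: refs/|[0-9a-f]{40}\s*$)")
# A real .env line is NAME=value (comments and blank lines are skipped below).
ENV_LINE_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def classify_exposure(path, status, body):
    """Return a finding name when (path, response) is a confirmed exposure, else None.

    Non-200 responses and "soft 404" HTML bodies are rejected: content signatures,
    not status codes, decide whether the file is really there."""
    if status != 200:
        return None
    first_line = body.lstrip().splitlines()[0] if body.strip() else ""
    if path == "/.git/HEAD" and GIT_HEAD_RE.match(first_line):
        return "exposed-git-repository"
    if path == "/.env":
        lines = [l for l in body.splitlines() if l.strip() and not l.startswith("#")]
        if lines and all(ENV_LINE_RE.match(l) for l in lines):
            return "exposed-env-file"
    if path.endswith(".sql") and re.search(r"\b(CREATE TABLE|INSERT INTO)\b", body, re.I):
        return "exposed-sql-dump"
    if path.endswith(".map") and '"sourcesContent"' in body:
        return "exposed-source-map"
    return None


def missing_security_headers(headers):
    """Return the expected headers absent from a response (header names are case-insensitive)."""
    present = {name.lower() for name in headers}
    return [h for h in EXPECTED_HEADERS if h not in present]


def permissive_cors(probe_origin, headers):
    """True when the server reflects an arbitrary Origin and allows credentials.

    That combination lets any site read authenticated responses cross-origin."""
    h = {k.lower(): v for k, v in headers.items()}
    reflected = h.get("access-control-allow-origin") == probe_origin
    with_creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    return reflected and with_creds


def scan(responses, headers, probe_origin="https://evil.example"):
    """Combine the checks into one report over captured responses and headers."""
    exposures = []
    for path in SENSITIVE_PATHS:
        status, body = responses.get(path, (404, ""))
        finding = classify_exposure(path, status, body)
        if finding:
            exposures.append(finding)
    return {
        "exposures": exposures,
        "missing_headers": missing_security_headers(headers),
        "permissive_cors": permissive_cors(probe_origin, headers),
    }


# Constructed sample: what a probe of a weak host might return.
SAMPLE_RESPONSES = {
    "/.git/HEAD": (200, "ref: refs/heads/main\n"),
    "/.env": (200, "# production\nAPP_ENV=production\nDB_PASSWORD=hunter2\n"),
    "/backup.sql": (200, "<html><body>Page not found</body></html>"),  # soft 404
    "/app.js.map": (404, ""),
}
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000",
    "Access-Control-Allow-Origin": "https://evil.example",
    "Access-Control-Allow-Credentials": "true",
}

if __name__ == "__main__":
    print(scan(SAMPLE_RESPONSES, SAMPLE_HEADERS))
```

On the sample, the soft-404 body for /backup.sql is correctly ignored while /.git/HEAD and /.env are confirmed, four of the five baseline headers are reported missing, and the reflected origin with credentials is flagged as permissive CORS.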
Real flaws. Real companies.
Three discoveries, among others, all reported under responsible disclosure and since fixed. Names are anonymized in accordance with confidentiality commitments.
With a single command, it was possible to download the entire source code of 15 production sites. The repository contained: an active Google Cloud private key giving access to analytics data for 50 million monthly visitors, root server deployment credentials, and a JWT key enabling identity theft of any user account on the network.
The flaw was at the client's technical agency, not on the client's own infrastructure. An accessible Git repository on the agency's server contained configuration files for dozens of client projects. Among the secrets found: an active live-mode Stripe key, a CRM access key giving access to the full subscriber contact database with personal data, and user account management credentials.
A public URL gave access to the entire application source code with no authentication required. Analysis of the code revealed that the app's chat database was readable by anyone on the internet: conversations between drivers and passengers were visible in real time. The code also contained SQL injection flaws in the mobile API, and third-party service access keys stored in plaintext.
Three audit tiers.
From a quick diagnosis to full support. Every audit ends with an actionable report, prioritized by real impact.
LITE Audit
€49–99 · Quick diagnosis of your external exposure. Ideal for a first assessment.
- External attack surface scan
- Detection of exposed secrets and files
- Server configuration check
- Concise report with priorities
Latest articles
Research, vulnerabilities and security tips.
SPF, DKIM, DMARC: three obscure acronyms that let anyone send emails pretending to be you
Without these three DNS records, anyone can send an email that looks like it came from you, to your clients or your suppliers, without ever touching your mailbox.
Stored XSS: I Injected JavaScript Into Your Back-Office
One simple text field with no validation, and your back-office is running code without your knowledge. Stored XSS is the vulnerability everyone forgets — until the day it makes itself very hard to forget.
SSRF: I Asked Your Server to Open Your Internal Network for Me
Your server trusts its own requests. The problem is I asked it to make one on my behalf. And it complied.
Describe your exposure.
Response within 24 business hours · free initial analysis