Division 01 · Cybersecurity
Offensive security research and vulnerability disclosure for teams that ship fast and need to stay ahead of the attack surface. No retainer theater — real findings, real evidence.
How We Work
We start with a written scope document: what's in, what's out, what authorization level we have, and what constitutes a valid finding. No ambiguity. This protects you and ensures we test the right surface.
Before touching any system, we map what's publicly visible — DNS records, certificate transparency logs, WHOIS, Shodan, Wayback Machine, searches of public GitHub repositories for leaked credentials, and subdomain enumeration. This surfaces architecture, tech stack, and historical exposure before any test traffic reaches your servers.
We enumerate every endpoint, parameter, and trust boundary — authenticated and unauthenticated. For web apps this means full API discovery, GraphQL introspection, WebSocket handshakes, and JWT inspection. For AI systems this means tool-use surface, prompt routing, and output handling. Every endpoint gets logged in Valence before testing begins.
We methodically probe the mapped surface for real vulnerabilities — not automated scanner noise. Tests are manual and targeted: IDOR probing with two accounts, CORS reflection, JWT algorithm confusion, GraphQL batch abuse, SSRF chain construction, prompt injection with tool-use payloads. Each test is logged with request/response evidence at the time of execution.
Every confirmed finding gets a complete chain of evidence: reproducer steps, raw HTTP request/response, CVSS v3 base score with vector string, business impact statement, and, for authorization findings, proof that a second account's data or actions were affected. We don't submit single-account impact claims — we prove the cross-tenant boundary was crossed.
You receive a written report structured for your security team, your CTO, and your legal counsel — three audiences, one document. Findings are severity-sorted, each has a remediation recommendation, and the report includes a timeline of when we found what. For bug bounty programs, we submit through HackerOne or disclose directly, whichever your program policy specifies.
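The testing and evidence steps above, carried through for the IDOR case, as an added example (not the consultancy's own harness): one object request is replayed as its owner, as a second account, and unauthenticated, and a finding is recorded only when the second account receives the owner's exact bytes. The API it runs against is a constructed in-memory stand-in with a deliberately missing ownership check, plus the fixed version; the `send` callable, the session names and the order IDs are assumptions for the example, and a real engagement would swap in an HTTP client.

```python
import json
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Finding:
    title: str
    cvss_vector: str
    cvss_base: float
    request: str                 # the raw request replayed for both accounts
    evidence: dict               # raw response per account, plus body hashes
    reproducer: list = field(default_factory=list)
    found_at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())

# Constructed in-memory API (not a real target): two tenants, one order each.
_ORDERS = {"1001": {"owner": "alice", "total": "42.00"},
           "1002": {"owner": "bob", "total": "13.37"}}
_SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}

def _caller(headers):
    cookie = headers.get("Cookie", "")
    return _SESSIONS.get(cookie[len("session="):]) if cookie.startswith("session=") else None

def vulnerable_send(method, path, headers):
    """Deliberately broken: authenticates the caller but never checks ownership."""
    if _caller(headers) is None:
        return 401, '{"error":"unauthenticated"}'
    order = _ORDERS.get(path.rsplit("/", 1)[-1])
    return (200, json.dumps(order)) if order else (404, '{"error":"not found"}')

def fixed_send(method, path, headers):
    """Same API with the ownership check the remediation adds."""
    status, body = vulnerable_send(method, path, headers)
    if status == 200 and json.loads(body)["owner"] != _caller(headers):
        return 403, '{"error":"forbidden"}'
    return status, body

def _raw(status, body):
    return f"HTTP/1.1 {status}\r\nContent-Type: application/json\r\n\r\n{body}"

def idor_probe(send, method, path, victim_session, attacker_session):
    """Replay one object request as its owner (victim), as a second account
    (attacker) and unauthenticated. Report only when the attacker receives the
    victim's exact bytes: that is the cross-tenant proof the report needs."""
    responses = {
        "victim": send(method, path, {"Cookie": f"session={victim_session}"}),
        "attacker": send(method, path, {"Cookie": f"session={attacker_session}"}),
        "anonymous": send(method, path, {}),
    }
    victim_status, victim_body = responses["victim"]
    attacker_status, attacker_body = responses["attacker"]
    if not (victim_status == 200 and attacker_status == 200 and attacker_body == victim_body):
        return None
    # No session at all reaching the data is a missing-auth finding (PR:N), otherwise IDOR (PR:L).
    unauth = responses["anonymous"][0] == 200
    vector = "CVSS:3.1/AV:N/AC:L/PR:%s/UI:N/S:U/C:H/I:N/A:N" % ("N" if unauth else "L")
    object_id = path.rsplit("/", 1)[-1]
    return Finding(
        title=f"Unauthenticated read of {path}" if unauth else f"IDOR: cross-account read of {path}",
        cvss_vector=vector,
        cvss_base=7.5 if unauth else 6.5,
        request=f"{method} {path} HTTP/1.1\r\nCookie: session=<attacker>\r\n\r\n",
        evidence={who: {"raw": _raw(*r), "sha256": hashlib.sha256(r[1].encode()).hexdigest()}
                  for who, r in responses.items()},
        reproducer=[f"1. Log in as the victim and note an object id ({object_id}).",
                    "2. Log in as a second, unrelated account.",
                    f"3. Send {method} {path} with the second account's session.",
                    "4. Observe the victim's record is returned byte-for-byte."],
    )

if __name__ == "__main__":
    hit = idor_probe(vulnerable_send, "GET", "/orders/1001", "sess-alice", "sess-bob")
    print(json.dumps(hit.__dict__, indent=2) if hit else "no finding")
    print(idor_probe(fixed_send, "GET", "/orders/1001", "sess-alice", "sess-bob"))
```

The anonymous request is what separates "broken object-level authorization" from "no authentication at all"; the two carry different CVSS vectors and different remediation, so the probe records all three responses rather than just the attacker's.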
Engagement Types
Full-coverage manual testing of web apps — authentication flows, session management, authorization logic, file upload, CSRF, XSS, and business-logic bypasses.
REST and GraphQL APIs — endpoint enumeration, authorization testing, introspection abuse, batch query attacks, rate limiting validation, and JWT/OAuth flows.
Prompt injection, tool-use exploitation, sandbox escape attempts, agent trust-boundary analysis, MCP server security, and AI model API key exposure patterns.
Passive and semi-active external attack surface assessment — subdomain enumeration, exposed services, cloud misconfigurations, secrets in public repos.
Custom Tooling
HAR-file analysis engine. Feed it a browser network export and it automatically flags: exposed tokens and API keys, weak authentication patterns, CORS misconfigurations, GraphQL endpoints, and sensitive parameter names. Built to surface what manual review misses at scale.
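A minimal version of the triage the engine described above performs, written as an added example (it is not the consultancy's tool). It walks a HAR 1.2 export and flags the same classes the text lists: credential headers and JWT bearers, secrets and sensitive names in query strings, Basic auth, origin-reflecting CORS with credentials, and GraphQL endpoints. The HAR embedded at the end is constructed for the example, and the header names, regexes and sensitive-parameter list are assumptions a real engine would extend.

```python
import json
import re
import sys
from urllib.parse import urlsplit, parse_qsl

SENSITIVE_PARAMS = {"password", "passwd", "token", "api_key", "apikey",
                    "secret", "session", "ssn", "access_token"}
# Headers that carry credentials; vendor API-key header names are assumptions.
CREDENTIAL_HEADERS = {"authorization", "cookie", "x-api-key", "x-auth-token"}
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
# AWS access key IDs, Stripe-style keys, and long hex blobs (assumed formats).
KEY_RE = re.compile(r"(?:AKIA[0-9A-Z]{16}|sk_(?:live|test)_[A-Za-z0-9]{8,}|[A-Fa-f0-9]{32,})")

def _headers(part):
    return {h["name"].lower(): h["value"] for h in part.get("headers", [])}

def analyze_har(har):
    """Return (kind, url, detail) tuples for every entry that trips a check."""
    findings = []
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        url = req["url"]
        req_h, resp_h = _headers(req), _headers(resp)
        parts = urlsplit(url)

        # 1. Credentials in headers and query strings.
        for name in sorted(CREDENTIAL_HEADERS & req_h.keys()):
            findings.append(("credential_header", url, name))
        auth = req_h.get("authorization", "")
        if auth.lower().startswith("basic "):
            findings.append(("basic_auth", url, "authorization"))
        if JWT_RE.search(auth):
            findings.append(("jwt_bearer", url, "authorization"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAMS:
                findings.append(("sensitive_param", url, name))
            if JWT_RE.search(value) or KEY_RE.search(value):
                findings.append(("secret_in_query", url, name))

        # 2. CORS. Reflecting the caller's Origin together with
        #    Allow-Credentials: true is the exploitable case; a bare wildcard is
        #    only informational because browsers refuse credentials with '*'.
        acao = resp_h.get("access-control-allow-origin")
        acac = resp_h.get("access-control-allow-credentials", "").lower() == "true"
        origin = req_h.get("origin")
        if acao and origin and acao == origin and acac:
            findings.append(("cors_reflected_with_credentials", url, origin))
        elif acao == "*":
            findings.append(("cors_wildcard", url, "*"))

        # 3. GraphQL: by path, or by a JSON body that carries a query document.
        body = req.get("postData", {}).get("text", "")
        if "graphql" in parts.path.lower() or ('"query"' in body and "{" in body):
            findings.append(("graphql_endpoint", url, req["method"]))
    return findings

# Constructed HAR for the example; not a real capture.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET",
                 "url": "https://api.example.test/v1/users/42?api_key=AKIAABCDEFGHIJKLMNOP",
                 "headers": [{"name": "Origin", "value": "https://evil.example.test"},
                             {"name": "Authorization",
                              "value": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2ln"}]},
     "response": {"status": 200,
                  "headers": [{"name": "Access-Control-Allow-Origin", "value": "https://evil.example.test"},
                              {"name": "Access-Control-Allow-Credentials", "value": "true"}]}},
    {"request": {"method": "POST", "url": "https://api.example.test/graphql",
                 "headers": [{"name": "Content-Type", "value": "application/json"}],
                 "postData": {"mimeType": "application/json",
                              "text": "{\"query\": \"{ __schema { types { name } } }\"}"}},
     "response": {"status": 200, "headers": []}},
]}}

if __name__ == "__main__":
    har = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    for kind, url, detail in analyze_har(har):
        print(f"{kind:34} {detail:28} {url}")
```

Run it on a browser's "Save all as HAR" export; every hit is a lead to verify by hand, not a finding, which is why the output keeps the URL and the triggering value side by side.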
Continuous attack surface management and finding tracker. Manages scope boundaries, tracks every endpoint under test, stores chain-of-evidence per finding, and generates structured disclosure reports. Integrates with HackerOne API for submission coordination.
Bug bounty scope enforcement engine. Parses HackerOne and Bugcrowd program scopes, validates targets against in-scope definitions, and prevents accidental out-of-scope testing. Connects to Valence for automated scope tagging on all findings.
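The core of a scope check like the one described above, written as an added example rather than the consultancy's engine. Scope is modelled the way HackerOne and Bugcrowd publish it, as in-scope and out-of-scope asset lists, with these assumptions for the example: a leading `*.` matches subdomains at any depth but not the apex (list the apex explicitly if the program includes it), a pattern containing `/` is a CIDR range, and an out-of-scope match always wins. The program scope and targets at the bottom are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class Scope:
    in_scope: list
    out_of_scope: list = field(default_factory=list)

def _host(target):
    """Accept a bare host, host:port or URL; return the lowercase hostname."""
    if "://" not in target:
        target = "//" + target          # lets urlsplit treat it as an authority
    host = urlsplit(target).hostname
    return host.lower().rstrip(".") if host else None

def _matches(host, pattern):
    pattern = pattern.lower().strip()
    if "/" in pattern:                  # CIDR, e.g. 203.0.113.0/24
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:              # host is not an IP, or pattern is malformed
            return False
    if pattern.startswith("*."):
        # ".example.com" suffix: matches api.example.com and a.b.example.com,
        # but neither example.com (apex) nor example.com.evil.net.
        return host.endswith(pattern[1:])
    return host == pattern

def check_target(scope, target):
    """Return (allowed, tag). The tag is the matched pattern, which is what
    gets attached to every finding for that target."""
    host = _host(target)
    if host is None:
        return False, "unparseable target"
    for p in scope.out_of_scope:        # exclusions are checked first and win
        if _matches(host, p):
            return False, f"out of scope: {p}"
    for p in scope.in_scope:
        if _matches(host, p):
            return True, f"in scope: {p}"
    return False, "not listed"

def partition(scope, targets):
    """Split a target list into what may be tested and what must be dropped."""
    allowed, blocked = [], []
    for t in targets:
        ok, tag = check_target(scope, t)
        (allowed if ok else blocked).append((t, tag))
    return allowed, blocked

# Constructed program scope and candidate targets for the example.
PROGRAM = Scope(in_scope=["*.example.com", "example.com", "203.0.113.0/24"],
                out_of_scope=["staging.example.com", "*.internal.example.com"])
CANDIDATES = ["https://api.example.com/v1", "example.com", "example.com.evil.net",
              "staging.example.com", "db.internal.example.com",
              "203.0.113.7:8443", "203.0.114.7"]

if __name__ == "__main__":
    allowed, blocked = partition(PROGRAM, CANDIDATES)
    for t, tag in allowed:
        print(f"TEST   {t:32} {tag}")
    for t, tag in blocked:
        print(f"SKIP   {t:32} {tag}")
```

The suffix comparison keeps the leading dot on purpose: matching on `endswith("example.com")` is the classic bug that lets `example.com.evil.net` through, and the same mistake in a target's own origin checks is worth probing during the CORS tests.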
What You Get
Get Started
Send us a brief description of what you'd like tested. We'll respond within one business day with a scope draft and timeline estimate.
security@bigheadinvestments.net · Long Beach, CA