Methodology Brief · Hybrid Manual + SAST · Threat-Model Driven
TLP: Amber · NDA Required

Section 01 // Overview

Source Code Review.

Hybrid manual + SAST review. The scanner is the baseline, never the deliverable. We build the threat model, follow the data, and write framework-specific remediation.

Tiers
4
Focused → Enterprise
Duration
5 — 30 days
Tier dependent
Approach
Manual + SAST
Hybrid review
Languages
8 covered
Plus framework idioms

Section 02 // Engagement Tiers

Four review depths.

Pricing tracks LOC, language count, and how much we sample versus exhaustively walk.

Tier I // Focused
Focused
Critical components only — auth, crypto, payment. Single repo.
Days
5 — 7
Price
$8k — $15k
Tier III // Standard+
Standard+
50 — 100k LOC · 1 — 2 languages · supporting infra.
Days
15 — 20
Price
$25k — $45k
Tier IV // Enterprise
Enterprise
100k+ LOC · multi-language · multi-repo · CI/CD + IaC.
Days
20 — 30
Price
$40k — $70k
Pair with Web App Pentest

Bundling a code review with the matching web app pentest drops the combined price by 10% — context shared, threat model reused.

Request a Bundle

Section 03 // Languages & Frameworks

What we cover natively.

"Native" means we know the framework's idioms — Rails strong-params, Spring's CSRF defaults, Django's ORM quirks. Generic checks don't catch framework-specific bugs.

Covered · 01
Python
Django · Flask · FastAPI
Covered · 02
JavaScript · TypeScript
Node / Express · NestJS · Next.js
Covered · 03
Java
Spring · Quarkus
Covered · 04
Go
Gin · Echo · Fiber · stdlib
Covered · 05
Ruby
Rails · Sinatra
Covered · 06
PHP
Laravel · Symfony
Covered · 07
C# · .NET
.NET 6 / 7 / 8
Covered · 08
Rust
Web frameworks · stdlib

Stacks we refer out

Honest about the edges of our practice. We will either decline or quote with explicit caveats — never pretend.

Refer · Limited
C / C++
Deep memory-safety review needs a specialist firm — we will route you.
Refer · Future
Solidity · Smart Contracts
Future service. Today we refer to a Web3-specialist partner.

Section 04 // Components of Concern

Where bugs actually hide.

Risk is non-uniform — these nine areas account for almost every critical finding we ship. Manual sampling is concentrated here; SAST sweeps the rest.

CONCERN · 01
Authentication & Session
Login flow, password reset, MFA enforcement, JWT validation, session fixation.
CONCERN · 02
Authorization Layer
IDOR, vertical / horizontal escalation, tenant isolation, ABAC / RBAC enforcement points.
CONCERN · 03
Payment & Financial Logic
Race conditions, currency rounding, refund / chargeback flows, idempotency tokens.
CONCERN · 04
PII / PHI Handling
Data flow tracing, encryption at rest / in transit, logging hygiene, retention scopes.
CONCERN · 05
File Upload / Download
Type enforcement, polyglot defenses, antivirus integration, signed URL lifetimes.
CONCERN · 06
Third-Party Integrations
Webhook signature verification, OAuth scope boundaries, vendor SDK pinning.
CONCERN · 07
Background & Async Jobs
Queue authentication, deserialization risk, retry storms, fan-out abuse.
CONCERN · 08
Admin & Privileged Paths
Hidden endpoints, master-key checks, support-impersonation flows, audit trails.
CONCERN · 09
Public API Surface
Rate limiting, mass assignment, GraphQL field-level authZ, SSRF in URL-fetch endpoints.

Section 05 // Methodology

Seven phases. Threat-model driven.

The threat model is the routing table for the review. Every line of code we read traces back to a trust boundary or a sensitive flow on the DFD.

01
Architecture & Threat Modeling
~1 — 2 days
STRIDE · DFD
Repository intake, build / run locally, confirm scope boundaries
Walk existing architecture docs; flag inconsistencies vs the code
Draw a Data Flow Diagram (DFD) of the trust boundaries
Run STRIDE per trust boundary, prioritize review effort
If client has a threat model, validate it; otherwise build one
02
SAST Sweep & Manual Triage
~1 day
Semgrep · CodeQL · Custom Rules
Multi-engine SAST baseline — Semgrep + CodeQL, framework-specific rule packs
Triage every alert; false positives discarded, not shipped
Custom rule writing where compliance demands repeatable detection
SAST output is the floor — manual review never stops at the scanner
03
Authentication, Authorization, Session
~2 — 3 days
OWASP ASVS · L2 / L3
Login, registration, password-reset, MFA — flow + code
JWT / session token validation, expiry, rotation
IDOR & authorization — every endpoint, every role
Tenant isolation in multi-tenant code
SSO / OAuth / SAML integration auditing
04
Sensitive Data & Cryptography
~1 — 2 days
CWE-200 · CWE-327
PII / PHI flow tracing across services
Password storage — Argon2id / bcrypt validation, no MD5 / SHA1
Secret handling — env vars vs Vault vs hard-coded
TLS enforcement, no plaintext channels
JWT signing algorithm checks — no alg: none
Logging hygiene — no credentials / tokens / full card numbers in logs
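The token checks listed under phases 03 and 04 (JWT validation and expiry, no `alg: none`) are the kind of thing a reviewer verifies by reading the verifier, so here is what a correct one looks like. This is an added illustration, not tooling from the brief or from any client engagement: a minimal HS256 verifier on the Python standard library that pins the algorithm on the verifier side, compares the signature in constant time, and treats `exp` as mandatory. The key and claims are constructed sample values; `mint_hs256` accepts an `alg` argument only so the weak `none` token can be built for demonstration.

```python
"""Added example (not part of the methodology brief): a minimal HS256 JWT
verifier implementing the phase 03 / 04 token checks -- algorithm allow-list
(rejects ``alg: none`` and algorithm confusion), constant-time signature
comparison, and mandatory ``exp`` enforcement.  Standard library only."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SAMPLE_KEY = b"constructed-sample-hmac-key-not-a-real-secret"  # constructed value


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a token.  ``alg`` is a parameter only so the example can construct
    the ``none`` token a reviewer looks for; real issuers never let the caller
    choose the algorithm."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{body}."          # unsigned token, empty signature segment
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Return the claims if the token is acceptable, otherwise raise ValueError.
    The verifier decides the algorithm; the header is checked against it,
    never used as the source of truth."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Check 1: algorithm allow-list -- ``none`` and any non-HMAC alg are rejected.
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg: {header.get('alg')!r}")
    # Check 2: signature over header.payload, compared in constant time.
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    # Check 3: expiry is mandatory; a token without ``exp`` never expires.
    if "exp" not in claims:
        raise ValueError("missing exp claim")
    if now >= float(claims["exp"]):
        raise ValueError("token expired")
    return claims


def classify(token: str, key: bytes, now: Optional[float] = None) -> str:
    """Triage helper: 'ok' or the reason the token was rejected."""
    try:
        verify_hs256(token, key, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    good = mint_hs256({"sub": "user-42", "exp": time.time() + 600}, SAMPLE_KEY)
    weak = mint_hs256({"sub": "admin", "exp": time.time() + 600}, SAMPLE_KEY, alg="none")
    print("signed token:", classify(good, SAMPLE_KEY))
    print("alg none token:", classify(weak, SAMPLE_KEY))
```

The review question for each finding in this area is whether the application's verifier does all three of these things; a library call that takes the algorithm list from the token header, or that makes `exp` optional, is the usual defect.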
05
Input Validation & Injection
~2 — 3 days
OWASP Top 10
SQL / NoSQL injection — ORM raw-query call sites, string concatenation
XSS — output encoding context-by-context
Command, LDAP, template injection (SSTI), XXE
SSRF — URL-fetching code paths, internal-network reachability
Deserialization — native sinks per language
Mass assignment — Rails, Node, .NET binding code
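Phase 02 mentions writing custom rules where repeatable detection is needed, and the first item of phase 05 names the target those rules usually go after: raw-query call sites fed by string concatenation. As an added example, not the brief's own rule pack, the following AST walker shows the shape of such a check for Python code. The sink names in `RAW_SQL_SINKS` and the sample module it scans are assumptions constructed for the illustration; a production rule would use a real engine such as Semgrep with taint tracking, but the logic it encodes is the same.

```python
"""Added example (not tooling from the brief): a small AST-based rule of the
kind written in phase 02 and applied to the phase 05 raw-SQL call sites.  It
flags calls to assumed raw-SQL sinks whose query argument is built at runtime
(f-string, ``+`` concatenation, ``%`` formatting, ``str.format``) instead of
being a literal with bound parameters."""
import ast
from typing import List, Tuple

# Assumed sink list for the example; a real rule pack is framework-specific.
RAW_SQL_SINKS = {"execute", "executemany", "executescript", "raw", "extra"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True when the expression builds a string at runtime rather than being a literal."""
    if isinstance(node, ast.JoinedStr):                        # f"..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                            # "..." + x   or   "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                            # "...".format(x)
    return False


def find_dynamic_sql(source: str, filename: str = "<module>") -> List[Tuple[str, int, str]]:
    """Return (file, line, sink) for each raw-SQL sink whose first argument is dynamic."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name in RAW_SQL_SINKS and _is_dynamic_string(node.args[0]):
            hits.append((filename, node.lineno, name))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample module: two safe parameterised calls, three dynamic ones.
SAMPLE_MODULE = '''
def lookup(cursor, user_id, name):
    cursor.execute("SELECT * FROM users WHERE id = %s", [user_id])        # parameterised: ok
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")          # f-string: flag
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")     # concat: flag
    return User.objects.raw("SELECT * FROM app_user WHERE name = %s", [name])  # ok

def report(cursor, table):
    cursor.execute("SELECT count(*) FROM {}".format(table))               # format: flag
'''

if __name__ == "__main__":
    for path, line, sink in find_dynamic_sql(SAMPLE_MODULE, "sample.py"):
        print(f"{path}:{line}: dynamic SQL passed to .{sink}()")
```

Every hit is a triage candidate, not a finding: the reviewer still has to trace whether the interpolated value reaches the call from user input, which is exactly the manual step the brief says never stops at the scanner.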
06
Supply Chain & Dependencies
~1 day
SBOM · SLSA
SBOM generation (SPDX or CycloneDX) if none exists
Vulnerable dependency review — including transitive
Lockfile integrity & rotation hygiene
Private / vendored libraries audited individually
Typosquat / dependency-confusion exposure
07
Findings, Triage & Remediation
Continuous
CVSS v3.1 · CWE
Each finding cited by file:line with permalink to commit
Severity = CVSS v3.1 in your env, not the textbook score
Remediation written against your framework, not a generic snippet
Re-review for critical / high included for 30 days post-delivery

Section 06 // Beyond Application Code

Optional modules.

Code rarely ships alone. These four modules slot into the engagement when the risk surface extends past the application repository.

MODULE · CI/CD
Pipeline Review
Secret leakage paths, build provenance, runner permissions, deploy-key blast radius.
MODULE · CONTAINER
Dockerfile & Image
Base-image hygiene, root-vs-non-root, exposed secrets, layered-cache leaks.
MODULE · IaC
Terraform / Pulumi / CDK / Helm
Misconfigured IAM, public storage by default, drift between code and runtime.
MODULE · SBOM
Supply Chain SBOM
Generate / validate SBOM, transitive CVE map, lockfile integrity, registry posture.

Section 07 // Code Handling

Your code, treated like an asset.

NDA before access, deletion after delivery, secret rotation list at handoff. Three hosting options depending on how restrictive your policy is.

Mode · Restrictive
Client-Provided VDI
We work inside your dev box. Slower (no local tooling), but the code never leaves your perimeter. No price impact.
Mode · Strictest
Screen-Share Only
No copy of the code at all. Review through synchronous screen-share. Adds +30% to engagement — pace and coverage drop.
NDA
Mutual NDA required. Signed before any source-code access. Sent with SOW if not already on file.
GEO
Geographic restrictions honored — US-only or EU-only reviewer pools available.
SECRETS
Secret rotation list at handoff. We log every credential / token / key we encountered.
PII
Production data is not requested. If we encounter sample-PII in fixtures we flag and isolate it.

Section 08 // Pricing Adjusters

Base tier, then modules.

Adjusters stack on the tier price. Pairing with another engagement gives the only price discount we offer.

Module · Condition
Effect
Each additional language in scope
+ 15 %
No architecture docs — build threat model from scratch
+ 10 %
Bundle with a Web App Pentest of the same surface
− 10 %
Container & Dockerfile review
+ 5 %
IaC review — Terraform / Pulumi / Helm
+ 10 %
CI/CD pipeline review
+ 5 %
Screen-share only — no code copy
+ 30 %
Custom SAST rule pack required (compliance)
+ 10 %
Inline PR comments on findings (add-on)
+ $2k
Full re-scan after fixes (vs targeted re-review)
+ $3k
Languages we don't fully cover (C / C++ / Rust deep memory)
+ 25 % or refer

Fixed overhead included: 3 — 5 days of report writing (proportional to findings volume), 1 day of readout + revisions, and a 10% schedule buffer.

Section 09 // Deliverables

What you receive.

01
Executive Summary
One page. The engineering leadership and compliance teams will read the same document.
02
Threat Model & DFD
The architecture and trust-boundary diagram we built. Yours to keep, extend, and reuse next year.
03
Findings Report
Severity-ordered, CVSS v3.1. Each: file:line citation, repro, code snippet, framework-specific remediation, CWE refs.
04
Report Formats
PDF standard. PDF + JSON for auto-ticketing. PDF + per-finding Markdown. PR comments optional (+$2k).
05
SAST Output Appendix
Triaged scanner output, with false-positive call-outs. Raw output available on request.
06
Re-Review · Included
Critical / high re-review free within 30 days. Full re-scan available as a fixed add-on (+$3k).

Section 10 // Engagements We Decline

What we won't take.

Stated up front so the discovery call stays useful. If your situation matches one of these, we'll say so honestly.

× Won't sign an NDA. Code review requires deep trust on both sides. Without a mutual NDA we don't begin.
× "Just run Semgrep and send the output." That isn't our offering. We refer you to a pure SAST report at a different price tier.
× Review someone else's code without their consent. Code theft, IP exfiltration, or competitor analysis — refused immediately.
× "Find a way to bypass our open-source license." Refused. We aren't license-laundering consultants.
× "Insert a backdoor we can use later." Refused on the spot, every time. Engagement ends.
× "Certify our codebase as secure." We ship findings — we never certify the absence of bugs. Manual review is sampling-based.
× "Guarantee 100% coverage." Same answer. The deliverable is verified findings against a threat model, not a coverage badge.
× "Done in 5 days, 100k LOC." Unrealistic. We will educate or recommend the Focused tier on critical paths.

Engagement Inquiry

Brief us on the codebase.

Send approximate LOC, primary language(s), and which components worry you most. We respond with a tier recommendation and start window within one business day.