05 Practice · security
Security & compliance.
Security audits and PCI DSS consultancy for ASVs.
Best for
ASVs and merchants who need a partner that can both find the issue and ship the fix.
We help Approved Scanning Vendors and merchants close the gap between a passing scan and a defensible posture. PCI DSS scoping, evidence collection, scan-result triage, and remediation engineering — written by the people who'll fix the code, not just write the report.
PCI DSS is a paper trail and a posture. Most teams have one without the other. We help close the gap on both: scoping the cardholder data environment honestly, packaging the evidence so the QSA's life is easy, and triaging ASV scan results so you spend hours on real findings instead of weeks on noise. We've worked the merchant side and the ASV side, and we understand where they look different.
Where the work gets interesting is the remediation. Finding the issue is the first ten percent — most reports stop there. We stay through the fix: code review, threat modelling, the patch itself, and the re-scan that lets you defend the result. Reverse-engineering protection where the threat model warrants it, not by default.
What we build
- 01 PCI DSS scoping and gap assessments for SAQ-A through SAQ-D environments.
- 02 ASV scan triage: false-positive review, evidence packaging, dispute prep.
- 03 Application security audits: code review, threat modelling, fix patches. Reverse-engineering protection.
- 04 Remediation work for findings nobody else on the team wants to own.
Signals to call us
- An ASV scan with twenty open findings nobody on your team owns.
- A SAQ-D environment that grew faster than the diagram for it.
- A new payments flow that hasn't been threat-modelled yet.
- A breach disclosure or audit failure you need a calm hand on this week.
When this isn't us
Bug bounty operations or single-point pen tests with no follow-through. We work in engagements, not drive-bys.
One conversation, no proposal deck.
Sixty minutes on the phone. We bring questions. You bring the problem. By the end, both of us know if it's a fit — usually within the first ten.
Studio · admission
Q2 · 2 of 3 spots open