Proactive security against real-world threats.
Our goal isn't paper compliance — it's protecting your systems against real-world attacks. We work alongside your engineers to find the vulnerabilities in your stack before someone else does, then hand you back step-by-step technical remediation. Practical, outcome-focused security analysis to protect the privacy and integrity of the data your applications hold.
Engagements
Five focused tracks.
Tracks chosen deliberately around the kinds of systems we ourselves build. Not sure which one matches your asset? "Help me scope it" is a real option on the request form.
- Web / SaaS: Web Application & SaaS Review. Manual review of web apps and APIs — auth, authorization, business logic, supply chain, and the boring-yet-fatal stuff in between.
- WordPress: WordPress Security Review. Real WordPress hardening — plugin/theme audit, admin posture, REST API exposure, file uploads, and custom code review.
- Desktop / Plugin: Desktop App & CAD Plugin Review. Binary + runtime review for desktop apps and CAD plugins. Local privilege, secure storage, update channels, and license/IP protection.
- License & Activation: License & Activation Security. End-to-end review of activation, key validation, hardware fingerprint, online checks, anti-tamper, and the build pipeline.
- Mobile (basic): Basic Mobile App Review. Scoped iOS/Android review — secure storage, biometrics, deep links, TLS pinning, and the backend.
Not sure?
Tell us about your asset.
We help you scope it on the request form — no commitment, no fee, no spam.
The flow
Four steps. No surprises.
1. Scope: You submit a short request describing the asset.
2. Quote: We review and reply with a written, fixed-scope quote.
3. Authorization: On accept, we send a Letter of Authorization to sign.
4. Review & report: Active testing begins; technical report follows.
Honesty first
What we are, and what we are not.
What we are
- An independent software studio that takes security seriously.
- Hands-on engineers who hand-verify every finding before it ships.
- A partner for technical hardening — practical guidance an engineer can act on.
- Transparent about scope, schedule, and what we will and won't deliver.
- Working against public technical references (OWASP, MITRE ATT&CK, NIST SP 800-115).
What we are not
- A CREST / OSCP-certified pentest firm.
- An ISO 27001, SOC 2, PCI-DSS, or HIPAA auditor.
- A regulator-approved provider for TIBER-EU, CBEST, DORA TLPT, or similar regimes.
- A bug bounty program — we run scoped, time-boxed engagements.
- A vendor that issues compliance certificates. Our reports are technical guides, not audit evidence.
Important — please read
Are these reports valid for formal audits?
Our security analysis reports are prepared to identify technical vulnerabilities in your infrastructure, improve code security, and support system hardening. They serve as technical improvement guides and cannot be used as official documents in regulatory (certification-purpose) audits required by frameworks such as ISO 27001, SOC 2, PCI-DSS, GDPR, HIPAA, or local regulators (e.g. KVKK, BDDK, TSE in Türkiye). Our focus is the technical security of your system — not bureaucratic process. If you need a formal certificate, your accredited auditor issues that; we'd be happy to be one of the technical inputs they review.
References
Public technical references we work against.
These are open standards we use as the floor for our work — not certifications we hold or issue. Findings are tied back to the relevant control IDs so your engineers can defend the remediation in technical reviews.
What every engagement includes.
- NDA on day zero: We'll sign yours, not insist on ours. Mutual NDA template available.
- Manual verification: Every finding hand-verified. No raw scanner output in the deliverable.
- Defined communication channel: Channel and response expectations are agreed in the engagement letter. Critical findings are reported as soon as reasonably possible.
- Optional re-test: A limited verification pass on previously reported findings can be scoped separately after remediation.
- References, not certificates: Findings mapped to OWASP / MASVS / NIST control IDs as technical guidance.
- Optional readout call: A short written executive summary is included. Live readout calls are available when scoped.
- Reproduction without leaks: We share enough technical detail for verification and remediation — not reusable exploit chains, internal tools, prompts, or methodology.
- Practical, not theatrical: Findings come with the smallest possible fix that actually works — not 30 pages of citations.
FAQ
- Are you a certified pentest firm?
- No, and we say so up front. TrustEdge Labs is an independent software studio — not a CREST/OSCE-certified provider, not a regulator-approved pentest firm, not an ISO/PCI/SOC 2 auditor. We're hands-on engineers who do practical security analysis. If your engagement requires a regulator-recognized certificate, we're not the right partner.
- Will the report help with our SOC 2 / ISO 27001 / PCI-DSS / GDPR / HIPAA audit?
- Our reports are technical hardening guides — they describe vulnerabilities, give reproduction steps, and recommend fixes. They are NOT formal audit deliverables and they do NOT serve as evidence for compliance certification. They can be useful inputs to your auditor's technical control review, but the certificate itself is issued by your auditor, not by us.
- What do I actually get?
- By default: an executive summary for non-technical readers, a technical report with reproduction steps and request/response captures, and finding-by-finding remediation guidance. Live readout calls, additional verification passes (re-tests), shared instrumentation, and PoC scripts are optional and scoped per engagement in the SoW.
- Do you sign NDAs?
- Always — and we'll sign yours, not insist on ours. We can also work under a mutual NDA template if you don't have one.
- Can I see a sample report?
- Yes — there's a public redacted sample at /security/sample-report. It uses the same structure and tone as the real reports we ship; only the names, hostnames, and detailed findings have been replaced with placeholders.
- Do you test production?
- Yes, with care. Most engagements run against production with a clearly scoped rules-of-engagement document. Where production is too risky we mirror to a clone.
- Is a re-test included?
- Not by default. If you want a verification pass after remediation, it is scoped separately in the engagement letter — fee, timeline, and what is in scope are agreed up front. The pass covers only the previously reported findings, not new features or expanded scope.
- Are you a one-person studio?
- Yes. TrustEdge Labs is a small, independent studio run by an engineer who builds the same kind of products being analyzed. Specialist review may be arranged when an engagement calls for it. If you need the headcount of a large pentest firm, we are not that.
Get a quote
Tell us about your asset.
The request form takes about three minutes. We respond within one business day with scoping questions and a quote range.