TrustEdge Labs
Practical security analysis · Booking engagements

Proactive security against real-world threats.

Our goal isn't paper compliance — it's protecting your systems against real-world attacks. We work alongside your engineers to find the vulnerabilities in your stack before someone else does, then hand you back step-by-step technical remediation. Practical, outcome-focused security analysis to protect the privacy and integrity of the data your applications hold.

The flow

Four steps. No surprises.

  1. Scope

     You submit a short request describing the asset.

  2. Quote

     We review and reply with a written, fixed-scope quote.

  3. Authorization

     On accept, we send a Letter of Authorization to sign.

  4. Review & report

     Active testing begins; a technical report follows.

Honesty first

What we are, and what we are not.

What we are

  • An independent software studio that takes security seriously.
  • Hands-on engineers who hand-verify every finding before it ships.
  • A partner for technical hardening — practical guidance an engineer can act on.
  • Transparent about scope, schedule, and what we will and won't deliver.
  • Working against public technical references (OWASP, MITRE ATT&CK, NIST SP 800-115).

What we are not

  • A CREST / OSCP-certified pentest firm.
  • An ISO 27001, SOC 2, PCI-DSS, or HIPAA auditor.
  • A regulator-approved provider for TIBER-EU, CBEST, DORA TLPT, or similar regimes.
  • A bug bounty program — we run scoped, time-boxed engagements.
  • A vendor that issues compliance certificates. Our reports are technical guides, not audit evidence.

Important — please read

Are these reports valid for formal audits?

Our security analysis reports are prepared to identify technical vulnerabilities in your infrastructure, improve code security, and support system hardening. They serve as technical improvement guides and cannot be used as official documents in regulatory (certification-purpose) audits required by frameworks such as ISO 27001, SOC 2, PCI-DSS, GDPR, HIPAA, or local regulators (e.g. KVKK, BDDK, TSE in Türkiye). Our focus is the technical security of your system — not bureaucratic process. If you need a formal certificate, your accredited auditor issues that; we'd be happy to be one of the technical inputs they review.

References

Public technical references we work against.

These are open standards we use as the floor for our work — not certifications we hold or issue. Findings are tied back to the relevant control IDs so your engineers can defend the remediation in technical reviews.

OWASP Top 10
OWASP ASVS
OWASP MASVS
OWASP API Top 10
OWASP WSTG
MITRE ATT&CK
NIST SP 800-115
PTES

What every engagement includes.

NDA on day zero

We'll sign yours, not insist on ours. Mutual NDA template available.

Manual verification

Every finding hand-verified. No raw scanner output in the deliverable.

Live communications

Shared Slack/Teams channel for the duration. High-severity findings reported within the hour.

Re-test included

One round of re-testing within the post-engagement window — no additional fee.

References, not certificates

Findings mapped to OWASP / MASVS / ATT&CK / NIST control IDs as technical guidance.

Executive readout

30–60 minute live readout for leadership at the end of the engagement.

Source on request

We share PoCs, scripts, and runtime instrumentation back to your team.

Practical, not theatrical

Findings come with the smallest possible fix that actually works — not 30 pages of citations.

FAQ

Are you a certified pentest firm?
No, and we say so up front. TrustEdge Labs is an independent software studio — not a CREST/OSCE-certified provider, not a regulator-approved pentest firm, not an ISO/PCI/SOC 2 auditor. We're hands-on engineers who do practical security analysis. If your engagement requires a regulator-recognized certificate, we're not the right partner.
Will the report help with our SOC 2 / ISO 27001 / PCI-DSS / GDPR / HIPAA audit?
Our reports are technical hardening guides — they describe vulnerabilities, give reproduction steps, and recommend fixes. They are NOT formal audit deliverables and they do NOT serve as evidence for compliance certification. They can be useful inputs to your auditor's technical control review, but the certificate itself is issued by your auditor, not by us.
What do I actually get?
An executive summary deck for non-technical readers, a technical report with reproduction steps and request/response captures, finding-by-finding remediation guidance, a 30-minute readout call with your engineering team, and one round of re-testing within the post-engagement window — at no additional cost.
Do you sign NDAs?
Always — and we'll sign yours, not insist on ours. We can also work under a mutual NDA template if you don't have one.
Can I see a sample report?
Yes — there's a public redacted sample at /security/sample-report. It uses the same structure and tone as the real reports we ship; only the names, hostnames, and detailed findings have been replaced with placeholders.
Do you test production?
Yes, with care. Most engagements run against production under a clearly scoped rules-of-engagement document. Where production is too risky, we mirror to a clone.
How does a re-test work?
Within the post-engagement window (typically 90 days, 120 for desktop / network), we re-verify the findings you say you've fixed and update your findings document. No additional fee.
Are you a one-person studio?
Yes. TrustEdge Labs is led directly by Cihan Karabalta — a software engineer who builds the same kind of products being analyzed. Specialist review may be arranged when an engagement calls for it. If you need the headcount of a large pentest firm, we are not that.

Get a quote

Tell us about your asset.

The request form takes about three minutes. We respond within one business day with scoping questions and a quote range.