Cilantrobyte.


Security Reviews

Pragmatic security hygiene — the work your team will be asked about eventually, done deliberately now.

Category: Infrastructure
Starts with: A scoping call
Status: Booking 2026

(01) Our take

Security work at the studio is scoped deliberately. We’re not an application security firm, we’re not a penetration-testing shop, and we won’t pretend to replace the specialised work those firms do. What we are is the team that helps you get to the baseline most startups should already be at before a customer’s security questionnaire lands in your inbox and you discover how far away you actually are.

The baseline covers the parts of security that sit in the engineering surface rather than a specialist’s surface: secrets management that doesn’t leave API keys in environment variables forever, access control that doesn’t give every engineer production credentials, dependency hygiene that keeps CVEs from aging quietly in a lockfile, and the incident response process you’ll need the first time you get a responsible disclosure email. These are engineering problems with security implications, and that’s where we’re useful.

Our reviews start with an honest inventory: what you’ve got running, who has access to it, where the data lives, and what’s logged. We produce a written assessment — not a 60-page compliance document, but a prioritised list of what’s wrong, what matters most, and what to fix first. We’re deliberate about the prioritisation. Most security reports over-recommend; ours doesn’t. “This is acceptable risk for your stage” is a sentence we use, in writing, when it’s true.

For teams approaching a formal audit (SOC 2 Type 1 or 2, ISO 27001, HIPAA for health), we’ll help with the pre-audit hygiene work specifically. We won’t run the audit — that’s an auditor’s job — but we’ll get the engineering estate into shape so the audit itself is a non-event rather than a months-long remediation exercise. For teams not approaching an audit, we scope to the baseline hygiene that earns its keep regardless.

(02) What we build

Typical work

  • Secrets management setup (1Password, Vault, or cloud-native alternatives)
  • Access control audits and IAM hardening (AWS, GitHub, internal tools)
  • Dependency and supply-chain hygiene (Dependabot, Renovate, vulnerability triage)
  • Incident response runbooks and responsible-disclosure processes
  • Pre-audit engineering hygiene for SOC 2, ISO 27001, HIPAA

(03) Is this for you

When to pick this

  • A customer’s security questionnaire landed and you realised how far off you are.
  • You’re heading into a formal audit and the engineering estate isn’t ready.
  • You’ve had a close call (a credential leak, a suspicious access pattern) and want the basics fixed properly.
  • You’re growing past the stage where informal security hygiene still works.

When not to pick this

  • You need penetration testing. That’s a specialist firm, and we’ll refer.
  • You need a CISO. That’s a hire, not an engagement.
  • You’re at the baseline already and the questionnaire was a minor update. Answer it.

(04) Engagement shape

How we engage

3–6 week engagements for a security review with a prioritised remediation list. Longer when the remediation work is included in scope.

(05) What you walk away with

Deliverable

The headline artefact

A written assessment, a prioritised remediation list, and the remediation itself if that’s in scope — all framed around what matters at your stage, not a generic checklist.

Signature tools we reach for

  • AWS
  • GitHub
  • Terraform
  • 1Password

Start a Security Reviews engagement.