We sell accountability.
Most firms find the bug and hand it to the vendor. The vendor decides what happens next — usually nothing. We work the other direction.
A vulnerability nobody is forced to disclose is a vulnerability that stays buried.
The people who can find concealed defects rarely have the standing to compel action. The people with enforcement authority rarely have the depth to know what they’re looking at. We sit in that gap — detecting what was quietly patched, proving when the vendor knew, and translating it into language a regulator, an underwriter, or a court can act on.
What we watch.
Silent Patch Intelligence
Monthly report of every quietly patched vulnerability in your ecosystem, scored and explained.
$12,000 / year
Supply-Chain Watch
Standing monitoring of every dependency in your portfolio for silent patches and quiet regressions.
$24,000 / year
Disclosure-Record Audit
We grade a vendor’s public disclosure hygiene against what they actually patched in the dark.
$9,000 / vendor
CVE Program Liaison
Run your org’s CVE numbering and disclosure program so nothing ships unannounced.
$6,000 / month
Crown-Jewel Mapping
Threat model that names the shortest paths to maximum business damage on your target.
$12,000 / target
Detection Tooling Access
Licensed access to our silent-patch detection pipeline, with onboarding and support.
$4,000 / month
What we are known for.
Audit & Silent-Patch Archaeology
A full audit of a codebase or dependency, plus the complete concealment history — not just “are there bugs now,” but what was hidden, when, and who was exposed in the gap.
$40,000 / engagement
Regulatory Translation & Escalation
We take a confirmed finding, translate it into regulatory language, identify the body with jurisdiction, prepare the filing, and serve as technical expert through the process.
$12,000 / month retainer
Coordinated Disclosure Management
End-to-end handling of a disclosure: MITRE CVE filing, downstream notification to every affected party, deadline management, and a documented timeline that survives later dispute.
$9,000 / disclosure
What we drive.
Pre-Deployment Due Diligence
Security and disclosure-hygiene review before you commit capital or build on top of a target.
$25,000 / target
Breach Forensics
Post-incident causation chain linking the exploited weakness to the commit where the vendor knew.
$550 / hour
Whistleblower Validation
Secure channel that verifies insider and researcher tips before they reach an enforcement body.
$7,500 / month
Regulatory Filing Prep
Standalone preparation of a filing-ready package when you’ll carry the escalation yourself.
$10,000 / filing
Methodology Workshops
We teach your team silent-patch archaeology and autonomous vulnerability hunting, hands-on.
$8,000 / session
On-Call Research Retainer
Dedicated researcher hours on standing retainer for fast-turnaround questions and triage.
$5,000 / month
We do not sell comfort.
What we sell
- Proof a vendor concealed a defect
- The commit history that dates their knowledge
- Findings translated for people with subpoena power
- A causation chain that survives discovery
What we don’t
- Compliance checkboxes
- Assurance letters
- Vendor-friendly “responsible” silence
- Findings that die in a private inbox
If you suspect something was buried.
Bring us the finding, the ghosted report, or the vendor whose disclosure record doesn’t add up. Initial review of whether a matter meets regulatory threshold carries no charge.
