You should have seen the look on the face of Tony (the CTO) when we showed him how insecure their multi-million-dollar software stack was.

Of course, they were working with "penetration" testers and security analysts from one of Forbes's Top 50 -we do anything you want- I.T. firms, and they kept telling him how qualified and good their security guys were, with "respected" certificates from "respected" security gurus with "respected" references. Months later they gave Tony a detailed security report and said, "If you fix all the bugs in our (232-page) report then you should be fairly secure." And Tony added, "And I'm sure that we have fixed all."

"It is not possible," said the DBA when we showed him "the data" we had fetched from the multi-million-dollar database under his administration while he was probably snoring in his bed at 02:34 the night before. Then I asked, "Why do you think that it is not possible?" He said, "Because we are using 2048-bit encryption and Oracle is the most secure database ever!!!"

"We paid a lot to secure our systems," said the CEO. And after a sudden silence he added, "You will not tell anyone about this before we fix it, right?"

No, we will not. We don't need to, because we have already been there, satisfying our egos when we were in school. Years passed. Some of us moved to the dark side, and you probably hear about them on the news when a finance firm, a government agency or a high-tech company gets hacked, or when someone goes to jail after a long pursuit.

And some of us should be the good guys, as a result of dialectics, to "balance the force".

Long story short:

  • We work together with people to protect and strengthen structures in mind, because we know that more aware people mean more aware and secure organizations.

  • We start with the human and end with the human. Every vulnerability we find and every issue we exploit is a lesson to teach and to learn from. We make people understand with real examples, not boring technical documentation.

  • We are paranoid and we make you paranoid too. It is an evolutionary mechanism to "stay alive" and be "secure".

  • We know that security is a matter of critical thinking, not a job or a profession. Thus we do not see what we do as a job or a profession. So we stay amateurs, and we are fine with it.

  • If it turns out to be a subject of "the public interest", we don't care, even if you are the N.S.A. So if you are "the bad guys", you wouldn't want to work with us.

  • We find and exploit vulnerabilities that you have never heard of. We create.