Manual offensive review of web applications and HTTP / GraphQL APIs against OWASP WSTG and ASVS. Authenticated session testing, business-logic flaws, IDOR, injection chains, SSRF, deserialisation. Findings reproduced with proof-of-concept where impact requires it.
Test what attackers see first. We probe the perimeter that defenders forget, and harden what offence finds first.
Offensive testing + defensive hardening, by signed engagement.
- Manual web pentests, scoped per project
- Continuous attack-surface monitoring
- Findings your team can ship the same sprint
Tholim is a small purple-team practice — offensive testing, defensive hardening, and continuous attack-surface monitoring under one roof. We work directly with engineering teams under signed authorisation, deliver findings with reproducible evidence, and help the same teams ship the fixes.
What "purple-team" actually means.
Two halves, one room. The same engineers do the offensive review and hand the fix back to the team that owns the code — no translation layer between attack and remediation. You get a finding with a working curl, a stack-specific patch, and a re-test run by the people who broke it. That's the whole pitch.
Break it like an attacker
Manual offensive review against your live perimeter. Auth bypass, IDOR, injection chains, SSRF, business-logic flaws — reproduced with the request that proves them.
Fix it with the engineers
Remediation scoped to the stack we found. Where it's mechanical we open the PR, where it's architectural we pair until it's right. Re-test runs against the patched build before the finding closes.
Five practice areas. One operating standard.
Engagements are scoped and priced per project — not retainer-locked, not seat-based. Every report is reviewed by a second pair of eyes before it leaves the practice. The smallest engagement we accept is roughly one calendar week of work.
Recurring passive surveillance of your public surface: new subdomains, certificate issuance, exposed services, secret leaks in JS bundles, retired-but-still-online assets, third-party dependency drift. Diff alerts to Slack or email when something changes.
AWS / GCP / Azure configuration audit against CIS Benchmarks. IAM misconfigurations, public buckets, exposed metadata, security group sprawl, KMS key hygiene. Walk-through of remediation with the team that owns each control.
Email & domain hardening
SPF, DKIM, DMARC, MTA-STS, TLS-RPT, BIMI configuration. Anti-spoofing posture review with active spoofing demonstration where authorised. The class of finding that can liquidate a customer base — and the cheapest to close.
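The posture review above boils down to a handful of DNS checks. The following is an added example, not the practice's own tooling: it walks a constructed set of TXT records for a placeholder domain and flags the weak states the page lists as findings (DMARC absent or p=none, MTA-STS absent, permissive SPF). Record names and the severity labels are assumptions.

```python
import re

# Constructed sample zone, shaped like the TXT answers a resolver returns.
# example.test is a placeholder, not a client domain.
ZONE_TXT = {
    "example.test": ["v=spf1 include:_spf.example.test ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    # deliberately no _mta-sts.example.test and no _smtp._tls.example.test
}

def txt(zone, name, prefix):
    """First TXT record at `name` whose value starts with `prefix` (case-insensitive)."""
    return next((r for r in zone.get(name, []) if r.lower().startswith(prefix)), None)

def tags(record):
    """Parse a 'k=v; k=v' tag list (DMARC, MTA-STS, TLS-RPT) into a dict."""
    return dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)

def email_posture(zone, domain):
    """Return (severity, message) findings for the anti-spoofing records of `domain`."""
    findings = []
    spf = txt(zone, domain, "v=spf1")
    if spf is None:
        findings.append(("high", "SPF absent: any host may claim to send as the domain"))
    elif re.search(r"\s[+?]all$", spf) or spf.endswith(" all"):
        findings.append(("high", "SPF terminates in +all/?all: record authorises everyone"))
    elif spf.endswith("~all"):
        findings.append(("low", "SPF uses ~all (softfail); -all is stricter once DMARC is enforced"))
    dmarc = txt(zone, f"_dmarc.{domain}", "v=dmarc1")
    if dmarc is None:
        findings.append(("high", "DMARC absent: receivers apply no policy to spoofed mail"))
    else:
        d = tags(dmarc)
        if d.get("p", "none").lower() == "none":
            findings.append(("medium", "DMARC p=none: monitoring only, spoofed mail is still delivered"))
        if "rua" not in d:
            findings.append(("low", "DMARC has no rua= address: aggregate reports are discarded"))
    if txt(zone, f"_mta-sts.{domain}", "v=stsv1") is None:
        findings.append(("medium", "MTA-STS absent: inbound SMTP TLS can be downgraded"))
    if txt(zone, f"_smtp._tls.{domain}", "v=tlsrptv1") is None:
        findings.append(("low", "TLS-RPT absent: no visibility into TLS delivery failures"))
    return findings

if __name__ == "__main__":
    for severity, message in email_posture(ZONE_TXT, "example.test"):
        print(f"[{severity}] {message}")
```

Swapping `ZONE_TXT` for live lookups (for example via dnspython) is the only change needed to run it against a domain you are authorised to review.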
On-call assistance when something looks wrong: log triage, scope estimation, containment guidance, evidence preservation. Hand-off to law-enforcement-grade forensics partners when the scope demands it.
Four operating principles that decide what we ship and what we refuse.
A purple-team practice should produce evidence the engineering team can act on within the same sprint. The four principles below are how we keep deliverables grounded in that constraint.
- 01 Reproducible evidence
Every finding ships with the exact request, response, or capture that proves it. No screenshot-only claims, no "trust the consultant" reports.
- 02 Remediation-grade output
Findings include a fix path scoped to the stack we found in the audit — not generic OWASP boilerplate. Where appropriate, we open the pull request.
- 03 Reference tools, not reinvention
We orchestrate Mozilla Observatory, sslyze, RetireJS, ProjectDiscovery's nuclei and subfinder, plus our own native checks. The same tools the public security community already audits.
- 04 Authorisation discipline
Active testing begins only after we hold a signed authorisation and a verified domain-ownership proof. The authorisation file is timestamped and retained for the engagement lifecycle.
What we maintain in the open.
We give back what we use day to day. Our internal tools eventually become public — partly to improve them under outside review, partly because the field works better when the floor is shared.
Tholim Surface Audit
A passive web reconnaissance tool. Eighteen checks orchestrated across Mozilla Observatory, sslyze, RetireJS, ProjectDiscovery's nuclei and subfinder, certificate-transparency logs, OTX, Shodan InternetDB. Signed report, reproducible evidence, twenty-five-second median runtime.
Tholim Mobile Audit
APK / IPA static analysis on top of MobSF — same orchestration model as the web surface audit, hooked into our reporting format.
Continuous monitor agent
Daemon that re-runs the surface audit on a schedule, diffs against a baseline, and pushes deltas to Slack or email. Currently powering our retainer monitoring engagements.
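The core of a monitor like the one described is the baseline diff. As an added example (not the practice's agent), the following compares two constructed snapshots of a public surface, of the kind the monitoring description above lists (subdomains, exposed services, certificate fingerprints), and returns the deltas an alert would carry. The snapshot layout, placeholder hostnames and severity rules are assumptions.

```python
# Constructed baseline and current snapshots (placeholder hostnames and
# truncated fingerprints; not data from any engagement on the page).
BASELINE = {
    "subdomains": ["www.example.test", "api.example.test", "old-cms.example.test"],
    "services": {"www.example.test": [443], "api.example.test": [443]},
    "cert_sha256": {"www.example.test": "aaaa1111", "api.example.test": "bbbb2222"},
}
CURRENT = {
    "subdomains": ["www.example.test", "api.example.test", "staging-admin.example.test"],
    "services": {"www.example.test": [443], "api.example.test": [443, 22],
                 "staging-admin.example.test": [80]},
    "cert_sha256": {"www.example.test": "cccc3333", "api.example.test": "bbbb2222"},
}

def diff_surface(base, cur):
    """Return (severity, message) deltas between two snapshots; [] when nothing changed."""
    deltas = []
    b_hosts, c_hosts = set(base["subdomains"]), set(cur["subdomains"])
    for h in sorted(c_hosts - b_hosts):
        deltas.append(("medium", f"new subdomain: {h}"))
    for h in sorted(b_hosts - c_hosts):
        deltas.append(("info", f"subdomain gone: {h}"))
    for h, ports in sorted(cur["services"].items()):
        known = set(base["services"].get(h, []))
        for p in sorted(set(ports) - known):
            # Assumed rule: anything beyond plain web ports is treated as high.
            sev = "medium" if p in (80, 443) else "high"
            deltas.append((sev, f"new exposed service: {h}:{p}"))
    for h, fp in sorted(cur["cert_sha256"].items()):
        old = base["cert_sha256"].get(h)
        if old and old != fp:
            deltas.append(("info", f"certificate changed on {h}: {old} -> {fp}"))
    return deltas

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}

def format_alert(deltas, min_severity="medium"):
    """Build the message body to push; None when nothing reaches the threshold."""
    kept = [d for d in deltas if SEVERITY_RANK[d[0]] >= SEVERITY_RANK[min_severity]]
    if not kept:
        return None
    return "\n".join(f"[{sev}] {msg}" for sev, msg in kept)

if __name__ == "__main__":
    print(format_alert(diff_surface(BASELINE, CURRENT)) or "no material change")
```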
Field journal
Anonymised case write-ups, vulnerability classes we keep finding, and tooling notes. Published when the engagement permits.
A few recent engagements, redacted to the bone.
Client names withheld under engagement terms. Findings categorised here only after remediation; the line below the date confirms when the post-fix verification ran clean. Case-study write-ups available on request.
DMARC absent · TLS 1.0 negotiable · Mozilla F
→ fixed inside 90 min via Cloudflare panel + DNS TXT
IDOR on user-export endpoint · public S3 bucket with logs · MFA bypass via OAuth flow
→ patched in two sprints, post-fix scan clean
DKIM key 1024-bit · MTA-STS absent · subdomain takeover candidate on legacy host
→ rotated keys, deployed MTA-STS, decommissioned host
8 deltas surfaced over the period · most material: exposed staging admin
→ ACL'd within 4 hours of alert
Mass-assignment on enrollment API · CORS reflection · stored XSS in markdown rendering
→ fixed and re-tested, no regressions
Tell us what you're shipping. We'll tell you whether we can help.
We reply within two working days with a scoping note, a rough timeline, and a fixed-fee estimate. If the work isn't a fit, we'll say so and refer you to a practice that is.
- Email: hello@tholim.com
- PGP: key on /.well-known/security.txt
- Signal: on request
- Locale: EU · remote first · on-site by arrangement