Attackers don't need zero-days.
They need your pipeline.
A misconfigured Terraform module, a leaky GitHub Actions workflow, or an overpermissive IAM role is all it takes. We find those before someone else does.
Practitioner-led · GCP-native expertise · Open source tooling
What We Do
Hands-on security reviews by people who have broken these systems — and built them.
Cloud Security
IAM audit, misconfiguration review, network topology analysis, and attack path mapping. Deep GCP expertise, cloud-agnostic methodology.
Kubernetes Security
RBAC analysis, pod security, network policies, admission control, supply chain trust, and cluster hardening.
CI/CD Security
Pipeline audit, secrets exposure, dependency confusion, OIDC trust chain review, and supply chain risk assessment.
Who this is for
We work best with engineering-led organizations that move fast, ship real infrastructure, and want honest answers — not a report that sounds good in a board deck.
SaaS startups shipping on GitHub Actions, GitLab CI, or CircleCI
Engineering teams managing infrastructure with Terraform, Pulumi, or CDK
Cloud-native companies on GCP, AWS, or Azure that haven't had a security review since they scaled
Dev teams that use Kubernetes and want to know what an attacker would actually do with it
Companies preparing for SOC 2, customer security reviews, or board-level risk conversations
Who it's not for
We'd rather tell you this upfront than waste both our time.
Enterprise compliance programs that need checkboxes signed — we do attack paths, not audits
Teams looking for a vulnerability scanner they can run themselves — that's what Beacon is for
Not sure if we're a fit?
Tell us what you're building and where you're worried. We'll tell you honestly whether we can help — and if not, who probably can.
hello@stormbane.net
What we actually find
These aren't theoretical. They're representative of findings from real engagements — the kind that survive security reviews and automated scanners.
pull_request_target with untrusted checkout
Impact
Any external contributor can open a PR that exfiltrates all repository secrets and gains code execution in your CI environment. This is exploitable with a single pull request — no account compromise required.
Fix
Never checkout untrusted code in pull_request_target context. Use pull_request for untrusted PRs, or isolate secret access to protected branches only.
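A check for the pattern above, as an added example rather than Stormbane's tooling: it assumes the workflow file has already been parsed with PyYAML (not shown), and the two workflow dicts at the bottom are constructed.

```python
# Added example (not Stormbane's code): flag jobs that check out PR code while
# running under pull_request_target, i.e. with base-branch secrets available.
# Assumes the workflow file is already parsed into a dict (PyYAML, not shown);
# the two workflows at the bottom are constructed.
import re

# Expressions that resolve to the contributor's code instead of the base branch.
UNTRUSTED_REF = re.compile(
    r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref"
)

def untrusted_checkout_jobs(workflow: dict) -> list:
    """Return job names that check out the PR head under pull_request_target."""
    # PyYAML (YAML 1.1) parses the bare key `on` as the boolean True.
    triggers = workflow.get("on", workflow.get(True)) or {}
    if isinstance(triggers, str):
        triggers = [triggers]
    if "pull_request_target" not in triggers:
        return []
    flagged = []
    for name, job in (workflow.get("jobs") or {}).items():
        for step in job.get("steps") or []:
            if not str(step.get("uses", "")).startswith("actions/checkout"):
                continue
            # A checkout with no ref takes the base branch, which is the safe form.
            ref = str((step.get("with") or {}).get("ref", ""))
            if UNTRUSTED_REF.search(ref):
                flagged.append(name)
                break
    return flagged

# Constructed: the page's finding. Secrets are exposed and the PR's code runs.
VULNERABLE = {
    "on": {"pull_request_target": {}},
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": "npm ci && npm test", "env": {"TOKEN": "${{ secrets.TOKEN }}"}},
    ]}},
}
# Constructed: the page's fix. On pull_request, PRs from forks get no secrets.
FIXED = {
    "on": {"pull_request": {}},
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"run": "npm ci && npm test"},
    ]}},
}
```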
Terraform state stored in public GCS bucket
Impact
State files contain every resource attribute at creation time — database passwords, private keys, API tokens. A public bucket means anyone can read your full infrastructure secrets without authentication.
Fix
Enable uniform bucket-level access, remove allUsers IAM bindings, and enable versioning. Use a separate GCS bucket per environment with access scoped to the deploying service account only.
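An added example (not Stormbane's tooling) that audits a state bucket's configuration and IAM policy against the fix above; the bucket and policy dicts are constructed to mirror the GCS JSON API bucket resource and IAM policy shapes.

```python
# Added example (not Stormbane's code): check a state bucket against the fix
# above. The dict shapes follow the GCS JSON API bucket resource and an IAM
# policy (bindings/role/members); every value below is constructed.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

def audit_state_bucket(bucket: dict, policy: dict) -> list:
    """Return findings; an empty list means the bucket matches the fix."""
    findings = []
    iam_cfg = bucket.get("iamConfiguration") or {}
    if not (iam_cfg.get("uniformBucketLevelAccess") or {}).get("enabled"):
        findings.append("uniform bucket-level access off: legacy object ACLs still apply")
    if not (bucket.get("versioning") or {}).get("enabled"):
        findings.append("versioning off: an overwritten or deleted state is gone")
    for binding in policy.get("bindings", []):
        role = binding.get("role", "?")
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append(f"public binding: {member} -> {role}")
            elif not member.startswith("serviceAccount:"):
                # The fix scopes access to the deploying service account only.
                findings.append(f"non-service-account principal: {member} -> {role}")
    return findings

# Constructed: the page's finding. Anyone can read the state, and nothing
# preserves an overwritten or deleted state file.
LEAKY_BUCKET = {"name": "tfstate-example",
                "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False}},
                "versioning": {"enabled": False}}
LEAKY_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["user:alice@example.com"]},
]}
# Constructed: one bucket per environment, deployer service account only.
HARDENED_BUCKET = {"name": "tfstate-example-prod",
                   "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True}},
                   "versioning": {"enabled": True}}
HARDENED_POLICY = {"bindings": [
    {"role": "roles/storage.objectAdmin",
     "members": ["serviceAccount:deploy-prod@example-project.iam.gserviceaccount.com"]},
]}
```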
Wildcard CORS origin with credentialed requests allowed
Impact
Any website — including attacker-controlled pages — can make authenticated API requests using a victim's session. The browser will include cookies automatically. Effective session hijacking with no malware required.
Fix
Enumerate allowed origins explicitly. Access-Control-Allow-Origin: * and Access-Control-Allow-Credentials: true cannot coexist — browsers block it, but some misconfigured proxies do not.
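An added example (not Stormbane's tooling) that classifies a set of response headers for the issue above and shows the hardened allow-list form; the origins and header sets are constructed, and the check goes one step past the page's wildcard case by also flagging an Origin that is reflected back with credentials.

```python
# Added example (not Stormbane's code): classify a response's CORS headers for
# credentialed cross-origin reads, and build hardened headers from an explicit
# allow-list. Origins and header sets are constructed. Beyond the page's
# wildcard case, it also flags an Origin reflected back with credentials.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}

def cors_risk(request_origin: str, resp: dict):
    """Return a finding string, or None when no credentialed read is possible."""
    h = {k.lower(): v.strip() for k, v in resp.items()}
    acao = h.get("access-control-allow-origin", "")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if not creds:
        return None  # no cookies are attached, so only public data is readable
    if acao == "*":
        # Browsers refuse * with credentials; the page's point is that a
        # misconfigured proxy in front of the API may not.
        return "wildcard origin with credentials"
    if acao == "null":
        return "null origin with credentials (sandboxed iframes send it)"
    if acao == request_origin and request_origin not in ALLOWED_ORIGINS:
        return "origin reflected with credentials"
    return None

def cors_headers(request_origin: str) -> dict:
    """Hardened form: echo only allow-listed origins and vary on Origin so a
    cache never replays one origin's headers to another."""
    if request_origin not in ALLOWED_ORIGINS:
        return {}  # unknown origin gets no CORS headers; the browser blocks the read
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }
```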
Entry point
CI/CD + IaC Security Assessment
$3,000 – $7,000
Depending on scope. Delivered in 5 business days.
We go through your pipelines, your Terraform, and your cloud permissions the way an attacker would — looking for the paths that survive your normal review process. You get a prioritized report with exact remediation steps, not a list of medium-severity CVEs.
What's included
Pipeline configuration audit — GitHub Actions, GitLab CI, or CircleCI
Secrets exposure review — what's leaking and how it gets rotated
IaC security review — Terraform, Pulumi, or CDK misconfigs and drift
OIDC trust chain and token scope — what your pipelines can actually reach
Dependency and supply chain risk — pinning, provenance, and third-party action exposure
Prioritized findings with exact fixes — not a PDF full of scanner output
Open Source
We build and maintain public security tooling. Our methodology is open — the tools are free to use.
Beacon
Attack surface scanner
Most scanners run a checklist. Beacon fingerprints your stack — identifying services, frameworks, and exposed interfaces — then uses AI to reason across attack vectors and surface real attack paths, not a list of CVEs.
$ go install github.com/stormbane-security/beacon@latest
$ beacon scan --target api.example.com
[beacon] Resolving api.example.com...
[beacon] Running surface scan (passive)
[CORS] api.example.com — wildcard origin (*) with credentials
[TLS] api.example.com:443 — TLS 1.1 accepted (deprecated)
[HEADER] api.example.com — missing Content-Security-Policy
[JWT] /auth/token — alg:none accepted
[AI] Analyzing findings across attack vectors...
[AI] Attack path: CORS bypass → credential theft → /auth/token
[AI] Confidence: high | Impact: account takeover
4 findings | 2 high | 2 medium | 1 attack path
Ready to harden your stack?
We respond within one business day. Tell us what you're building and we'll tell you where it's exposed.
Get in touch