About Stormbane
Stormbane Security is a security consulting firm focused on the attack surface that engineering teams actually live in: cloud infrastructure, Kubernetes clusters, and CI/CD pipelines.
Patrick Putman
Founder — Birmingham, Alabama
We started Stormbane because we kept seeing the same gap: engineering teams shipping excellent software into infrastructure with serious, exploitable security debt. Not because they didn't care — because the tooling to surface those problems was either opaque, expensive, or designed for a compliance checkbox rather than real adversary resistance.
Our approach is different. We bring the perspective of people who have spent time on both sides — building cloud-native systems at scale, and testing them from the outside. We know where the bodies are buried in GKE clusters, GitHub Actions workflows, and GCP IAM policies, because we've buried a few ourselves.
We also believe in transparency. Our primary scanning tool, Beacon, is open source and Apache-licensed. You can read the code, understand the methodology, and run it yourself before you ever talk to us. That's intentional.
How we operate
Responsible disclosure
When we find something during an engagement, we report it — fully, clearly, and with enough context to fix it. No fluff, no filler, no CVSSv3 theatrics.
No vendor kickbacks
We don't take referral fees or commissions from tool vendors. Our recommendations are based on what actually works for your threat model, not what pays us.
Practitioner-led
Every engagement is run by people who spend time in terminals, not in PowerPoint. We've built, broken, and defended these systems ourselves.