An independent forensic review of your SaaS — security, stability, and 152-ФЗ compliance — done in two or four weeks. Latest audit: 9 P0 + 19 P1 found in 12 days, including a live JWT impersonation bypass.
10+ years building product at Ozon · Avito · Yandex
Three layers. Each one matters separately. Together they tell you whether your SaaS can survive scale.
OWASP Top 10, auth flows, multi-tenant isolation, IDOR, JWT, secrets, webhooks. Runtime exploitation against a staging or production endpoint, with your permission.
Production log forensics, database connection-pool configuration, error budgets, idle-session timeouts, P0 fatal patterns. Why your server “just falls over” — found in the logs, not guessed.
Data flow mapping, consent logs, DPA gaps with cloud vendors (Yandex Cloud OCR, OpenAI, etc.), Roskomnadzor readiness. Compliance as code, not paperwork.
Fixed price, fixed scope. No RFP, no procurement theatre. Pick a tier, sign, start within a week.
Code review + production log analysis + OWASP Top 10 sweep + 152-ФЗ status. Top P0/P1 findings with fix recommendations.
Best for: pre-PMF SaaS, 5–50 users
Express + runtime exploitation tests + live demos of every P0 + 152-ФЗ deep dive + cloud DPA review + full-team walkthrough session.
Best for: SaaS with paying users
Monthly audit sweep + every-PR review on security-sensitive changes + 152-ФЗ ongoing advisory + design+engineering supervision.
Best for: SaaS scaling its team
Not for: bug-bounty replacement · ФСТЭК (FSTEC) certification (requires a licence) · marketing “security badge” engagements
From a 12-day engagement with a Russian document-management SaaS, May 2026. Names removed, findings preserved.
A free 32-point checklist combining OWASP Top 10 and 152-ФЗ compliance. The questions I open with on every engagement. PDF, 6 pages.
No newsletter. No drip funnel. One email with the PDF, then I leave you alone.
Ideally read-only access, yes. If that’s a blocker, a sanitized SQL dump works for most checks. We sign an NDA either way and I run a local PII sanitizer (Anonymous) over any logs you send before they touch any cloud tool.
Only with explicit written permission and with you watching. Default mode is static analysis plus low-impact runtime probes. The JWT bypass demo from the example above was run on a staging copy first, then reproduced on production with the client’s engineering lead in the room.
A markdown report with severity-tagged findings (P0 / P1 / P2 / P3), reproduction steps, fix recommendations, and a Sprint 1 roadmap. Plus a 60-minute walkthrough call with your team. No 80-page Word documents.
No — and that’s on purpose. If you need a licenced auditor for state contracts or Roskomnadzor inspection prep, talk to RTM Group, Бастион, or Digital Security. My engagement is technical + practical, not certificatory.
Currently accepting 1 project, May–July 2026. Typical lead time is 1–2 weeks from signature to kick-off. Express Audit fits a 2-week sprint, Full Audit a 4-week one.
One email. We talk for 30 minutes, I tell you which tier fits, you decide. No pitch deck.