CyberSafety.pro
Penetration Testing • SOC-as-a-Service • Compliance

Prevent breaches before they happen.

14-day penetration tests with actionable remediation plans. Continuous monitoring via SOC to keep you compliant with PCI DSS, GDPR and SOC 2.

Trusted by teams in FinTech, E-commerce & SaaS since 2013.

Free Threat Simulation Report

A free, non-intrusive simulation of how an attacker could target your public footprint. We outline plausible entry points, assets at risk, and quick wins to reduce likelihood and impact.

  • What we simulate: attack surface mapping (domains/subdomains), weak TLS/headers, misconfigurations, exposed assets, perimeter CVEs, risky widgets/SDKs.
  • What you get in 24–48h: a concise 2-page report with prioritized risks (High/Med/Low), screenshots/artifacts, and a developer-ready fix checklist.
  • Safe & legal: non-disruptive checks only. NDA available on request.

We’ll get back within 24–48 hours. No spam.

Trusted by

zoiper.com olimp.com coinigy.com bongacams.com kommo.com cloudbet.com efarma.nl flexispy.com hypereddit.com plein.nl royalroad.com ticketswap.com

Services

Choose a focused engagement or combine for full coverage.

01

14-Day Penetration Test

Black/Gray-box testing across Web, API and business logic with prioritized remediation plan and retest.

  • OWASP Top 10 & Business Logic
  • API/GraphQL, Auth & Access Control
  • Reporting ready for PCI DSS / SOC 2
02

SOC-as-a-Service

24/7 monitoring, alerts and incident response playbooks tailored to your stack.

  • Asset & log collection (SIEM-ready)
  • Threat detection & triage
  • Monthly posture reports
03

Compliance Readiness

Gap assessments and remediation guidance for GDPR, PCI DSS and SOC 2.

  • Policies & procedures templates
  • Vendor risk & data mapping
  • Audit preparation support

How we work

A sharp, repeatable process that delivers actionable results.

01

Recon

Asset discovery, threat modeling and scope confirmation.

02

Exploitation

Manual and automated testing of web applications, APIs and business logic to find real risks, plus analysis of the network perimeter.

03

Reporting

Clear fixes with severity, impact, reproduction and code-level details.

04

Retest

Validate patches and provide a compliance-ready attestation letter.

Case Studies

Anonymized real incidents. Company names and sensitive artifacts removed in this public version.

FinTech • Web & API

Full DB access in 6 hours prevented

Chained IDOR + weak JWT validation enabled pivot to admin API. Fixes eliminated the vector within 48 hours.

  • Impact: potential exposure of 1.1M records
  • Time to remediate: 2 days
  • Outcome: Passed SOC 2 audit
E-commerce • Checkout

Payment flow logic flaw (race condition)

A race condition let the same coupon be applied more than once by timing concurrent redemption requests, producing free orders. PoC + WAF rules shipped; business impact neutralized.

  • Impact: revenue loss risk ~ $250k/mo
  • Fix: atomic server checks + idempotency
  • Outcome: chargeback rate ↓ 72%
HealthTech • Cloud

S3 misconfig with PHI exposure

Public buckets with backups holding PHI. Bucket policies & KMS implemented; CI drift checks added.

  • Records at risk: ~320k
  • Outcome: GDPR / HIPAA alignment
  • Retest: passed
Retail • Subdomain

Exposed config → full repository copy

On a tire retail & service subdomain we found an exposed config.json containing Git credentials, allowing a full clone of the website codebase and assets.

  • Impact: source code & secrets exposure
  • Fix: revoke keys, CI secret scanning, block indexing
  • Outcome: rotation within 24h
iGaming • Payments

Race condition → negative balances

In a P2P exchange module, a race condition let the same exchange request execute multiple times, pushing accounts negative and multiplying fiat payouts.

  • Risk: multi-million monthly losses
  • Fix: idempotency keys + ledger locks
  • Outcome: issue neutralized in prod in 48h
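The pattern behind this case, as an added example that is not the page's or the client's code: a check-then-act exchange handler that reads a balance, decides, and then overwrites it, beside a version that combines an idempotency key, a ledger write lock (`BEGIN IMMEDIATE`) and a conditional single-statement debit. The SQLite schema, the account balance of 100, the payout amount of 60 and the request keys are all constructed for the demo; a barrier lines the threads up on the race window so the outcome is deterministic.

```python
import os
import sqlite3
import tempfile
import threading

AMOUNT = 60   # fiat payout requested by each exchange request (constructed)


def fresh_ledger():
    """Throw-away SQLite ledger with one account funded with 100 (constructed)."""
    path = os.path.join(tempfile.mkdtemp(), "ledger.db")
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE accounts(id INTEGER PRIMARY KEY, balance INTEGER NOT NULL);
        CREATE TABLE payouts(id INTEGER PRIMARY KEY AUTOINCREMENT,
                             account INTEGER NOT NULL, amount INTEGER NOT NULL);
        CREATE TABLE idempotency(key TEXT PRIMARY KEY, result TEXT NOT NULL);
        INSERT INTO accounts VALUES (1, 100);
    """)
    con.commit()
    con.close()
    return path


def exchange_vulnerable(path, account, amount, barrier):
    """Check-then-act: read the balance, decide, then overwrite it."""
    con = sqlite3.connect(path, timeout=10)
    balance = con.execute("SELECT balance FROM accounts WHERE id = ?",
                          (account,)).fetchone()[0]
    barrier.wait()                     # every in-flight request saw the same balance
    if balance < amount:
        return "insufficient"
    # Each request writes the value *it* computed: the debit lands once,
    # but every request still emits its own payout.
    con.execute("UPDATE accounts SET balance = ? WHERE id = ?", (balance - amount, account))
    con.execute("INSERT INTO payouts(account, amount) VALUES (?, ?)", (account, amount))
    con.commit()
    return "paid"


def exchange_safe(path, account, amount, idem_key, barrier=None):
    """Idempotency key + ledger lock + conditional debit, in one transaction."""
    con = sqlite3.connect(path, timeout=10, isolation_level=None)  # manual txns
    if barrier is not None:
        barrier.wait()
    con.execute("BEGIN IMMEDIATE")     # take the write lock before reading anything
    try:
        prior = con.execute("SELECT result FROM idempotency WHERE key = ?",
                            (idem_key,)).fetchone()
        if prior is not None:          # replayed request: stored answer, no second debit
            con.execute("COMMIT")
            return prior[0]
        cur = con.execute("UPDATE accounts SET balance = balance - ? "
                          "WHERE id = ? AND balance >= ?", (amount, account, amount))
        if cur.rowcount == 1:          # debit succeeded atomically, so pay out
            con.execute("INSERT INTO payouts(account, amount) VALUES (?, ?)",
                        (account, amount))
            result = "paid"
        else:
            result = "insufficient"
        con.execute("INSERT INTO idempotency(key, result) VALUES (?, ?)", (idem_key, result))
        con.execute("COMMIT")
        return result
    except Exception:
        con.execute("ROLLBACK")
        raise


def run_concurrent(fn, arg_sets):
    """Fire every call at once; the shared barrier is passed as the last argument."""
    barrier = threading.Barrier(len(arg_sets))
    results = [None] * len(arg_sets)

    def worker(i, args):
        results[i] = fn(*args, barrier)

    threads = [threading.Thread(target=worker, args=(i, a)) for i, a in enumerate(arg_sets)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def ledger_state(path):
    con = sqlite3.connect(path)
    balance = con.execute("SELECT balance FROM accounts WHERE id = 1").fetchone()[0]
    paid = con.execute("SELECT COALESCE(SUM(amount), 0) FROM payouts").fetchone()[0]
    return balance, paid


def demo_vulnerable(n=3):
    path = fresh_ledger()
    run_concurrent(exchange_vulnerable, [(path, 1, AMOUNT)] * n)
    return ledger_state(path)          # (40, 180): debited once, paid out three times


def demo_safe_replay(n=3):
    path = fresh_ledger()
    run_concurrent(exchange_safe, [(path, 1, AMOUNT, "req-7f3a")] * n)
    return ledger_state(path)          # (40, 60): replays return the recorded result


def demo_safe_distinct(n=3):
    path = fresh_ledger()
    res = run_concurrent(exchange_safe, [(path, 1, AMOUNT, f"req-{i}") for i in range(n)])
    return ledger_state(path), sorted(res)   # ((40, 60), [insufficient, insufficient, paid])
```

The conditional `UPDATE ... WHERE balance >= ?` is what stops the balance going negative even without the lock; the lock and the idempotency table are what stop a retried or replayed request from paying out twice. On a production database the same shape is `SELECT ... FOR UPDATE` or a unique-key insert of the request id inside the transaction.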
iGaming • Wallet top-up

Price tampering on USDT deposits

Parameter tampering in the top-up flow allowed arbitrary crediting (e.g., $30 → $10,000) without server-side validation.

  • Fix: server-side pricing & HMAC on payload
  • Outcome: abuse blocked; audit added
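What "server-side pricing & HMAC on payload" looks like in code, as an added example rather than the client's implementation: the server chooses the amount from its own price table and signs the invoice fields; the crediting step recomputes the HMAC over the canonical payload, ignores any client-supplied amount, and refuses a replayed nonce. The package names, prices, key handling and field names are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)                         # server-only secret (constructed)
PRICE_TABLE_USDT = {"starter": "30.00", "pro": "100.00"}    # hypothetical packages
_seen_nonces = set()                                         # replay guard (in-memory for demo)


def _canonical(payload: dict) -> bytes:
    # Sorted keys, no whitespace: one byte encoding per set of fields, so the
    # client cannot present a second encoding that verifies but parses differently.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _sign(payload: dict) -> str:
    return hmac.new(SERVER_KEY, _canonical(payload), hashlib.sha256).hexdigest()


def create_invoice(user_id: str, package: str) -> dict:
    """The client picks a package; the server decides what it costs."""
    if package not in PRICE_TABLE_USDT:
        raise ValueError("unknown package")
    body = {"user": user_id, "package": package,
            "amount_usdt": PRICE_TABLE_USDT[package],
            "nonce": secrets.token_hex(8)}
    return {**body, "sig": _sign(body)}


def credit_vulnerable(request: dict):
    """The flawed shape: credits whatever amount the request carries."""
    return ("credited", request["amount_usdt"])


def credit_signed(request: dict):
    """Credits only what the server signed; tampering or replay is rejected."""
    body = {k: v for k, v in request.items() if k != "sig"}
    expected = _sign(body)
    if not hmac.compare_digest(expected, str(request.get("sig", ""))):
        return ("rejected", None)              # any altered field breaks the MAC
    if body["nonce"] in _seen_nonces:
        return ("rejected", None)              # same signed invoice presented twice
    _seen_nonces.add(body["nonce"])
    return ("credited", body["amount_usdt"])


def demo():
    invoice = create_invoice("user-42", "starter")
    tampered = {**invoice, "amount_usdt": "10000.00"}   # the $30 -> $10,000 edit
    return {
        "vulnerable_tampered": credit_vulnerable(tampered),
        "signed_tampered": credit_signed(tampered),
        "signed_genuine": credit_signed(invoice),
        "signed_replayed": credit_signed(invoice),
    }
```

The MAC covers the whole body, so changing `user` or `package` fails the same way as changing the amount. For a real deposit flow the nonce set belongs in the database with the invoice, and the payment provider's callback should be verified with the provider's own signature before any of this runs.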
HealthTech • MSSQL

Time-based SQLi → code execution

A time-based SQL injection with stacked queries on MSSQL led to code execution on a Windows host (AnyDesk dropped; full server control under coordinated response).

  • Risk: PHI exposure & infrastructure takeover
  • Fix: parameterized queries, least privilege
  • Outcome: dangerous procedures disabled
Telecom/VoIP • Admin

Blind XSS → admin takeover

A blind XSS in the email field during checkout executed in the admin panel, leading to session hijack and full admin access with 20M+ PII in scope.

  • Fix: output encoding, CSP, input validation
  • Outcome: incident averted; CSP enforced
Cloud • SSRF chain

SSRF → cloud creds exfiltration → control

A server-side request forgery in a PDF renderer was chained to the cloud instance metadata endpoint, exposing the instance's temporary credentials; those credentials then gave access to storage and queue services across the account.

  • Risk: data lake exfiltration, service disruption
  • Fix: IMDSv2/headers, egress ACLs, SSRF filters
  • Outcome: tenant isolation verified
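An "SSRF filter" for a renderer that fetches user-supplied URLs, as an added example (not the client's code): it allows only http/https, rejects credentials in the URL, resolves the hostname and refuses any address in loopback, link-local, RFC 1918, CGNAT or unique-local IPv6 space, unwrapping IPv4-mapped IPv6 forms so `::ffff:169.254.169.254` is caught too. The resolver is injected and backed by a constructed table, so the check runs offline; the hostnames and addresses are made up.

```python
import ipaddress
from urllib.parse import urlsplit

# Address space the renderer must never fetch from (policy constructed for the demo).
# 169.254.0.0/16 covers the IPv4 metadata endpoint; fc00::/7 covers AWS's fd00:ec2::254.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed DNS table standing in for the real resolver.
FAKE_DNS = {
    "invoices.example.com": ["203.0.113.10"],
    "internal.corp.example": ["10.0.4.7"],
    "rebind.attacker.example": ["203.0.113.20", "169.254.169.254"],
}


def fake_resolver(host):
    return FAKE_DNS.get(host.lower(), [])


def is_blocked(ip):
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped           # ::ffff:a.b.c.d is still a.b.c.d on the wire
    return any(ip in net for net in BLOCKED)


def check_fetch_target(url, resolver=fake_resolver):
    """Return (allowed, reason) for a URL the renderer has been asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = parts.hostname              # lower-cased, brackets stripped for IPv6 literals
    if not host:
        return False, "no host"
    try:
        addresses = [ipaddress.ip_address(host)]       # literal address
    except ValueError:
        addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        if not addresses:
            return False, "unresolvable"
    for ip in addresses:
        if is_blocked(ip):             # one bad record is enough to refuse the whole name
            return False, f"{ip} is in a blocked range"
    return True, "ok"
```

Two caveats a filter like this does not remove on its own: the HTTP client must connect to the addresses this check resolved (pin them, or resolve once inside the client) so a DNS rebind cannot swap in the metadata address after the check, and it must not follow redirects without re-running the check on each hop. Turning on IMDSv2 with a hop limit of 1 and egress ACLs on the renderer's subnet are the layers that catch what a filter misses.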

Our Team


Marat B.

Lead Security Researcher (since 2010)
  • Focus: Web/API, auth, business logic
  • Bug bounty & responsible disclosure

Ghennadi T.

Team Leader
  • Chief Executive Officer
  • Founder of CyberSafety.pro with over 12 years of experience in penetration testing, threat intelligence, and cyber risk management. Has led 500+ successful security engagements for clients in FinTech, e‑commerce, SaaS, and critical infrastructure.

Ben H.

Senior Penetration Tester
  • Experience: Since 2010 in testing web applications, APIs, and mobile apps.
  • Skills: OWASP Top 10, API Security, GraphQL, SSRF, SQLi, XSS, IDOR, RCE.
  • Tools: Burp Suite Pro, Nmap, Nessus, Metasploit, Kali Linux, custom Python/Go exploits.
  • Projects: Security audits for banks, e-commerce platforms, telecom providers, and government portals.

Lina K.

Senior Application Security Engineer
  • Secure code reviews & SAST/DAST
  • OWASP ASVS, threat modeling

Li Wei

Senior Red Team Operator
  • Experience: Since 2010 in red teaming, APT simulations, and social engineering tests.
  • Skills: Phishing, Spear-Phishing, Initial Access, Lateral Movement, Persistence, AD Security.
  • Tools: Cobalt Strike, Empire, BloodHound, Mimikatz, custom C2 frameworks.
  • Projects: Full-scale red team operations for critical infrastructure, financial institutions, and large-scale retail.

Sara M.

Cloud Security Architect
  • AWS/Azure hardening & IAM
  • KMS, network segmentation

Sergey K.

Senior Infrastructure & Cloud Security Specialist
  • Experience: Since 2010 in corporate network and cloud security testing (AWS, Azure, GCP).
  • Skills: Network Pentest, Internal/External Assessments, Cloud Misconfigurations, Privilege Escalation, Container/Kubernetes Security.
  • Tools: AWS CLI, ScoutSuite, Pacu, kube-hunter, Nessus, custom bash/Python tooling.
  • Projects: Securing data centers, SaaS cloud platforms, and multi-cloud environments.

Julia R.

Security Program Manager
  • Roadmaps, KPIs, audit readiness
  • Vendor & risk management

Omar A.

Threat Intelligence Lead
  • Dark web monitoring & TTPs
  • Brand protection & takedowns

Pricing

Transparent, engagement-based pricing.

Pentest • 14 days
from $4,000
  • Web + API + Business Logic + Network perimeter
  • Remediation plan & retest
  • Compliance letter
Request scope
SOC-as-a-Service
from $2,200/mo
  • 24/7 monitoring & alerting
  • IR playbooks & monthly reports
  • SIEM-ready integrations
Get a quote
Compliance Readiness
custom
  • GDPR / PCI DSS / SOC 2
  • Policies & controls mapping
  • Audit preparation
Discuss needs

Get in touch

Prefer email? Write to info@cybersafety.pro. Or use the form — it will open your mail client with a pre-filled message.

  • Signed NDA available on request
  • We typically respond within 24–48 hours
