AI-generated code ships fast and breaks faster. No auth. No rate limiting. API keys in the frontend. Personal data exposed within hours of launch. We find every gap before someone else does — using the same convergence method that secures our own infrastructure.
Senator Edwin Sifuna launched a political registration platform on March 13, 2026. Within hours, 7,000 Kenyans signed up. Within hours, it was also hacked — personal data leaked on social media, the site pulled offline, and volunteer IT experts flown in from London and Washington to fix it.
The platform collected names, phone numbers, emails, voter registration status, and KSh 10 M-Pesa payments. Screenshots of users' personal information appeared on social media the same day.
The real cost isn't technical. 7,000 citizens trusted a platform with their personal data, voter status, and payment information. That trust was broken on day one. The reputational damage to the Linda Mwananchi movement — regardless of who attacked it — is permanent for those 7,000 people. A pre-launch security audit costs a fraction of what this incident cost.
Whether this was a state-sponsored attack or opportunistic hacking doesn't matter. These vulnerabilities exist in every site launched without a security review. Here's what we look for.
Unprotected API endpoints returning user records. No authentication on admin routes. Database queries injectable via form inputs. Personal data accessible to anyone who knows the URL pattern.
Sites built under time pressure often skip auth entirely or implement it client-side only. "It worked in dev" becomes "everyone can see everything" in production.
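An added example (not code from the page or from the audited platform) of the gap described above: a user-record route as a vibe-coded app often ships it, beside the server-side checks that should gate it. The users, session tokens and request shapes are constructed for illustration.

```javascript
// Added example (not from the page or the audited platform): a user-record
// route as a vibe-coded app often ships it, beside the server-side checks that
// should gate it. Users, sessions and tokens are constructed for illustration.
const USERS = {
  101: { id: 101, name: "Asha", phone: "+254700000001", voterStatus: "registered" },
  102: { id: 102, name: "Brian", phone: "+254700000002", voterStatus: "pending" },
};
// Opaque session tokens resolved on the server; a real app keeps these in a store.
const SESSIONS = {
  "tok-asha": { userId: 101, role: "user" },
  "tok-admin": { userId: 1, role: "admin" },
};

// BEFORE: the "are you logged in?" check lived only in the frontend, so the
// route itself trusts every request. Anyone who guesses /api/users/<id> gets
// the full record, phone number included.
function getUserVulnerable(req) {
  const user = USERS[req.params.id];
  return user ? { status: 200, body: user } : { status: 404, body: null };
}

// AFTER: authenticate, then authorise, then look up, then minimise the response.
function getUserHardened(req) {
  const token = (req.headers.authorization || "").replace(/^Bearer /, "");
  const session = SESSIONS[token];
  if (!session) return { status: 401, body: null };      // no valid server-side session
  const id = Number(req.params.id);
  if (!Number.isInteger(id)) return { status: 400, body: null };
  // Ownership is decided before the lookup, so a non-owner learns nothing
  // about whether the id exists; this is what stops URL-pattern enumeration.
  if (session.role !== "admin" && session.userId !== id) return { status: 403, body: null };
  const user = USERS[id];
  if (!user) return { status: 404, body: null };
  // Return only what the page needs; the phone number stays on the server.
  return { status: 200, body: { id: user.id, name: user.name, voterStatus: user.voterStatus } };
}

// Constructed requests: an anonymous visitor guessing an id, and the record's owner.
const anonRequest = { params: { id: "102" }, headers: {} };
const ownerRequest = { params: { id: "101" }, headers: { authorization: "Bearer tok-asha" } };
```

The same three questions (who is asking, may they see this record, which fields do they need) apply to every route that touches citizen data, not just this one.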
No CDN. No rate limiting. No auto-scaling. A single-origin server handling registration, payment, and database queries — one traffic spike and it's over.
API keys, database credentials, payment gateway tokens — hardcoded in JavaScript files visible to anyone who opens browser dev tools. The #1 vibe-coding sin.
Collecting M-Pesa payments alongside personal data without PCI compliance, data encryption at rest, or proper payment gateway integration. One breach exposes financial data.
The team didn't know they were being attacked until screenshots appeared on social media. No logging, no anomaly detection, no real-time alerts.
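An added example (not from the page) of the kind of alert the paragraph above says was missing: a small detector that walks access-log lines and flags any client that reads many distinct user records in a short window. The log format, field names and thresholds are assumptions, and the log lines are constructed.

```javascript
// Added example (not from the page): flags a client that walks /api/users/<id>
// record by record, the symptom behind "screenshots appeared on social media".
// Log format, field names and thresholds are assumptions; lines are constructed.
const SAMPLE_LOG = `
203.0.113.9 [2026-03-13T10:02:01Z] GET /api/users/1 200
203.0.113.9 [2026-03-13T10:02:01Z] GET /api/users/2 200
203.0.113.9 [2026-03-13T10:02:02Z] GET /api/users/3 200
198.51.100.4 [2026-03-13T10:02:02Z] GET /api/users/41 200
203.0.113.9 [2026-03-13T10:02:02Z] GET /api/users/4 200
203.0.113.9 [2026-03-13T10:02:03Z] GET /api/users/5 200
198.51.100.4 [2026-03-13T10:02:05Z] POST /api/register 201
`.trim();

const LINE = /^(\S+) \[([^\]]+)\] (\S+) (\S+) (\d{3})$/;
const USER_ROUTE = /^\/api\/users\/(\d+)$/;

function parseLine(line) {
  const m = LINE.exec(line);
  return m ? { ip: m[1], ts: m[2], method: m[3], path: m[4], status: m[5] } : null;
}

// A legitimate user reads one record (their own). Any client that successfully
// reads `threshold` or more distinct ids within `windowSeconds` is reported.
function findEnumerators(log, { threshold = 5, windowSeconds = 60 } = {}) {
  const byIp = new Map();
  for (const raw of log.split("\n")) {
    const e = parseLine(raw.trim());
    const r = e && USER_ROUTE.exec(e.path);
    if (!r || e.status !== "200") continue;        // only successful record reads count
    const hits = byIp.get(e.ip) || [];
    hits.push({ t: Date.parse(e.ts) / 1000, id: r[1] });
    byIp.set(e.ip, hits);
  }
  const alerts = [];
  for (const [ip, hits] of byIp) {
    hits.sort((a, b) => a.t - b.t);
    for (let i = 0; i < hits.length; i++) {        // sliding window from each hit
      const ids = new Set();
      for (let j = i; j < hits.length && hits[j].t - hits[i].t <= windowSeconds; j++) ids.add(hits[j].id);
      if (ids.size >= threshold) { alerts.push({ ip, distinctIds: ids.size }); break; }
    }
  }
  return alerts;
}
```

Wired to the web server's access log and an alerting channel, this is the difference between learning of a leak from your own dashboard and learning of it from a screenshot.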
We don't run a scanner and hand you a PDF. Our audits use convergent analysis — automated tools AND manual review independently examine the same surface. When both find the same issue, you can trust it. When they disagree, that's where the interesting vulnerabilities hide.
Every endpoint, every form, every API route, every third-party integration. We build a complete inventory of what's exposed before testing anything.
Path A: automated scanning (OWASP ZAP, nuclei, custom scripts). Path B: manual penetration testing by a human. Two independent observers, same target.
Every finding gets a severity rating, reproduction steps, and a specific fix. Not "you have a vulnerability" — "here's the exact line of code and here's the patch."
We don't just hand you a report and leave. We implement the critical fixes, verify the patches, and re-test. Your site launches hardened, not hopeful.
Every finding with severity, reproduction steps, affected endpoints, and recommended fix. Prioritised by blast radius — what can hurt you most, fixed first.
We don't just find problems. Critical and high severity issues get fixed as part of the audit. You get pull requests, not just paragraphs.
DNS, CDN, WAF, rate limiting, DDoS protection, origin shielding, TLS configuration. The boring stuff that stops you going offline.
Uptime monitoring, error alerting, and anomaly detection so you know when something is wrong before your users tell you on Twitter.
Registration platforms, donation sites, volunteer coordination. Collecting citizen data during elections makes you a target. The 2027 election is coming.
MVP shipped by a vibe-coder or outsourced dev team. You don't know what's in the code. Neither did they.
M-Pesa integrations, lending platforms, savings apps. Financial data exposure isn't just embarrassing — it's criminal liability.
Beneficiary data, health records, community surveys. The people you serve are often the most vulnerable to data exposure.
Kenya's government websites were hacked in November 2025. Business Registration Service leaked presidential data in February. The pattern is clear.
Cursor, v0, Bolt, Lovable, Claude — they write functional code, not secure code. The gap between "it works" and "it's safe" is where breaches live.
Every engagement includes the vulnerability report, infrastructure review, and critical fixes. The only question is how deep you need us to go.
You're about to launch. You need to know what's exposed before the public does. Fast turnaround, focused on what matters most.
The full package. We find everything, fix everything critical and high, set up monitoring, and verify the fixes hold. You launch hardened.
For platforms that stay live — political campaigns, fintech, government portals. Monthly scans, real-time alerting, and incident response.
The Linda Mwananchi breach was preventable. Every pre-launch vulnerability is. Get your site audited before launch — or before it's too late.