Answers

Frequently asked

What engagements look like, how we work, and how to reach us securely.

What kind of security work do you do?

Offensive security research. We start by mapping your entire attack surface: the exposed and forgotten infrastructure most teams don't know they have. From there we go deep across AI and agent systems, supply chains, and modern web and cloud-native applications. Every engagement is manual and research-driven: we find what's reachable, understand the logic, and reason our way to real impact.

Can you find infrastructure we don't know is exposed?

That's often where we start. We run deep external reconnaissance across your whole internet-facing footprint, using internet-wide scanning and open-source intelligence, to surface forgotten subdomains, shadow IT, staging and admin panels, exposed APIs, and misconfigured services that were never meant to be reachable. Then we prove what an attacker actually does with them. The serious findings usually live in the assets nobody remembered.

How is this different from a scanner or a standard pentest?

Scanners find what they're told to look for. We find what nobody thought to check. You don't get raw tool output. We manually trace trust boundaries, chain low-severity issues into critical ones, and prove exploitability instead of flagging theoretical risk.

Which systems can you test?

Your external attack surface and exposed infrastructure, web apps and APIs, cloud-native infrastructure, CI/CD and supply chains, and AI/LLM and agent systems, including prompt injection into tool-calling chains, agent privilege escalation, and jailbreaks that reach real systems. If it's reachable and has logic worth breaking, we're interested.

How does an engagement work?

Four stages: scoping and threat modeling, deep reconnaissance, controlled exploitation, then reporting and remediation support. We define objectives and boundaries with you up front. No surprises, no scope creep.

What do we get at the end?

A clear technical report with reproducible steps and proof of impact, an executive summary for stakeholders, and concrete remediation guidance. We stay available through your fix cycle and retest when you're ready.

Do you follow responsible disclosure?

Always. Every finding is disclosed responsibly. We give affected vendors adequate time to patch before any public write-up, following coordinated vulnerability disclosure practices.

Do you sign NDAs and keep things confidential?

Yes. Client data and findings stay confidential, and we're glad to work under an NDA. Many of our engagements never become public.

How do we share something sensitive?

Encrypt it. Use our PGP key for any sensitive disclosure or report, and send it to contact@steelgatesec.com. We treat everything you share as confidential.

How fast do you respond, and how do we start?

We typically respond within 24 hours. Reach out through the contact page or over PGP, tell us the scope and timeline you have in mind, and we'll take it from there.

Still have a question?

Let's talk.

If your question isn't here, or you have an engagement in mind that doesn't fit a standard checkbox, reach out. That's exactly the work we want.