SK · v0.1 — 2026

Adversarial testing for modern software and the models behind it.

We break web apps, APIs, and AI systems — before the bad guys do. Quietly, and with receipts.

Vulnerabilities reported to

Three disciplines.
One adversarial mindset.

/ Services — 01 / 03

01 — APPSEC

Web & API security testing

Deep-context assessments of production web platforms and APIs. We find what scanners miss.

  • OAuth misconfigs & token forgery
  • Race conditions & business-logic flaws
  • SSRF, IDOR, deserialization chains
  • — and more

02 — AI / LLM

AI & LLM security testing

Red-teaming for production agents, RAG pipelines, and model-backed features — the way attackers do it.

  • Prompt injection & jailbreaks
  • Agent & tool-use exploitation
  • RAG / context poisoning
  • — and more

03 — CODE

Security code review

Manual review of source code for logic flaws, dangerous patterns, and architectural weaknesses that dynamic testing alone can't surface.

  • Taint flow to dangerous sinks
  • Hardcoded secrets & leaked key material
  • Supply chain & dependency risk
  • — and more

Small team.
Senior practitioners only.

/ Team — 01 / 01

Vitor Falcão

Founder · @busfactor

Bug bounty hunter and vulnerability researcher focused on web, cloud, and AI. Founder of Sekkai Labs.

2026 Google bugSWAT LHE 2nd place
2025 Google bugSWAT LHE 2nd place
2025 Google VRP Best AI researcher

Start an engagement.

/ Contact — 01