Onidef · Index · 2026.05 · Warsaw, Poland · OSCP · CISSP · CISA · OSWE

We find the threats before
they find your business.

Onidef is an independent offensive-security firm. We perform adversarial testing, deliver audit-grade compliance, and run a 24/7 response capability — for the teams that cannot afford to learn they were breached on the news.

Aligned with
ISO 27001 · SOC 2 Type II · PCI DSS v4.0 · NIS2 / GDPR · OWASP ASVS L3 · MITRE ATT&CK
01 Services

A complete defensive perimeter — built by people who attack for a living.

Most consultancies sell either offense or paperwork. We deliver both, then close the loop with the engineering and monitoring required to keep the result intact. Every engagement is led by a senior practitioner — never a project manager.

They acted like part of our engineering team — not like a vendor checking boxes. We shipped SOC 2 in fourteen weeks.
Helena Marsh VP Engineering · a Series-B FinTech
02 Why Onidef

Four principles we will not negotiate on.

Our offer is narrow on purpose. We turn down work that does not fit because the alternative — generic, undifferentiated security consulting — has been failing organizations for two decades.

  1. P / 01
    Senior-only engagement teams
    Every test, every audit, every incident is led by a practitioner with at least ten years of operator experience. We do not staff with juniors and bill seniors. If you meet our lead on the kickoff, you keep them through delivery.
  2. P / 02
    Findings that survive scrutiny
    Each vulnerability is reproduced with documented evidence — and a working remediation path written by someone who could have shipped the fix themselves. No theoretical risk dressed up as critical.
  3. P / 03
    Compliance as engineering, not theatre
    We build control frameworks that pass external audits and continue to hold when nobody is looking. Evidence is produced once and reused across ISO, SOC 2, PCI and GDPR — not re-collected every quarter.
  4. P / 04
    A standing relationship, on retainer
    The work is rarely done. Threat models change, codebases mutate, regulators issue new guidance. Our retainer keeps a named team available for the question you have at 17:00 on a Friday.
03 Impact

A small firm with an unreasonable record.

Selected metrics across active and concluded engagements as of Q2 2026. Detailed case studies available under NDA.

247+ Engagements delivered Web, network, cloud & red team — since 2021.
100% Senior-led engagements Every lead, every report, every fix — written by an operator.
< 4 hours Critical response SLA Median first-action time across all retained clients.
0 Post-engagement breaches Across all clients still under our continuous program.
04 Methodology

Six stages, repeated until the report would survive a deposition.

Each engagement is structured around the same backbone. Specific tactics, techniques and procedures vary; the discipline does not.

  1. 01 · SCOPE
    Scoping & rules of engagement
    We define crown-jewel assets, attack windows, escalation channels and legal authorisation in writing — before a single packet leaves our lab.
  2. 02 · RECON
    Reconnaissance & intelligence
    Passive and active mapping of the real attack surface, including third-party dependencies, exposed credentials and infrastructure drift.
  3. 03 · ATTACK
    Exploitation & lateral movement
    Manual exploitation of identified weaknesses, chained where credible. We pursue impact — not vulnerability counts.
  4. 04 · REPORT
    Reporting & reproducibility
    Two reports: an executive narrative for the board, and a technical dossier in which every finding is reproducible by your engineers.
  5. 05 · REMEDIATE
    Remediation support
    We pair with your engineers through the fix. Where helpful, we write the patch ourselves and submit a pull request.
  6. 06 · RETEST
    Retest & attestation
    Closed findings are independently retested. A signed attestation letter is delivered for use with customers, partners and regulators.

Start with a conversation, not a proposal.

Tell us where you are. We will either propose a focused engagement, recommend you wait, or refer you to a firm we trust. No procurement gauntlet.