Offensive Security · Est. 2020 · Waterloo / London / Calgary

We break it before they do.

We don't scan. We hunt.

0block is an elite penetration testing and offensive security firm. We think like the attacker and report like the engineer — securing web applications, hardware, and blockchain systems for the world's most targeted organizations.

Get a quote View our work

310+ engagements delivered 10 zero-days disclosed · $1B+ assets protected Scroll

Trusted by the most targeted teams in crypto, fintech, and critical infrastructure

NorthVault HeliosPay CryoLabs MeridianHealth Ledgerworks AetherGrid SentinelMobility CobaltExchange Vantatech PolarisDefense

Why 0block

We don't scan.
We hunt.

Automated tooling finds the obvious. We find the chained, business-logic, real-world paths a funded adversary would actually take — then hand you proof, not a noisy PDF.

Manual-first testing

Every engagement is driven by humans, not a scanner license. We don't scan. We hunt. — chaining flaws into the breach a tool would never report.

24-hour critical SLA

Find a critical, you hear about it within 24 hours — never buried until the final report. You start fixing while we keep testing.

Free verified retest

Remediation isn't done until it's proven. Every fix gets a free retest, so "closed" means closed — not "marked resolved."

True attacker mindset

We model your real adversary and your crown jewels, then take the path they would. Your worst day, rehearsed — on our terms, not theirs.

Board-to-bash reporting

One report, two readers: an executive narrative ranked by business risk, and engineer-grade reproduction down to the request and payload.

Canadian-based & data-sovereign

Founded in 2020, operated from Waterloo, London, and Calgary. Engagement data stays in Canada under NDA — sovereign by default, never offshored.

Attack surface we cover

If it can break,
we break it first.

From the browser to the silicon to the chain — one team, one threat model, no handoffs. Fifteen domains we attack in depth:

// 01Web

// 02API

// 03Mobile

// 04Active Directory

// 05AWS · Azure · GCP

// 06Kubernetes

// 07Firmware

// 08RFID · NFC

// 09BLE

// 10Automotive CAN

// 11Solidity · EVM

// 12Cross-chain bridges

// 13MPC · BTC custody

// 14Phishing

// 15Physical intrusion

By the numbers

Proof, not promises.

Six years of adversarial testing. Zero client breaches post-remediation. The receipts:

Engagements delivered

Clients secured — startup to Fortune 100

0B+

Digital assets under protection

Vulnerabilities discovered

Zero-days disclosed · assigned CVEs

Red-team engagements reached objective

Full-time researchers · 20+ certs

0/5

Average client rating

By the numbers

Adversaries don't
send reports. We do.

Six years of receipts. Behind every figure is a closed gap, a coordinated disclosure, or a breach that never happened.

$1B+

Assets protected

Across DeFi protocols, exchanges, and digital-asset custody — value we've stress-tested before an attacker could price it.

3,700+

Vulnerabilities found

Real, exploitable findings — auth bypasses, logic flaws, and full kill-chains — each demonstrated, not just flagged.

Zero-days disclosed

Novel bugs in shipping products, taken through coordinated disclosure to assigned CVEs and vendor fixes.

Breaches post-remediation

Zero client breaches after our findings were fixed and verified on retest. The number we're proudest of.

Capabilities

Six ways
we attack.

Full-spectrum offensive security under one roof — from the browser to the silicon to the chain. Every engagement is manual, chained, and built to prove real business impact.

01 / WEB & APP

Web & Application Testing

Black-, grey-, and white-box testing of web apps, SPAs, REST/GraphQL APIs, mobile, and SaaS multi-tenancy. We exploit auth, access control, injection — and the business-logic flaws scanners never find.

Explore 02 / NETWORK & CLOUD

Network & Cloud Infrastructure

External/internal network testing, Active Directory attack paths — Kerberoasting, ADCS abuse, NTLM relay — segmentation validation, and AWS / Azure / GCP review including Kubernetes breakout.

Explore 03 / HARDWARE & IoT

Hardware, Embedded & IoT

Our lab tears down what others won't: PCB reversing, firmware extraction, JTAG/SWD/UART, secure-boot bypass, side-channel analysis, and voltage/EM fault injection to defeat "secure elements."

Explore 04 / BLOCKCHAIN

Blockchain & Smart Contracts

Solidity / Vyper / Rust audits, EVM internals, DeFi & bridge review, MEV and economic-attack modeling, oracle manipulation — plus Bitcoin & crypto custody, HSM/MPC threshold-signing review.

Explore 05 / RED TEAM

Red Team & Adversary Simulation

Full-scope, objective-based red teaming that models a real, funded adversary: spear-phishing, EDR/SOC evasion, lateral movement, domain dominance, exfiltration — plus physical intrusion and purple-team.

Explore 06 / PTaaS

Continuous Security / PTaaS

Penetration Testing as a Service: a continuous-testing platform with on-demand retests, real-time finding delivery, attack-surface monitoring, and a live remediation dashboard for teams that ship daily.

Explore

Assets we test

Everything you
ship and run.

From the browser to the silicon to the chain — these are the assets we put in scope and attack in depth.

Web Applications & APIs

SPAs, REST and GraphQL endpoints, and multi-tenant SaaS — tested for broken auth, access control, injection, and business-logic flaws.

Mobile Applications

iOS and Android binaries plus their backends — reverse engineering, insecure storage, cert pinning, and API authorization.

Cloud Infrastructure

AWS, Azure, and GCP configuration, IAM, and Kubernetes — misconfiguration, privilege escalation, and container breakout.

Networks & Internal Infra

External and internal ranges, Active Directory, and segmentation — from initial foothold to domain dominance.

Hardware, IoT & Embedded

PCB teardown, firmware extraction, secure-boot bypass, and fault injection against "tamper-proof" devices.

Smart Contracts & Wallets

Solidity / Vyper / Rust audits, bridges and oracles, plus HSM/MPC custody and threshold-signing review.

Methodology

Five phases.
One objective.

We model your adversary and crown jewels — not a generic checklist. Critical findings hit your inbox within 24 hours, not at the end. Every fix gets a free retest.

01

Scope & Reconnaissance

Rules of engagement, threat-led scoping, OSINT, and full attack-surface mapping before a single packet leaves our lab.

OSINT · ASM
02

Threat Modeling

We model your real adversary and your crown jewels — who attacks you, why, and the paths that actually matter.

Adversary-led
03

Exploitation

Manual, chained exploitation. Real attacks, safely executed. Critical findings reported within 24h — not buried in a final PDF.

< 24h SLA
04

Post-Exploitation & Impact

We prove business impact: exactly what an attacker reaches, moves to, and takes. No theoretical risk — demonstrated risk.

Impact proof
05

Reporting & Remediation

Executive narrative + engineer-grade technical detail, ranked by real risk (CVSS + business context). Free retest to verify every fix.

Free retest

Aligned to PTES · OWASP · NIST SP 800-115 · MITRE ATT&CK · OSSTMM

Featured engagement

From the field.

CRITICAL CS-3 · Hardware

We glitched a wallet
marketed "unhackable."

A consumer cold-storage wallet shipped with a public claim: tamper-proof, secure boot, keys that never leave the device. We brought it into the lab for a full teardown.

Using voltage fault injection during boot, our hardware team bypassed the secure-boot signature check and dumped firmware straight from external flash — recovering enough material to reconstruct the seed on a lab unit. The device's entire security claim, defeated with a glitching rig.

Outcome: the vendor redesigned with a true secure element and encrypted external flash. Our findings drove a public firmware advisory. Coordinated disclosure — 2 CVEs assigned.

Read all case studies

VOLTAGE

Fault-injection vector

SEED

Recovered on lab unit

2 CVE

Coordinated disclosure

$300

Cost of the rig that broke it

Recent advisories

Straight from
the disclosure queue.

A sample of recent findings taken through coordinated disclosure. Sanitized, vendor-fixed, and written up in full on our research desk.

Critical Cross-chain bridge signature replay let a forged validator set drain locked collateral 0B-2026-014 · Blockchain · CVSS 9.8 Read writeup Critical Secure-boot voltage glitch bypassed signature verification and dumped device firmware 0B-2026-009 · Hardware · 2 CVEs Read writeup High ADCS ESC1 misconfiguration escalated a low-priv user to Enterprise Admin 0B-2026-006 · Active Directory · CVSS 8.8 Read writeup Critical Threshold-ECDSA nonce reuse in an MPC wallet leaked the master signing key 0B-2026-003 · MPC Custody · CVSS 9.1 Read writeup High GraphQL introspection plus broken object-level auth exposed cross-tenant records 0B-2025-061 · Web & API · CVSS 8.2 Read writeup

All advisories published under coordinated disclosure — vendor-fixed before release. Full research desk

What clients say

The gold
standard.

Clear enough for the board, deep enough for the engineers. Here's what security leaders say after the report lands.

0block found in three days what two prior vendors missed in a year. Their report is the gold standard we hold others to.

CISO, major crypto exchange

The hardware team extracted keys from a device we shipped as tamper-proof. Terrifying — and the single most valuable week of engineering feedback we've ever received.

VP of Engineering, IoT Manufacturer

They got Domain Admin in an afternoon, then sat with our blue team for a week so it could never happen again. That's the difference.

Director of Security, Series C SaaS

Clear enough for the board, deep enough for the engineers. Rare.

CTO, Fintech

Accreditations & compliance

SOC 2 Type II ISO 27001-aligned CREST-aligned methodology PCI-DSS ASV & Pen Test CHECK-equivalent OWASP NIST MITRE ATT&CK PTES OSSTMM

Industries we defend

The attack
you can survive.

From crypto exchanges to hospital networks to defense suppliers — when an organization can't afford to be wrong, they bring us in first.

NorthVault HeliosPay CryoLabs MeridianHealth Ledgerworks AetherGrid SentinelMobility CobaltExchange Vantatech PolarisDefense

Crypto Exchanges & DeFi

Smart-contract audits, bridge and oracle review, MEV modeling, and hot/cold custody — where a single bug is an instant, irreversible loss.

Fintech

Payment rails, ledger integrity, and API authorization tested against fraud, account takeover, and the logic flaws that move money.

Healthcare

PHI exposure, medical-device and HL7/FHIR interfaces, and segmentation — protecting patient data and the systems patients depend on.

SaaS

Multi-tenancy isolation, RBAC, and continuous PTaaS coverage for teams shipping daily — so a new release never opens a new door.

Manufacturing & IoT

Firmware teardown, secure-boot and fault-injection work, plus OT/ICS and BLE/RFID review of the devices and lines you ship.

Government & Defense

Adversary-grade red teaming and supply-chain review for sovereign and critical systems, under strict authorization and clearance.

Frequently asked

Before you
scope.

The questions security and engineering leaders ask us most. Have one that isn't here? A scoping call answers it in fifteen minutes.

Q1 How fast can you start?

Most standard engagements kick off within one to two weeks of a signed scope and authorization. We hold dedicated slots for incident-driven and urgent work — if you're mid-fire, tell us on the scoping call and we'll triage you to the front of the queue.

Q2 Do you test production safely?

Yes. We routinely test production under tightly agreed rules of engagement, with destructive actions explicitly carved out and a live comms channel to your team throughout. Where downtime risk is real, we mirror to staging or run a controlled window — your uptime is part of the scope, not an afterthought.

Q3 Is a retest included?

Always. Every engagement includes a free verified retest of your remediations. We re-run the original attack paths and confirm each finding is actually closed — then issue an updated, attestation-ready report you can hand to customers, auditors, or your board.

Q4 Do you work under written authorization and sign NDAs?

Without exception. No testing begins without a signed contract and explicit written authorization, and we sign mutual NDAs as standard. Engagement data is handled under strict confidentiality and kept data-sovereign in Canada — we never condone or perform unauthorized access.

Q5 Startups or enterprise?

Both. We scope from a focused single-app test for a seed-stage startup to multi-quarter, multi-team red-team programs and continuous PTaaS for the Fortune 100. The methodology is the same at every size — only the surface and depth change.

Q6 What do I get at the end?

A report built for two audiences: an executive narrative ranked by real business risk, and engineer-grade technical detail with full reproduction steps, evidence, and prioritized remediation. Critical findings reach you within 24 hours during the test, you get a live readout at the end, and a free retest closes the loop.

The attack you can survive

Find it first.

If there's a way in, we'll find it before an adversary does — and hand you the map to close it. Response within one business day.

Request a scoping call See all services