Engineers who think like attackers.

A Canadian boutique founded in 2020 in Waterloo, Ontario, with offices in Waterloo, London, and Calgary. We are confident, precise, and allergic to fluff — engineers writing for engineers and the executives who trust them.

Since 2020, 0block has done one thing relentlessly well: find the way in before an adversary does — across web, hardware, and the chain.

0block was founded in 2020 in Waterloo, Ontario by a tight crew of operators who were tired of "penetration tests" that were really vulnerability scans with a logo on the cover. We had all sat through the same theatre — a tool runs, a template fills in, a PDF ships, and nothing an actual attacker would do ever gets tested. So we built the opposite: manual, chained, adversary-led engagements that prove real business impact and read like the work of people who actually break things.

We are offensive-only by design. We don't sell the defensive products we'd be grading, and we don't pad scopes with managed services — the entire firm exists to think like the attacker and write like the engineer. We planted that firm in Canada on purpose: Waterloo sits on one of the deepest security and systems-engineering talent pools in the world, and Canadian data-sovereignty law lets regulated clients keep sensitive testing artefacts under a single, predictable jurisdiction instead of scattered across borders.

Six years on, that single cell has grown into a Canadian firm of 7 full-time researchers holding 20+ offensive certifications, with offices in Waterloo, London, and Calgary, a hardware lab that tears down "unhackable" devices, and a cryptography practice that has reviewed protocols holding $1B+ in value. We've delivered 310+ engagements for 120+ clients, disclosed 10 zero-days with assigned CVEs, and reached objective in 100% of our red-team operations. Most importantly: zero client breaches post-remediation. That number is the whole point — and it is the mission we measure ourselves against.

Adversaries don't send reports. We do.

— 0block · the operating principle, since 2020
The road so far

Six years on the offensive.

From a single cell in Waterloo to three Canadian offices — every milestone is one more "unbreakable" thing we broke first.

2020: Founded in Waterloo (Year 0)

A handful of ex-CERT and red-cell operators incorporate 0block in Waterloo, Ontario — offensive-only, manual-first, no defensive products to grade.

2021: First $100M+ in assets protected (Traction)

Word-of-mouth from the first exchange and fintech engagements crosses nine figures in customer assets actively defended by our findings.

2022: Hardware lab opens (Silicon)

We stand up a dedicated bench for side-channel and fault-injection work — secure elements, HSMs, and "tamper-proof" devices stop being off-limits.

2023: London office · 10th CVE disclosed (Expansion)

A second office opens in London, Ontario to be closer to our growing client base, the same year we coordinate the disclosure of our tenth assigned CVE.

2024: First $1B-TVL protocol audit (Scale)

Our cryptography practice reviews its first single protocol securing more than a billion dollars in total value locked — end to end, by hand.

2025: Calgary office (Coast to coast)

A third Canadian office opens in Calgary, extending coverage into energy and critical-infrastructure clients across Western Canada.

2026: 120+ clients · 6 years on the offensive (Today)

Six years in, three offices, 120+ clients served, 10 CVEs disclosed — and still zero client breaches post-remediation. The number that matters.

Inside the hardware lab

Where "secure elements" fail.

The bench in Waterloo exists to disprove the marketing on the box. If a chip claims to be tamper-proof, this is where we find out.

01. ChipWhisperer rigs

Power-analysis and clock/voltage fault-injection benches that pull keys and skip security checks on "protected" microcontrollers and secure elements.

02. Logic analyzers

High-channel-count capture across SPI, I²C, JTAG, SWD, and UART to map debug surfaces and silent buses vendors swore were locked down.

03. X-ray imaging

Non-destructive board and package imaging to find hidden test pads, unmarked dies, and the via you were never supposed to reach.

04. Micro-probing station

A motorized probing rig for decapped parts — landing on individual bond wires and on-die traces to read and inject where firmware can't see.

05. Voltage & EM glitching

Custom voltage and electromagnetic glitching platforms that corrupt single instructions on demand to defeat secure boot and lifecycle locks.

06. Firmware teardown

Dumped flash meets static and dynamic analysis — we reverse the stack, emulate it, and chain the silicon bug into a real, demonstrable compromise.

What we stand for

How we operate.

Four principles that decide every engagement, every report, and every line of disclosure we publish.

01. Manual over automated

Scanners find the easy 20%. We find the business-logic flaws, chained exploits, and crown-jewel paths that tools never will — by hand, the way a real attacker would.

02. Impact, not noise

We don't ship a 200-page wall of "informational" findings. We prove what an attacker reaches and takes, ranked by real risk: CVSS plus your actual business context.

03. Authorization, always

0block performs security testing exclusively under signed contract and explicit written authorization. We do not condone unauthorized access. Ethics are not optional.

04. Privacy by design

Operator identities are protected by design — handles, not headshots. Named references are available to clients under NDA. The work speaks; the operators stay quiet.

Why we're not a scanner with a logo

How we're different.

Plenty of firms will sell you a clean dashboard. We sell you the truth about your worst day — rehearsed — before someone forces it on you.

01. We hunt, we don't scan

Automation is a starting line, never the finish. Every engagement is driven by a human chaining flaws by hand — the business-logic abuse, trust-boundary breaks, and crown-jewel paths a scanner structurally cannot reach.

02. We prove real business impact

"Theoretically exploitable" doesn't ship. We demonstrate what an attacker actually reaches, moves through, and takes — your data, your funds, your domain admin — and rank it by the damage to your business, not just a CVSS number.

03. We report for humans — board to bash

One report, two readers. The executive summary gives leadership a narrative and a decision; the technical body gives your engineers exact reproduction steps, payloads, and fixes. No 200-page wall of "informational" filler.

04. We retest for free, and verify it

A finding isn't closed because you say so — it's closed because we re-broke it and couldn't. Verified remediation retesting is included, so the fix is confirmed, not assumed.

05. We protect operator identities

Handles, not headshots — by design. Our researchers ship world-class work without ever becoming a target list. Named references and full credentials are available to clients under NDA.

The operators

Handles, not headshots.

Privacy is part of the brand. These are the leads behind 0block's five practices — a team of 7 full-time researchers holding 20+ offensive certifications. Named references available to clients under NDA.

r00t
Founder · Head of Offensive Research
15 years in the field. Former national-CERT. Sets the bar for every engagement that leaves the firm. Signed off on all 310+ engagements 0block has shipped since 2020.
OSCE3 · OSEE

glitch
Lead · Hardware & Embedded
Side-channel and fault-injection specialist. Drives the team's 10 CVEs and the Waterloo lab that breaks "secure elements." Has pulled keys off chips three vendors called extraction-proof.
Side-channel · Fault injection

overflow
Lead · Web & Application
Author of two OWASP cheat sheets. Lives in the business-logic flaws other testers walk straight past. Has chained "low-severity" bugs into full account takeover on more than one unicorn SaaS.
OSWE · GWAPT

chain
Lead · Blockchain & Cryptography
PhD in applied cryptography. Has personally audited $1B+ in TVL across DeFi, bridges, and MPC custody. Found a signature-malleability flaw before a single dollar ever flowed through the contract.
PhD · Applied cryptography

spectre
Lead · Red Team & Adversary Sim
Ex-military red cell. Models a real, funded adversary end-to-end — then sits with your blue team to make sure it never works again. Has reached domain admin from a single phishing click in under an hour.
OSEP · CRTO

Collective credentials — 20+ certs across the team: OSCP · OSCE3 · OSEP · OSED · OSEE · OSWE · GXPN · GWAPT · CREST · CISSP

By the numbers

Six years, measured.

Reduced, honest, and verifiable. The only metric we brag about is the last one.

Engagements delivered
Clients served
Customer assets protected
Vulnerabilities found
Zero-days disclosed (CVE)
Full-time researchers
Offensive certifications
Red-team objective rate
Critical-finding SLA
Average client rating
Years operating
Client breaches post-remediation

Where we operate

Three offices, one jurisdiction.

A Canadian firm by design. Your sensitive testing artefacts stay under a single, predictable data-sovereignty regime — coast to coast.

Headquarters
Waterloo, ON
305 King St W, Suite 400
Waterloo, ON N2J 2L9
Canada
+1 (519) 886-2020

Office
London, ON
255 Queens Ave, Suite 1100
London, ON N6A 5R8
Canada
+1 (416) 642-2020

Office
Calgary, AB
421 7th Ave SW, Suite 1500
Calgary, AB T2P 4K9
Canada
+1 (403) 264-2020

Industries served

Where the stakes are highest.

Crypto Exchanges & DeFi · Fintech & Payments · Healthcare & MedTech · SaaS & Cloud · Manufacturing & IoT · Government & Defense · Critical Infrastructure

Accreditations & compliance

Trust, attested.

Independently attested and aligned to the frameworks your auditors already use. We help clients meet SOC 2, PCI-DSS, HIPAA, ISO 27001, GDPR, DORA, and MiCA.

SOC 2 Type II: Independently audited operating controls over a monitoring period — not a point-in-time snapshot — so clients can hand the report straight to their own auditors.
ISO 27001-aligned: Our information-security management system maps to the ISO 27001 control set, keeping engagement data handled to an internationally recognised standard.
CREST-aligned methodology: Engagements follow CREST-aligned penetration-testing methodology and quality gates, the benchmark procurement and security teams already trust.
PCI-DSS ASV & pentest: We deliver both the external ASV scanning and the segmentation and application penetration testing your PCI-DSS assessor requires for cardholder environments.
OWASP: Web and API testing is driven by the OWASP Testing Guide and ASVS, with the Top 10 treated as a floor for coverage, never the ceiling.
NIST: Findings are framed against NIST SP 800-115 and the Cybersecurity Framework so results slot cleanly into the risk language your leadership already speaks.
MITRE ATT&CK: Red-team and adversary-simulation activity is mapped to MITRE ATT&CK techniques, giving your blue team precise, testable detection coverage.
PTES: The Penetration Testing Execution Standard structures every engagement end to end — from pre-engagement scoping through to reporting and retest.
OSSTMM: For operational and infrastructure work we apply the OSSTMM, measuring real, verified attack surface rather than theoretical exposure.

Our work helps clients meet SOC 2, PCI-DSS, HIPAA, ISO 27001, GDPR, DORA, and MiCA obligations.

Work with the best.

Whether you're a seed-stage startup or a Fortune 100, the standard is the same. Let's talk scope.