Authentication code review by people who build production identity systems.

    A fixed-fee, fixed-scope security review of your OAuth2, OIDC, WebAuthn, or passkeys implementation — delivered in two weeks with an auditor-ready report.

    Industries & teams we have worked with

    • Spectricity (Deep Tech)
    • CNDX (Music Tech)
    • HearYourBrain (Music Tech)
    • RPStudios (Creative)
    • Social Builders (Social Impact)
    • Saloufaki MCPY (Maritime Services)
    • Manestra (E-commerce)
    • IMEC (Deep Tech)
    • VeroTech (Tech Consulting)
    • SSOBuddy (Cybersecurity)
    • Digital Flanders (Digital Governance)
    • Anodos Construction (Property Developer)
    • Prove / UnifyID (Behavioral Biometrics)
    • DatAnalysis (Web Development)
    • Camping Vrachos (3D Virtual Visit)

    How the engagement works

    Three phases, fully predictable. Scope is fixed upfront so the price stays fixed.

    ANALYZE

    Manually review your authentication code

    We perform a manual, standards-grounded code review of your authentication flows. Every finding is traced to its exact location in your code, mapped to an OWASP ASVS requirement or RFC, and rated by exploitability and impact.

    This phase covers:

    • OAuth2 / OIDC flows including PKCE and token exchange
    • WebAuthn / FIDO2 / passkeys registration and authentication
    • Session management, token handling, and rotation
    • Federation, multi-tenant isolation, and SSO integration
    • Threat modeling of the full authentication surface

    Built for teams who care about getting authentication right.

    This is for you if:

    • You ship a SaaS product, fintech app, or platform with a login flow
    • You're implementing or have implemented passkeys, WebAuthn, OAuth2, or OIDC
    • You're preparing evidence for SOC 2, ISO 27001, DORA, or NIS2
    • You're answering a customer security questionnaire and need a third-party review
    • You've shipped auth code with AI assistance and want a specialist to validate it

    This is not for you if:

    • You need a full penetration test (we don't do dynamic testing in this engagement)
    • You need infrastructure, cloud, or network security review
    • You need a regulatory compliance certificate (we provide evidence, not attestation)
    • You're looking for a free security audit
    • You need a lighter-weight first scan of your web app or API — try our AI Security Scan

    Scope

    Fixed scope protects the fixed price. Everything below is agreed upfront.

    ✅ In scope

    • Manual code review of authentication & identity components
    • OAuth2 / OIDC flows (auth code + PKCE, client credentials, token exchange, refresh)
    • WebAuthn / FIDO2 / passkeys (registration, authentication, recovery)
    • Session management & token handling
    • Federation, multi-tenant isolation, SSO integration
    • Threat modeling of the auth surface
    • One repository or one auth flow per engagement
    • Standards-mapped findings (OWASP ASVS, RFCs, FIDO/W3C specs)

    ❌ Out of scope

    • Implementation of fixes
    • Infrastructure or cloud configuration review
    • Network or perimeter security
    • Frontend XSS not related to authentication
    • Dynamic testing or runtime traffic
    • Social engineering or phishing assessment
    • Mobile binary or reverse-engineering work
    • Regulatory certification or compliance attestation

    Process & timeline

    Productized means predictable. Here's exactly what happens, day by day.

    • Day 0: Scoping call. Engagement letter + NDA signed. Read-only repository access granted.
    • Day 1: Kick-off. Architecture walk-through with your team (~30 min).
    • Days 2–6: Review work. Code analysis, threat modeling, finding validation.
    • Day 7: Draft report delivered.
    • Day 8: Internal review and revisions.
    • Day 10: Final report delivered (encrypted PDF).
    • Days 10–12: 60-minute review call with your engineering team.
    • Days 11–40: 30-day follow-up window for written questions.

    Pricing

    Fixed-fee, visible upfront. Prices exclude VAT (21% BTW/TVA, where applicable).

    Single Flow Review
    €1,500

    One authentication flow (e.g., OAuth2 login, WebAuthn registration, or SSO integration). One repository.

    Book a scoping call
    Full Auth Surface Review
    €3,500

    Up to three flows, one repository. Includes federation and multi-tenant analysis if applicable.

    Book a scoping call

    Add-ons (priced separately)

    • Re-review of fixes (scoped to changes only): €750
    • Additional auth flow added to existing engagement: €900
    • Rush delivery (5 business days instead of 10): +€500
    • On-site review session (Brussels / Benelux): +€600

    What we need from you to start

    A short list of requirements that keeps the engagement on track and prevents delays.

    • Read-only access to the repository or relevant code (private repo invite is fine)
    • An engineering point of contact for a 30-minute kick-off call
    • A short description of the authentication flow(s) in scope
    • A list of identity providers, OAuth2/OIDC clients, or WebAuthn relying parties involved
    • Signed engagement letter and mutual NDA (templates provided)

    How we review

    Reviews are conducted against established standards and specifications. Every finding in the report is mapped to one or more of these standards, so your auditors and engineering team can verify against a known reference.

    • OWASP ASVS v4

      Sections V2 (Authentication), V3 (Session Management), V7 (Cryptography)

    • OWASP Authentication & Session Management Cheat Sheets

    • OAuth 2.0 & extensions

      RFC 6749, PKCE (RFC 7636), OAuth 2.0 for Native Apps (RFC 8252), Token Exchange (RFC 8693)

    • OpenID Connect Core 1.0

      And relevant OpenID Foundation specifications

    • W3C WebAuthn Level 2 & FIDO2 / CTAP2

    • NIST SP 800-63B

      Digital Identity Guidelines, Authentication Assurance

    Frequently asked questions

    Do you sign NDAs?
    Yes. A mutual NDA is part of every engagement. Templates available, and we can sign yours instead if you prefer.
    Do you run code or just review it?
    Code review only. No dynamic testing, no production traffic, no fuzzing in this engagement. If you need dynamic testing, we can refer you or scope a separate engagement.
    What languages and frameworks?
    We review code in Go, TypeScript / JavaScript, and Python by default. Other languages on request — contact us to confirm before booking.
    What if you find nothing?
    The report still includes a positive attestation: what was reviewed, the methodology used, and confirmation of controls that are correctly implemented. This is what auditors actually want as evidence.
    Do you use AI tools during the review?
    Yes. We use AI-assisted code analysis (Anthropic Claude via API, under a data processing agreement that prohibits training on customer data) to accelerate the reading phase. All findings are validated and authored by the human reviewer. Your code is never sent to consumer AI products.
    How is my code kept confidential?
    Code is accessed via read-only repository invite, processed locally, never stored beyond the engagement window, and findings are delivered as an encrypted PDF. AI subprocessors (e.g., Anthropic API) are bound by DPAs. Full subprocessor list available on request.
    Can I get a re-review after we fix the findings?
    Yes — €750 for a re-review scoped to the changes, delivered within 5 business days.
    Does this satisfy SOC 2 / ISO 27001 / DORA / NIS2?
    The report provides evidence that auditors can use to assess your authentication controls. It is not itself a regulatory attestation or certification — those are issued by accredited auditors. Most clients use our report as supporting evidence in their broader compliance program.
    Are you a certified pentester (OSCP, CREST, etc.)?
    The reviewer holds an engineering background in identity systems with multiple years of production experience on WebAuthn, OAuth2, and OIDC implementations. This is a code review service, not a pentest — see "Scope" above.
    Can the review be done on-site / in Brussels?
    Yes, for an additional €600 covering travel and on-site time within Benelux. The kick-off and review call can also be remote at no extra cost.

    How we handle your code

    Confidentiality

    Mutual NDA on every engagement. Code is accessed via read-only repository invite, processed in our local environment, and not retained beyond the engagement window.

    Encrypted delivery

    Final reports are delivered as password-protected PDFs, with passwords transmitted via a separate channel.

    AI-assisted analysis

    We use Anthropic Claude (via API) for code analysis under a data processing agreement that prohibits training on customer data. We do not use consumer AI products on client code.

    No subprocessor uses your data for training

    All AI and infrastructure subprocessors are contractually bound. Other model providers used (if any) are listed in our subprocessor register, available on request.

    Liability

    This engagement provides findings and recommendations. The client retains responsibility for assessing and implementing them. No security review can guarantee absence of vulnerabilities. This engagement is not a regulatory compliance attestation. Full terms and liability limits in our engagement letter.

    Ready to review your authentication code?

    Book a free 30-minute scoping call.

    No payment required. We confirm scope, answer questions, and quote within 24 hours.