Yeti.Security on Yeti.Security — Pen-testing & security consulting

Penetration Testing

Thu, 15 Jan 2026 00:00:00 +0000

A scoped, time-boxed assessment against a defined surface. The most common engagement shape we run.

What’s in scope

Web applications — production-grade SPAs, APIs, admin consoles
Mobile — native iOS and Android binaries plus their backends (OWASP MASTG)
REST & GraphQL APIs — including auth-token replay, IDOR, rate-limiting
Cloud configuration — AWS, GCP, Azure (read-only review)

We do not test customer-leased on-premises hardware, third-party SaaS we don’t host, or anything you don’t have written authorization to test.

Red Team Engagement

Thu, 15 Jan 2026 00:00:00 +0000

A simulated adversary campaign with a defined objective (“exfiltrate the customer-PII bucket”, “deploy ransomware to the build server”, “obtain a production AWS access key”), tested across as many vectors as it takes.

What gets tested

Initial access — phishing, smishing, OSINT, supply-chain via dependency
Lateral movement — once in, can we move? what’s logged?
Privilege escalation — IAM, group policy, sudoer files, the lot
Detection & response — does your SOC see us? in how long? what gets paged?
Exfiltration — the final boss: can we leave with what we came for?

How it runs

Four-week minimum, six-week typical. We coordinate timing with a single point of contact on your side (usually CISO or VP Eng) who is not in the SOC. The SOC doesn’t know we’re coming — that’s the point.

Security Consulting

Thu, 15 Jan 2026 00:00:00 +0000

A monthly retainer for teams who want senior security guidance without hiring a full-time security engineer. The right shape for most Series A–B companies.

What’s included

Fractional CISO — a named senior practitioner who attends your weekly security/eng review and answers Slack
Threat modeling — quarterly half-day sessions to map what you’re shipping against what attackers want
Architecture review — every major system gets a read before it ships
SDLC integration — we set up the linters, the dependency scanning, the secret-detection in your CI, and tune them so they don’t get ignored
Incident retainer — on-call coverage for the first 24 hours of any declared incident; we then hand off to a forensics partner

How it works

Eight hours/week, billed monthly. We don’t track hours within the month — this isn’t an agency.

Crampon-7: credential-stuffing wave targeting fleet-management SaaS

Thu, 07 May 2026 00:00:00 +0000

// TLP:AMBER · limited distribution This brief contains active-campaign indicators. Share inside your organization and with trusted partners only. Do not redistribute publicly.

A coordinated credential-stuffing campaign is targeting US-based fleet-management platforms. Yeti has observed activity against three customers in the last 72 hours. Recommended actions are at the bottom of this post.

HIGH severity 11 known victims ~3% success rate 05.04 first seen

Summary

Threat actor CRAMPON-7 is replaying credentials harvested from a 2025 unrelated SaaS breach against fleet-management login endpoints. Distributed across approximately 4,200 residential proxies; rate-limited at 1.5 requests/second per IP — well below typical naive rate-limiting thresholds.

The first six findings we see, every time

Fri, 10 Apr 2026 00:00:00 +0000

Eighteen months in, we’ve completed 38 engagements. They span fintechs, fleet- management SaaS, two robotics companies, and a healthtech firm we can’t name. Different stacks, different teams, very different threat models.

And yet — the same six findings appear in roughly the same order, every time.

Treat this list as a pre-emptive remediation roadmap. If you can knock these out before our next visit (or, ideally, before someone else’s first visit), the rest of the engagement is materially more useful.

Northstar Robotics: fixing twelve findings before the report shipped

Sun, 22 Mar 2026 00:00:00 +0000

In Q2 2026 we ran a four-week penetration test against Northstar Robotics, a fleet-management SaaS for autonomous logistics vehicles. The engagement covered their production web app, the operator mobile apps (iOS + Android), and their customer-facing API.

We found 28 issues — two critical, four high, nine medium, eight low, five informational. None of those numbers are unusual. The unusual part: by the time we sent the final report, 20 of the 28 were already fixed. Six more had open PRs. Two were deferred deliberately, with a documented exception.

About Yeti

Thu, 15 Jan 2026 00:00:00 +0000

We’re a small offensive-security firm. We test other people’s systems for a living and we try to do it the way a senior practitioner would explain things to a peer they respect — direct, with the receipts, and without theatrics.

What we believe

Honest, never theatrical. We don’t dramatize findings to inflate scope. A medium is a medium. Reports describe risk in plain English with the math attached.

Practitioner-first. Everything we ship is something a working engineer can act on by Friday. No 200-page PDFs that nobody reads.

Get in touch

Thu, 15 Jan 2026 00:00:00 +0000

The fastest way to reach us is hello@yeti.security.

Tell us:

Roughly what you’d like tested (web app, mobile, infrastructure, all of the above)
A target window (the next 30 days? Q4? before your next SOC 2 audit?)
Whether you have a compliance trigger — and if so, which one

We’ll come back inside two business days with a scoped proposal. No sales motion attached, no follow-up sequences.

// for sensitive material If your message contains anything you’d rather keep private, use our PGP key — fingerprint 4F2A 1B7C 9E3D 8B41 6F02, full key at yetisecurity.cz/pgp.txt.

Other channels

Phone — +1 303 555 0100, business hours MT
Office — 1810 Blake St, Suite 400, Denver CO 80202
Signal — on request, after first contact
LinkedIn — linkedin.com/company/yeti-security

Responsible disclosure

If you’ve found a vulnerability in our systems — yetisecurity.cz, the verification service at verify.yetisecurity.cz, or anything we operate — see the disclosure policy and email security@yeti.security directly.

Inquiry received

Thu, 15 Jan 2026 00:00:00 +0000

Thanks for the details. We’ll review the scope and come back inside two business days.

If you need to send sensitive material, use our PGP key at yetisecurity.cz/pgp.txt or email security@yeti.security.

Privacy

Thu, 15 Jan 2026 00:00:00 +0000

We’re a security firm. We are not in the data-broker business. Specifically:

What we collect

On this website — a minimal analytics pixel (self-hosted) that records page, referrer, country (not IP), and rough screen size. No cookies. No fingerprinting. No third-party analytics.

Through contact forms — whatever you put in the form. We store it in our inbox until the engagement (if any) ends, then we archive and encrypt it.

Responsible disclosure

Thu, 15 Jan 2026 00:00:00 +0000

If you believe you’ve found a security issue in anything we operate — yetisecurity.cz, verify.yetisecurity.cz, our public tooling repos, or any service we host — please tell us. We will not pursue legal action against researchers acting in good faith under this policy.

In scope

yetisecurity.cz and all its subdomains
verify.yetisecurity.cz attestation service
Public repositories under github.com/yeti-security/*
Any artifact we explicitly publish (PGP keys, public reports, downloadable tooling)

Out of scope

Customer environments — even ones we’ve recently tested. Those belong to the customer; please report to them directly.
Findings that depend on physical access, social engineering of staff, or rate-limiting/DoS.
Reports generated by automated scanners with no manual validation.

How to report

Email: security@yeti.security — encrypted with our PGP key if the material is sensitive. Fingerprint 4F2A 1B7C 9E3D 8B41 6F02; full key at yetisecurity.cz/pgp.txt.