I do focused security reviews for B2B SaaS teams. Maybe a bigger customer’s
security review is holding up a deal, or you’ve wired an AI agent or MCP server into
customer data and don’t know its blast radius. Either way, your engineers get
findings they can act on, with the exploit path and how to fix it.
I led a multi-quarter authorization and multi-tenant isolation overhaul that took a
SaaS platform upmarket: rolling tenant isolation through 45+ data models, designing
an access-rules system, and hardening the boundaries that stop one customer ever
seeing another’s data. Before that I founded
Percy (visual testing, acquired by BrowserStack) and
Respondly (acquired by Buffer).
I’ve spent years reading code for security bugs, and that judgment is what the
engagement buys. Tools surface candidates fast. I decide which are real, what it
would take to exploit them, and which to fix first.
I’ve run the bug bounty programs at all three companies, so I know what
crowdsourced testing and external pentests turn up, and where they stop. Most of that
stays at the surface of the running app, hitting APIs and poking at inputs. The problems
that actually breach you sit deeper, in the code and the release path and how access
gets enforced. That’s what I read for. Recently I reported cross-tenant and injection
flaws in Chatwoot, a multi-tenant SaaS. They’re fixed upstream and public, and one is
rated CVSS 8.5 (CVE-2026-44706). At the end of an engagement I put my name on
an attestation you can hand a prospect’s security team.
Authorization & Cross-Tenant Isolation Review
from $10,000
Broken access control is the most common way B2B SaaS leaks data across tenants.
It’s a logic bug, and it lives in the code, so the scanners hitting your running
app at the surface walk right past it. I read the actual code: the database queries,
the access checks, the tenant boundaries. The same bug class shows up everywhere you
hand out data now: your APIs, your MCP servers, and the AI agents you’ve given
access to it. The review covers all three.
I don’t just flag it. I make one test account reach another customer’s data,
then hand you the reproducible steps, the fix, and how to keep it from creeping back as
you ship.
Scope: application authorization and tenant isolation, code-level, across APIs, MCP
servers, and multi-tenant SaaS. Not cloud or runtime infrastructure.
Also
Supply Chain & Release Integrity Audit
from $5,000
Often the same enterprise review asks how your code ships. Poisoned dependencies,
compromised GitHub Actions, leaked publish tokens, a pipeline one bad PR can subvert. I
review dependency intake, CI/CD, release provenance, and secret hygiene, and hand back
ranked findings with a real exploit path and the fix. Up to publish, not cloud or
runtime.