We’ll zoom into your needs, show how we manually review your code, and answer any security questions you have.
✓ Executed whitebox or blackbox
✓ Fully compliant PDF report format
✓ No automated scanners or false positives
✓ On your schedule, with our full attention
Are you building high-risk or high-impact software that simply cannot fail? From cryptography to side channel analysis, we help prevent the kinds of problems that would break your product or your trust.
We’ve secured and broken everything from secure bootloaders to advanced cryptographic systems. If it’s complex, sensitive, or critical, we can help.
With ∞ code analysis, our expert security analysts will fully review the current version of your code from a security perspective, after which they will follow along as you develop. This means that we review all new code that is committed (as long as it is within the limits defined by the subscription) on a monthly basis, typically before it hits production. Not literally as you type, but never later than a month from typing! Security issues will be shared as soon as found, and reports as often as you need them. Your software will receive attention for an amount of hours based on the development rate of your product.
Once our ∞ code analysis service is integrated with your project, our primary goal is to "catch up" with your development and acquire a full overview and understanding of all the security-sensitive functionality in your existing codebase. You can decide to spread this initial phase (and associated cost) over multiple months if you wish; or set the slider to 1 month if your goal is to achieve coverage as fast as possible.
Typically, after this one-off investment, monthly reviews of your updates require a smaller effort. This is why we differentiate these two phases, so you always pay for what you get.
Codean Labs takes security seriously, and employs industry-standard measures to protect your assets, such as your code and any potential findings. Because we connect straight to your code-hosting platform (e.g. GitHub, GitLab, ...), there is no need to transfer ZIP files or use third-party cloud storage.
We try our best to meet your needs, aiming to start as soon as you are ready! Together with you, we will agree upon a specific start date.
Yes! You may need to give your client(s) or management insight into the security of your product. We've got you covered with periodic summary reports showing the overall security of your software (without revealing critical details) as well as your developments over time.
We have very wide expertise in software security, so anything from embedded to cloud and everything in between is within our capabilities to pentest. In practice, what we see most are web and mobile applications, and the associated backend(s) and cloud infrastructure.
Even in the design phase, we can help by reviewing your planned technical design or architecture. By giving you early feedback from a security perspective, we can help you build a strong core, making sure no time is wasted refactoring it later.
We believe security review can be done both more thoroughly and more cost-efficiently, whereas other labs often compromise on one of these two. We achieve this through our home-grown tooling and processes that we have optimized over time.
These are industry terms for approaches that can be taken when evaluating the security of software systems.
When using a whitebox approach, pentesters are given access to the source code of the software they are analyzing; this corresponds to our ∞ code analysis service. In contrast, a blackbox approach puts a pentester in the shoes of an external attacker having no confidential information like source code or documentation. A greybox approach is somewhat in between white- and black-box: typically the code is unavailable but some information is shared. Grey- and black-box approaches are followed in our ◦ codeless analysis service.
As a rule of thumb, request a whitebox approach for a more thorough analysis with clear coverage, and a grey- or black-box approach for a feel of what an external attacker could do in a defined timeframe.