Every engagement runs the same way regardless of what's being audited: an AI first pass wide enough to cover the whole surface, then a human analyst who confirms what's real before we certify anything.
What a visitor's browser actually sees and connects to, audited from the outside:

- TLS configuration, certificate hygiene, security headers, and cookie/session handling.
- Endpoints, admin panels, and staging paths that are reachable but shouldn't be discoverable.
- Scripts, trackers, and embedded widgets that run in the same origin as your users' sessions.
The product itself, read file by file rather than probed at the edges:

- Client-side logic, storage, and the API contracts they depend on.
- Authorization boundaries, input handling, and the paths between services.
- Deployment configuration and access policy, since most incidents start there rather than in application logic.
Products that ship an LLM or agent carry a risk surface most security vendors don't have a checklist for yet:

- Where untrusted input reaches a model with the authority to take action or return data.
- What an agent's tool calls can reach, and whether that matches what the product actually needs.
- Whether an AI feature can do more than the interface around it implies.
Each office anchors the audit in the regulatory framework its region actually operates under.
| Office | Region | Compliance focus |
|---|---|---|
| Dublin, Ireland | European Union | GDPR-mapped data handling and processing review |
| California, USA | United States | CCPA-mapped consumer data review |
| Singapore | Asia-Pacific | PDPA-mapped data handling review |
A single full pass across the surfaces you choose, delivered as a report plus a certification mark reflecting the result at that moment.
The mark stays live — re-checked as your code and site change, so "Certorasec Verified" reflects the current state, not a snapshot from six months ago.
Tell us what you're running. We'll scope the audit before we start it.