Services

Three surfaces. One certification.

Every engagement runs the same way regardless of what's being audited: an AI first pass wide enough to cover the whole surface, then a human analyst who confirms what's real before we certify anything.

01 — Websites

Website certification

What a visitor's browser actually sees and connects to — audited from the outside.

Transport & headers

TLS configuration, certificate hygiene, security headers, and cookie/session handling.

Exposed surface

Endpoints, admin panels, and staging paths that are reachable but shouldn't be discoverable.

Third-party exposure

Scripts, trackers, and embedded widgets that run in the same origin as your users' sessions.

02 — Application code

Codebase audits

The product itself, read file by file rather than probed at the edges.

Web & mobile clients

Client-side logic, storage, and the API contracts they depend on.

Backend services & APIs

Authorization boundaries, input handling, and the paths between services.

Infrastructure-as-code

Deployment configuration and access policy, since most incidents start there rather than in application logic.

03 — AI-powered features

AI-feature audits

Products that ship an LLM or agent carry a risk surface most security vendors don't have a checklist for yet.

Prompt injection

Where untrusted input reaches a model with the authority to take action or return data.

Tool & data exposure

What an agent's tool calls can reach, and whether that matches what the product actually needs.

Over-permissioned actions

Whether an AI feature can do more than the interface around it implies.

Jurisdictions

Compliance mapping

Each office anchors the regulatory context its region actually operates under.

| Office | Region | Compliance focus |
| --- | --- | --- |
| Dublin, Ireland | European Union | GDPR-mapped data handling and processing review |
| California, USA | United States | CCPA-mapped consumer data review |
| Singapore | Asia-Pacific | PDPA-mapped data handling review |

Engagement

One-time or continuous.

Point-in-time audit

A single full pass across the surfaces you choose, delivered as a report plus a certification mark reflecting the result at that moment.

Continuous certification

The mark stays live — re-checked as your code and site change, so "Certorasec Verified" reflects the current state, not a snapshot from six months ago.

Not sure which surfaces apply to you?

Tell us what you're running. We'll scope the audit before we start it.

Request an audit