Services

BOUTIQUE CYBER THREAT INTELLIGENCE
& OFFENSIVE SECURITY

Custom reports that show you if threat actors are actively going after your company, brand, executives, or infrastructure. We pull from the deep and dark web, closed underground forums, and our own sources inside each ecosystem we cover. We don’t take every project.

If you’re stuck with a CTI vendor sending you empty reports quarter after quarter, hop on a call. Bring up your pain points to us. We’ll tell you straight if we can help — and if we can’t, we’ll say that too.

We only take on projects where we see potential for findings and an end product that brings value to you.

Satisfied Clients

In our work we often find things that other vendors miss - that's a fact. For example for a banking client we identified a stored XSS on their main web application - this same client had a comprehensive black box run by their local vendor in the UK 2 months prior - which missed it, until we came in.

Another case was when we identified that employees of another client in [redacted] industry had exposed all access to internal databases with passwords, usernames and everything was week fresh - available for anyone who knew where to look.

If you are serious about actual intelligence and value real reports that were made with full attention to detail, your infrastructure, and your intelligence requirements - we're the address, we also offer competitive pricing compared to 'corporate level' reports that charge just for the people coming in to their 9-5 to run automated tools.

Note

We do not rely on automation or any "Threat Intelligence Platforms" that archive data from 2017 pastebin - our approach is almost entirely manual first. Where at the core - is the skill.

  • We can combine our reports with penetration testing (hybrid intelligence assessments) at the request of the client.
  • vHUMINT (engagement with threat actors to extract information) possible at the request of the client.

The report and its findings can be presented to the technical team on a f2f call.

The format of deliverable is PDF / Docx [per custom requirement].

Case files

Redacted findings from client engagements.

Three findings below. All three came out of manual testing. No scanner turned them up, no platform flagged them, no aggregator had them.

This is the tip of the iceberg. It’s what we can show.

We work by OWASP, and we run our own manual framework on top of it. OWASP is good — that’s not the argument. The argument is that a framework tells you what to check. It can’t tell you anything about your environment. Every client is built differently. Every asset sits where it sits for a reason. Every vulnerability lives in a specific place, on specific infrastructure, and you have to understand that place before a checklist means much.

That’s why a full OWASP engagement can come back clean and still miss what’s in Case 02. The framework was done right. It just isn’t enough on its own.

Big vendors put a set number of hours against a set scope, run their tools over it, and close the job when the hours are gone. Manual work does not fit that model. We take fewer jobs and give each one the time the analysis actually needs — the whole infrastructure, the real assets, the things that would genuinely hurt. Tools find what they were built to find. Everything below is what they were not.

Redacted screenshot of a stored cross-site scripting proof of concept executing on a financial institution's home page.
CASE 02

Stored XSS, sitting on the home page

The client came to us two months after finishing a full penetration testing programme with their existing vendor — white box and black box, internal and external, run against OWASP. The whole menu, done properly.

We identified a stored XSS on the home page through manual testing. The alert in the screenshot is ours — a harmless string, put there to show it fires.

Stored XSS lives on the server and runs in the browser of every person who loads the page. Nobody has to click anything. On a pension and finance platform, that means session hijacking, credentials lifted, or a quiet redirect to a page that looks exactly like theirs.

It was on the home page. The first thing every visitor loads. A complete OWASP programme had gone over it two months earlier and not seen it.

Client sector
Pension & finance
What was exposed
Stored XSS on the home page
The client’s previous vendor
Ran white box + black box, internal + external, against OWASP
That vendor’s result
Missed it
EPCYBER, 2 months later
Found it through manual testing
Redacted screenshot of a production application exposing its runtime configuration, including database and cloud credentials.
CASE 01

Full exposure of internal configuration and live credentials

A live production application was giving up its entire internal configuration to anyone who asked. No login. No exploit. No tools.

What we found within the first 40 minutes of the engagement: the database credentials. The cloud access keys. Third-party API secrets. And the application’s signing key — that one matters most, because it signs and encrypts every session cookie. Whoever holds it can mint a working session for any user on the platform.

No tool surfaced this. It came out of manual testing of the client’s external assets — not a scanner, and not any of the platforms the client was already paying for.

What was exposed
Database credentials, cloud access keys, application signing key, third-party API secrets
Access required
None
Automated tools and platforms
Found nothing
EPCYBER
Found it through manual testing
Outcome
Reported to the client. Keys rotated, config fixed.
Heavily redacted still from a live internal CCTV feed reachable from outside the client network.
CASE 03

Live internal CCTV, reachable from outside

We reached the client’s CCTV remotely — live cameras covering the inside of their premises, from outside their network.

The cameras sat on internal infrastructure. So reaching them meant reaching that infrastructure. This isn’t a privacy problem with a camera. It’s someone outside the network standing inside it.

The host it ran on wasn’t a standard asset and wouldn’t surface in a routine sweep. We identified it through manual testing — having the time to assess what was actually deployed, rather than what a scan expects to find. This client had used other vendors before us. None of them identified it.

What was exposed
Live internal CCTV, and reach into the client’s internal network
Access required
Remote. No credentials.
The client’s previous vendors
Missed it
EPCYBER
Found it through manual testing
What we offer

Engagements we take on.

Every engagement is scoped to the client. These are the shapes they usually take — on their own, or combined.

01

Custom intelligence reports

Is anyone actually going after you. We work the deep and dark web, closed underground forums, and our own sources inside each ecosystem, then tell you what we found and what it means.

02

Targeting assessment

Your company, your brand, your infrastructure, your crown jewels — and your people. Executives, C-level, and the personnel an adversary would reach for first.

03

Dark web monitoring

Ongoing coverage of the forums, markets and channels that matter to you. Manual, sourced, and current — not an aggregator replaying 2017.

04

Penetration testing — web & API

Application and API testing against OWASP, with our own manual framework on top. The findings on this page came out of that second part.

05

Penetration testing — cloud & container

Cloud assets, Docker, and container infrastructure. Configuration, exposure, and what is reachable from outside that shouldn’t be.

06

Penetration testing — IoT & devices

Connected devices and the infrastructure behind them. Cameras included — see Case 03.

07

Hybrid intelligence assessments

Intelligence and penetration testing run as one engagement, so the findings inform each other instead of arriving in two disconnected reports.

08

vHUMINT

Direct engagement with threat actors to extract information. On request, and only where it is the right instrument.

09

Exposure & leak discovery

Credentials, databases, documents and configuration that ended up somewhere they were never meant to be. Third-party platforms included.

10

Executive & VIP exposure

What an adversary can build on your leadership from open sources, and what to do about the parts that matter.

11

Supply chain & third-party exposure

Your vendors are your attack surface. Most breaches arrive through someone you already trust.

12

China-focused intelligence

Chinese-language sources, platforms and infrastructure. The half of the picture most Western vendors cannot reach.

13

Russia-focused intelligence

Russian-language forums, underground communities and the infrastructure behind them. Where most of the dark web actually operates.

Industries we serve

Where the work happens.

BankingFinancePension & retirement fundsInsuranceAsset managementPrivate equityFintechPaymentsGovernmentDefenceDefence contractorsIntelligenceLaw enforcementCritical infrastructure
Oil & gasEnergy & utilitiesMiningChemicalsManufacturingConstructionAerospaceAutomotiveMaritime & shippingLogisticsTechnologyTelecommunicationsCloud & SaaSSemiconductorsHealthcarePharmaceuticals
Behind the tradecraft

At the core, the skill.

Everyone runs the same tools. The frameworks are public. What separates one engagement from the next is who is doing the looking — and what they have seen before.

Eva Prokofiev — Founder & CEOEP
Eva Prokofiev
Founder & CEO
EPCYBER LLCMiami · Florida, U.S.
RedRadar Technologies Inc.Delaware, U.S.
Background

A former Military Intelligence Officer from a Special Operations Division, working at the intersection of cyber threat intelligence, OSINT, and collection across high-risk digital environments.

Offensive work spans penetration testing across web, API, cloud, Docker and IoT — in practice since 2014, assessed against OWASP, with an internal manual framework layered on top. The findings above came out of that layer, not the checklist.

Intelligence work covers cyber threat intelligence, dark web collection, and vHUMINT — direct engagement with threat actors to extract what open sources will never hold. Alongside OSINT, IMINT, SOCMINT and GEOINT.

Over 15+ years: European defense contractors, US and NATO-aligned agencies, financial institutions, and intelligence teams working complex regions. An Oxford University Executive Leadership graduate (top honors), CISO certified at 22.

Former Military Intelligence · Special Operations Penetration testing since 2014 Web · API · cloud · Docker · IoT CTI · dark web · vHUMINT OSINT · IMINT · SOCMINT · GEOINT OWASP · plus an internal manual framework Oxford Executive Leadership · top honors CISO certified at 22
Contact

Got a question about our services ?

Boutique CTI engagements — custom intelligence reports, dark web monitoring, vHUMINT operations, and hybrid intelligence assessments.

cti@epcyber.com
Reach Our Experts