Skip to content

The evidence.

We've completed 58 assessments across 8 industries. The patterns are consistent. The exposures are predictable. The fixes are straightforward. Here is what we find — and what it costs you to ignore it.

Exhibit A

Email & Identity

We sent an email as your CEO. It arrived.

DMARC misconfiguration. We find it at 40% of the companies we assess. It means anyone — a competitor, a disgruntled employee, a sixteen-year-old in another country — can send email that appears to come from your managing director. Your recipients cannot tell the difference. Your email provider will not flag it. The fix takes less than a day.

40% of assessed companies. Average wire fraud exposure: $5M–$50M.

Exhibit B

Web Infrastructure

Your staging environment is public. Your error pages are confessing.

Development servers left running. Error messages that reveal your database structure. Admin panels with default credentials. Technology stack information that tells an attacker exactly which known vulnerabilities to try first. We've found customer data in publicly accessible staging environments at firms managing billions in AUM.

Found in 6 of 8 industries assessed. Average exposure: $1M–$10M per instance.

Exhibit C

Cloud & SaaS Exposure

Your vendors are leaking. About you.

Every SaaS tool you use — your CRM, your project management, your analytics — leaves fingerprints. DNS records that map your entire vendor ecosystem. OAuth configurations that reveal internal org structure. API keys committed to public repositories. We don't need to breach your systems. Your tools already told us everything.

12 exposed services per company. Average exposure: $500K–$5M per vendor chain.

Exhibit D

Credentials & Access

We found your keys. They were on the sidewalk.

Auth0 client configurations exposed in page source. Hardcoded API credentials in client-side JavaScript. Session tokens stored in ways that don't meet compliance requirements your own legal team set. These aren't exotic attacks. They're unlocked doors that nobody thought to check because the building looked fine from outside.

Found in 70% of assessments. Average exposure: $2M–$15M per organization.

The verdict

3.2/10

Average across 58 assessments and 8 industries. Not theoretical risk. Real-world exploitability measured against what an actual attacker would find in the first hour of looking.

3.2

Private Equity

2.8

Family Offices

3.6

Venture Capital

2.9

Growth-Stage

The scores are low because the attention isn't there. The fixes are straightforward because nobody's tried them yet.

This is what's in the report.
Want to see yours?

Get Your Assessment

Confidential. Under NDA. We delete everything if you walk away.