elttam is an independent security company providing research-driven security assessment services - we combine pragmatism and deep technical insight to help our customers secure their most important assets
We work with product teams and security engineers to perform technical security assessments across a variety of software and hardware following a white-box or black-box approach
What? A code-assisted approach to audit the security of software and Infrastructure as Code. We identify vulnerabilities in design and implementation and provide tailored remediation guidance
How? First we build an understanding of the architecture, threat model, and objectives of a target; we then carefully combine entry-point analysis, static analysis, runtime testing, and dynamic analysis methods to find vulnerabilities
When? Baseline assessment for new products; Products or features requiring high security assurance; Security evaluations during Mergers and Acquisitions; and in-depth technical assessments
What? A "zero-access" approach to audit the security of software or hardware. We identify implementation vulnerabilities in high risk attack surface and security controls and provide remediation guidance
How? After understanding the threat model and priorities, we combine reverse engineering, network protocol analysis, fuzzing, runtime testing, instrumentation, and hardware testing methods to find vulnerabilities
When? Validation of product or feature security claims; Independent third party product assessments; Embedded device assessments; and Technology supply-chain assessments
We have extensive experience reviewing a variety of software products. Some examples of projects we've worked on include:
Auditing and testing of web applications built in modern frameworks & languages, enterprise web application architectures, authentication protocols and services, APIs, micro-services, and bespoke gateways
Auditing and testing of iOS and Android applications including security-critical features such as biometrics, NFC, Bluetooth interfaces, bespoke client-side crypto, and low-level libraries and SDKs
Auditing and testing of client/server applications, libraries, OS kernels and drivers, hypervisors, firmware, and other proprietary or open-source software
Auditing and testing of antivirus and next-gen endpoint protection, identity & access management platforms, network security software appliances, and sandboxing technologies
We have extensive experience reviewing a variety of cloud services. Some examples of projects we've worked on include:
Auditing and testing of infrastructure as code (IaC) for cloud platforms including Amazon Web Services, Microsoft Azure, and Google Cloud
Auditing and testing of data warehouse and analytics systems, including highly scalable data processing systems that do machine learning on sensitive data
Auditing and testing of Continuous Integration and Continuous Delivery (CI/CD) pipelines for platforms like GitHub, GitLab, Azure DevOps, Bamboo and Jenkins
Auditing and testing of serverless cloud applications including the various cloud serverless runtimes, platform functions and serverless databases
We have extensive experience reviewing a variety of embedded devices. Some examples of projects we've worked on include:
Auditing and testing of IoT devices, including smart network routers, smart-home devices, VoIP systems and CAN Bus integrated IoT devices
Auditing and testing of device firmware running on consumer hardware such as wireless keyboards/mice, network printers and IP cameras
Auditing and testing of Point Of Sale (POS) terminals, digital wallets which support cryptocurrency and bank-used electronic vaults
In-depth research on secure bootloaders, reverse engineering and auditing portable VPN devices, and physical alarm systems
Working with network engineers and security operations teams, we evaluate remote compromise threats and run assumed breach scenarios from specific points in a network
What? A scenario-driven testing approach to simulate remote attackers aiming to breach perimeter defenses via remote infrastructure weaknesses or via targeted attacks against user end-point systems
How? We learn the current threat model, agree on scenarios to simulate with time-limits and terms, then play each out, documenting observations, findings, and countermeasures. Scenarios can include:
When? Periodically (e.g. quarterly, bi-annually) to incrementally measure and improve defences; Ad-hoc to verify major infrastructure changes; Annually to get the most out of penetration testing obligations
What? A scenario-driven testing approach that assumes breach of specific network assets aiming to identify weaknesses and gaps in security controls in place to protect business critical assets
How? We understand the high-level threat model, agree on scenarios, time limits, and terms; then play out each scenario, documenting the approaches, techniques, findings, and countermeasures. Scenarios can include:
When? Periodically (e.g. quarterly or bi-annually) to incrementally measure and improve defences; Ad-hoc testing to verify recent changes or new controls; As an add-on to specific security auditing services
We follow the below process to deliver projects that are of a consistently high quality end to end
An informal chat to learn about the project requirements, goals, and timing
We like to ensure we're the right fit for a project before going further
We hold a meeting to understand project specifics in more detail to create a draft proposal
Each proposal is tailored to the unique requirements of every project we do
We ensure all materials and communications channels are setup in advance so we can hit the ground running
We loop in all key stakeholders and host a kick-off call to ensure everyone is across project specifics
We follow our internal methodologies for each activity of the project with regular updates throughout
Project activities are prioritised to meet objectives allowing us to focus on what's important
We hold a close-down meeting to present draft deliverables for initial review
We step through detailed findings, discuss the root-cause of issues, and summarise recommendations
We ensure final deliverables meet all requirements and expectations
As part of our project data safeguarding processes, we securely archive the project on completion
Founded in 2015, elttam was created with the mission to provide independent high-quality technical security services. Today, our team works closely with dozens of customers across numerous sectors and geographic regions that trust us to help protect their most important assets
As technology continues to evolve and intertwine in our lives, we want to be on the forefront to help manage the security and privacy threats for key technologies we all use and depend on
Our team spend their time delivering customer projects at a high-quality, performing R&D on popular & emerging technologies and helping behind the scenes to refine our craft
Through quality independent services we form genuine relationships with our customers and, as a result, have built a strong client base via word of mouth
Daniel Hodson and Matt Jones are the Directors and Co-Founders of elttam. They oversee all projects and are Principal Consultants in the team
They've both been active in the industry since the early 2000s, working in specialised teams for leading organisations, and years of experience freelancing on high-end technical projects
They decided to combine forces to create something which could be shared with others and they're proud to be part of
Finds bugs, breaches networks and strives to pop shells
Brisbane, Australia
Senior Consultant
Sydney, Australia
Operations Manager
Dijon, France
Senior Consultant
Audits code, hacks signals, writes code and leads gigs
Melbourne, Australia
Senior Consultant
Oversees gigs, audits low-level code, offensive R&D
Brisbane, Australia
Director
Oversees gigs, audits code, provides advisory services, internal R&D
Melbourne, Australia
Director
Finds intricate bugs and hacks a variety of software and devices
Queensland, Australia
Principal Consultant
Audits infrastructure, hacks networks and engineers solutions
Sydney, Australia
Principal Consultant
Handles accounts and does fistbumps when credits = debits
Sydney, Australia
Accounts
We perform research and development to stay on top of industry trends, find new attack vectors for technologies we assess in the field, and help contribute back to the community
Mon - Fri : 8am - 6pm
Time zone : AEST (GMT+10)
Email : hello@elttam.com
PGP Key: A105DCB5.gpg
36-38 Gipps Street
Collingwood VIC 3066
3 Albert Coates Lane
Melbourne VIC 2000
20-40 Meagher Street
Chippendale NSW 2008