Trusted Services For What Matters

elttam is an independent security company providing research-driven security assessment services - we combine pragmatism and deep technical insight to help our customers secure their most important assets

Insightful Security Auditing.

We work with product teams and security engineers to perform technical security assessments across a variety of software and hardware following a white-box or black-box approach


White-box Security Assessment


What? A code-assisted approach to audit the security of software and Infrastructure as Code. We identify vulnerabilities in design and implementation and provide tailored remediation guidance

How? First we build an understanding of the architecture, threat model, and objectives of a target; we then carefully combine entry-point analysis, static analysis, runtime testing, and dynamic analysis methods to find vulnerabilities

When? Baseline assessment for new products; Products or features requiring high security assurance; Security evaluations during Mergers and Acquisitions; and in-depth technical assessments

Black-box Product Assessment


What? A "zero-access" approach to audit the security of software or hardware. We identify implementation vulnerabilities in high-risk attack surface and security controls and provide remediation guidance

How? After understanding the threat model and priorities, we combine reverse engineering, network protocol analysis, fuzzing, runtime testing, instrumentation, and hardware testing methods to find vulnerabilities

When? Validation of product or feature security claims; Independent third party product assessments; Embedded device assessments; and Technology supply-chain assessments

Software Products

We have extensive experience reviewing a variety of software products. Some examples of projects we've worked on include:


Web

Auditing and testing of web applications built in modern frameworks & languages, enterprise web application architectures, authentication protocols and services, APIs, micro-services, and bespoke gateways

Mobile

Auditing and testing of iOS and Android applications including security-critical features such as biometrics, NFC, Bluetooth interfaces, bespoke client-side crypto, and low-level libraries and SDKs

Native

Auditing and testing of client/server applications, libraries, OS kernels and drivers, hypervisors, firmware, and other proprietary or open-source software

Security Software

Auditing and testing of antivirus and next-gen endpoint protection, identity & access management platforms, network security software appliances, and sandboxing technologies

Cloud Services

We have extensive experience reviewing a variety of cloud services. Some examples of projects we've worked on include:


Infrastructure as Code

Auditing and testing of infrastructure as code (IaC) for cloud platforms including Amazon Web Services, Microsoft Azure, and Google Cloud

Data Warehouses and Analytics

Auditing and testing of data warehouse and analytics systems, including highly scalable data processing systems that do machine learning on sensitive data

CI/CD Pipelines

Auditing and testing of Continuous Integration and Continuous Delivery (CI/CD) pipelines for platforms like GitHub, GitLab, Azure DevOps, Bamboo and Jenkins

Serverless Applications

Auditing and testing of serverless cloud applications including the various cloud serverless runtimes, platform functions and serverless databases

Embedded Devices

We have extensive experience reviewing a variety of embedded devices. Some examples of projects we've worked on include:


Internet of Things (IoT)

Auditing and testing of IoT devices, including smart network routers, smart-home devices, VoIP systems and CAN Bus integrated IoT devices

Firmware

Auditing and testing of device firmware running on consumer hardware such as wireless keyboards/mice, network printers and IP cameras

Financial Devices

Auditing and testing of Point Of Sale (POS) terminals, digital wallets which support cryptocurrency and bank-used electronic vaults

Security Hardware

In-depth research on secure bootloaders, reverse engineering and auditing portable VPN devices, and physical alarm systems



Realistic Adversarial Simulations.

Working with network engineers and security operations teams, we evaluate remote compromise threats and run assumed breach scenarios from specific points in a network


Remote Compromise


What? A scenario-driven testing approach to simulate remote attackers aiming to breach perimeter defenses via remote infrastructure weaknesses or via targeted attacks against user end-point systems

How? We learn the current threat model, agree on scenarios to simulate with time-limits and terms, then play each out, documenting observations, findings, and countermeasures. Scenarios can include:

  • Network Perimeter Attacks: Perform OSINT and map internet attack surface then attempt to gain access to sensitive system data or establish a network foothold
  • Phishing Simulations: Measure specific security controls and awareness training for users and high-value targets (spear-phishing campaigns) that could result in compromised credentials and malware

When? Periodically (e.g. quarterly, bi-annually) to incrementally measure and improve defences; Ad-hoc to verify major infrastructure changes; Annually to get the most out of penetration testing obligations

Assumed Breach


What? A scenario-driven testing approach that assumes breach of specific network assets aiming to identify weaknesses and gaps in security controls in place to protect business critical assets

How? We understand the high-level threat model, agree on scenarios, time limits, and terms; then play out each scenario, documenting the approaches, techniques, findings, and countermeasures. Scenarios can include:

  • Internal Endpoint Pivoting: Understand lateral movement, information disclosure and elevation of privilege attacks for cloud and enterprise networks
  • Malicious Insider Attacks: Simulate a malicious insider with privileged access (e.g. developer or network engineer), to identify weaknesses that enable a breach of important assets

When? Periodically (e.g. quarterly or bi-annually) to incrementally measure and improve defences; Ad-hoc testing to verify recent changes or new controls; As an add-on to specific security auditing services



How We Work.

We follow the below process to deliver projects that are of a consistently high quality end to end


1. Initial Chat


An informal chat to learn about the project requirements, goals, and timing

We like to ensure we're the right fit for a project before going further

2. Scoping


We hold a meeting to understand project specifics in more detail to create a draft proposal

Each proposal is tailored to the unique requirements of every project we do

3. Preparation


We ensure all materials and communications channels are set up in advance so we can hit the ground running

We loop in all key stakeholders and host a kick-off call to ensure everyone is across project specifics

4. Delivery


We follow our internal methodologies for each activity of the project with regular updates throughout

Project activities are prioritised to meet objectives allowing us to focus on what's important

5. Handover


We hold a close-down meeting to present draft deliverables for initial review

We step through detailed findings, discuss the root-cause of issues, and summarise recommendations

6. Closedown


We ensure final deliverables meet all requirements and expectations

As part of our project data safeguarding processes, we securely archive the project on completion


About Us.

Founded in 2015, elttam was created with the mission to provide independent high-quality technical security services. Today, our team works closely with dozens of customers across numerous sectors and geographic regions that trust us to help protect their most important assets


Mission

As technology continues to evolve and intertwine in our lives, we want to be on the forefront to help manage the security and privacy threats for key technologies we all use and depend on

Our team use their time with us delivering customer projects to a high quality, performing R&D on popular & emerging technologies, and helping behind the scenes to refine our craft

This creates genuine relationships via quality independent services, then we let word of mouth be our organic marketing

Origin

Daniel Hodson and Matt Jones are the Directors and Co-Founders of elttam. They oversee all projects and are Principal Consultants in the team

They've both been active in the industry since the early 2000s, working in specialised teams for leading organisations, and have years of experience freelancing on high-end technical projects

They decided to combine forces to create something that could be shared with others and that they're proud to be part of

And Who

Follow us for news and research updates


@elttam

Research & Development.

We perform research and development to stay on top of industry trends, find new attack vectors for technologies we assess in the field, and help contribute back to the community



Research Blog

Published blog posts from the team on security research

Publications

Conference papers, slides, and public advisories

libctf.so

A library of capture-the-flag levels we've shared for others to play


Media Coverage

Enquiries & Locations

Contact Us.

Service Enquiries

Office Hours
Enquiries



Office Locations

Collingwood
Melbourne QV
Sydney Central