We work with product teams and security engineers to perform technical security assessments across a variety of software and hardware following a white-box or black-box approach.
What? A code-assisted approach to audit the security of software and Infrastructure as Code. We identify vulnerabilities in design and implementation and provide tailored remediation guidance.
How? First we build an understanding of the architecture, threat model, and objectives of a target; we then carefully combine entry-point analysis, static analysis, runtime testing, and dynamic analysis methods to find vulnerabilities.
When? Baseline assessment for new products; Products or features requiring high security assurance; Security evaluations during Mergers and Acquisitions; and in-depth technical assessments.
What? A "zero-access" approach to audit the security of software or hardware. We identify implementation vulnerabilities in high risk attack surface and security controls and provide remediation guidance.
How? After understanding the threat model and priorities, we combine reverse engineering, network protocol analysis, fuzzing, runtime testing, instrumentation, and hardware testing methods to find vulnerabilities.
When? Validation of product or feature security claims; Independent third party product assessments; Embedded device assessments; and Technology supply-chain assessments.
We have extensive experience reviewing a variety of software products. Some examples of projects we've worked on include:
Auditing and testing of web applications built in modern frameworks & languages, enterprise web application architectures, authentication protocols and services, APIs, micro-services, and bespoke gateways.
Auditing and testing of iOS and Android applications including security-critical features such as biometrics, NFC, Bluetooth interfaces, bespoke client-side crypto, and low-level libraries and SDKs.
Auditing and testing of client/server applications, libraries, OS kernels and drivers, hypervisors, firmware, and other proprietary or open-source software.
Auditing and testing of antivirus and next-gen endpoint protection, identity & access management platforms, network security software appliances, and sandboxing technologies.
We have extensive experience reviewing a variety of cloud services. Some examples of projects we've worked on include:
Auditing and testing of infrastructure as code (IaC) for cloud platforms including Amazon Web Services, Microsoft Azure, and Google Cloud.
Auditing and testing of data warehouse and analytics systems, including highly scalable data processing systems that do machine learning on sensitive data.
Auditing and testing of Continuous Integration and Continuous Delivery (CI/CD) pipelines for platforms like GitHub, GitLab, Azure DevOps, Bamboo and Jenkins.
Auditing and testing of serverless cloud applications including the various cloud serverless runtimes, platform functions and serverless databases.
We have extensive experience reviewing a variety of embedded devices. Some examples of projects we've worked on include:
Auditing and testing of IoT devices, including smart network routers, smart-home devices, VoIP systems and CAN Bus integrated IoT devices.
Auditing and testing of device firmware running on consumer hardware such as wireless keyboards/mice, network printers and IP cameras.
Auditing and testing of Point Of Sale (POS) terminals, digital wallets which support cryptocurrency and bank-used electronic vaults.
In-depth research on secure bootloaders, reverse engineering and auditing portable VPN devices, and physical alarm systems.
Working with network engineers and security operations teams, we evaluate remote compromise threats and run assumed breach scenarios from specific points in a network.
What? A scenario-driven testing approach to simulate remote attackers aiming to breach perimeter defenses via remote infrastructure weaknesses or via targeted attacks against user end-point systems.
How? We learn the current threat model, agree on scenarios to simulate with time-limits and terms, then play each out, documenting observations, findings, and countermeasures. Scenarios can include:
When? Periodically (e.g. quarterly, bi-annually) to incrementally measure and improve defences; Ad-hoc to verify major infrastructure changes; Annually to get the most out of penetration testing obligations.
What? A scenario-driven testing approach that assumes breach of specific network assets aiming to identify weaknesses and gaps in security controls in place to protect business critical assets.
How? We understand the high-level threat model, agree on scenarios, time limits, and terms; then play out each scenario, documenting the approaches, techniques, findings, and countermeasures. Scenarios can include:
When? Periodically (e.g. quarterly or bi-annually) to incrementally measure and improve defences; Ad-hoc testing to verify recent changes or new controls; As an add-on to specific security auditing services.
We follow the below process to deliver projects that are of a consistently high quality end to end.
An informal chat to learn about the project requirements, goals, and timing.
We like to ensure we're the right fit for a project before going further.
We hold a meeting to understand project specifics in more detail to create a draft proposal.
Each proposal is tailored to the unique requirements of every project we do.
We ensure all materials and communications channels are setup in advance so we can hit the ground running.
We loop in all key stakeholders and host a kick-off call to ensure everyone is across project specifics.
We follow our internal methodologies for each activity of the project with regular updates throughout.
Project activities are prioritised to meet objectives allowing us to focus on what's important.
We hold a close-down meeting to present draft deliverables for initial review.
We step through detailed findings, discuss the root-cause of issues, and summarise recommendations.
We ensure final deliverables meet all requirements and expectations.
As part of our project data safeguarding processes, we securely archive the project on completion.
elttam are very professional and efficient in their approach to work.
They work hard to understand their customers requirements and always
They are also highly skilled and experts in their field.
elttam were excellent at communicating with both technical and non-technical members of our team before, during and after the engagement. Their presence was felt as an extension of the team rather than external auditors, which made for a great working relationship.
Depth of knowledge, professionalism and dedication to getting a great outcome on this test. Also, the reporting quality and post testing artefacts (scripts/configurations used) were all excellent and handed over/explained very well to the team.
Founded in 2015, elttam was created with the mission to provide independent high-quality technical security services. Today, our team works closely with dozens of customers across numerous sectors and geographic regions that trust us to help protect their most important assets.
As technology continues to evolve and intertwine in our lives, we want to be on the forefront to help manage the security and privacy threats for key technologies we all use and depend on.
Our team spend their time delivering customer projects at a high-quality, performing R&D on popular & emerging technologies and helping behind the scenes to refine our craft.
Through quality independent services we form genuine relationships with our customers and, as a result, have built a strong client base via word of mouth.
Daniel Hodson and Matt Jones are the Directors and Co-Founders of elttam. They oversee all projects and are Principal Consultants in the team.
They've both been active in the industry since the early 2000s, working in specialised teams for leading organisations, and years of experience freelancing on high-end technical projects.
They decided to combine forces to create something which could be shared with others and they're proud to be part of.
We perform research and development to stay on top of industry trends, find new attack vectors for technologies we assess in the field, and help contribute back to the community
If you're interested in auditing source code to find security bugs, hacking on a variety of different technologies, and working closely with well-known organisations around the world to help make them more secure, we’d love to hear from you!
We work with companies who share our values and have a strong desire to improve their security. You will have a lot of independence and be a part of a flexible work environment with exposure to a diverse range of technologies in a variety of industries. elttam places a focus on the self-development and well-being of our staff and fosters a supportive workplace where you can learn and grow.
We’re looking for an entry level or early career security consultant to join our team. This person will have the opportunity to work alongside our team and hone their skills while gaining valuable exposure to an array of customer tech stacks.
We’re looking for a senior level security consultant to join our team. This person will have a solid background in consulting and compliment our team by bringing their unique knowledge and perspective of security to help us continue to improve and refine our craft.