Trusted Services For What Matters

elttam is an independent security company providing research-driven security assessment services - we combine pragmatism and deep technical insight to help our customers secure their most important assets.

Insightful Security Auditing.

We work with product teams and security engineers to perform technical security assessments across a variety of software and hardware following a white-box or black-box approach.


White-box Security Assessment


What? A code-assisted approach to audit the security of software and Infrastructure as Code. We identify vulnerabilities in design and implementation and provide tailored remediation guidance.

How? First we build an understanding of the architecture, threat model, and objectives of a target; we then carefully combine entry-point analysis, static analysis, runtime testing, and dynamic analysis methods to find vulnerabilities.

When? Baseline assessment for new products; Products or features requiring high security assurance; Security evaluations during Mergers and Acquisitions; and in-depth technical assessments.

Black-box Product Assessment


What? A "zero-access" approach to audit the security of software or hardware. We identify implementation vulnerabilities in high risk attack surface and security controls and provide remediation guidance.

How? After understanding the threat model and priorities, we combine reverse engineering, network protocol analysis, fuzzing, runtime testing, instrumentation, and hardware testing methods to find vulnerabilities.

When? Validation of product or feature security claims; Independent third party product assessments; Embedded device assessments; and Technology supply-chain assessments.

Software Products

We have extensive experience reviewing a variety of software products. Some examples of projects we've worked on include:


Web

Auditing and testing of web applications built in modern frameworks & languages, enterprise web application architectures, authentication protocols and services, APIs, micro-services, and bespoke gateways.

Mobile

Auditing and testing of iOS and Android applications including security-critical features such as biometrics, NFC, Bluetooth interfaces, bespoke client-side crypto, and low-level libraries and SDKs.

Native

Auditing and testing of client/server applications, libraries, OS kernels and drivers, hypervisors, firmware, and other proprietary or open-source software.

Security Software

Auditing and testing of antivirus and next-gen endpoint protection, identity & access management platforms, network security software appliances, and sandboxing technologies.

Cloud Services

We have extensive experience reviewing a variety of cloud services. Some examples of projects we've worked on include:


Infrastructure as Code

Auditing and testing of infrastructure as code (IaC) for cloud platforms including Amazon Web Services, Microsoft Azure, and Google Cloud.

Data Warehouses and Analytics

Auditing and testing of data warehouse and analytics systems, including highly scalable data processing systems that do machine learning on sensitive data.

CI/CD Pipelines

Auditing and testing of Continuous Integration and Continuous Delivery (CI/CD) pipelines for platforms like GitHub, GitLab, Azure DevOps, Bamboo and Jenkins.

Serverless Applications

Auditing and testing of serverless cloud applications including the various cloud serverless runtimes, platform functions and serverless databases.

Embedded Devices

We have extensive experience reviewing a variety of embedded devices. Some examples of projects we've worked on include:


Internet of Things (IoT)

Auditing and testing of IoT devices, including smart network routers, smart-home devices, VoIP systems and CAN Bus integrated IoT devices.

Firmware

Auditing and testing of device firmware running on consumer hardware such as wireless keyboards/mice, network printers and IP cameras.

Financial Devices

Auditing and testing of Point Of Sale (POS) terminals, digital wallets which support cryptocurrency and bank-used electronic vaults.

Security Hardware

In-depth research on secure bootloaders, reverse engineering and auditing portable VPN devices, and physical alarm systems.



Realistic Adversarial Simulations.

Working with network engineers and security operations teams, we evaluate remote compromise threats and run assumed breach scenarios from specific points in a network.


Remote Compromise


What? A scenario-driven testing approach to simulate remote attackers aiming to breach perimeter defenses via remote infrastructure weaknesses or via targeted attacks against user end-point systems.

How? We learn the current threat model, agree on scenarios to simulate with time-limits and terms, then play each out, documenting observations, findings, and countermeasures. Scenarios can include:

  • Network Perimeter Attacks: Perform OSINT and map internet attack surface then attempt to gain access to sensitive system data or establish a network foothold.
  • Phishing Simulations: Measure specific security controls and awareness training for users and high-value targets (spear-phishing campaigns) that could result in compromised credentials and malware.

When? Periodically (e.g. quarterly, bi-annually) to incrementally measure and improve defences; Ad-hoc to verify major infrastructure changes; Annually to get the most out of penetration testing obligations.

Assumed Breach


What? A scenario-driven testing approach that assumes breach of specific network assets aiming to identify weaknesses and gaps in security controls in place to protect business critical assets.

How? We understand the high-level threat model, agree on scenarios, time limits, and terms; then play out each scenario, documenting the approaches, techniques, findings, and countermeasures. Scenarios can include:

  • Internal Endpoint Pivoting: Understand lateral movement, information disclosure and elevation of privilege attacks for cloud and enterprise networks.
  • Malicious Insider Attacks: Simulate a malicious insider with privileged access (e.g. developer or network engineer), to identify weaknesses that enable a breach of important assets.

When? Periodically (e.g. quarterly or bi-annually) to incrementally measure and improve defences; Ad-hoc testing to verify recent changes or new controls; As an add-on to specific security auditing services.



How We Work.

We follow the below process to deliver projects that are of a consistently high quality end to end.


1. Initial Chat


An informal chat to learn about the project requirements, goals, and timing.

We like to ensure we're the right fit for a project before going further.

2. Scoping


We hold a meeting to understand project specifics in more detail to create a draft proposal.

Each proposal is tailored to the unique requirements of every project we do.

3. Preparation


We ensure all materials and communications channels are setup in advance so we can hit the ground running.

We loop in all key stakeholders and host a kick-off call to ensure everyone is across project specifics.

4. Delivery


We follow our internal methodologies for each activity of the project with regular updates throughout.

Project activities are prioritised to meet objectives allowing us to focus on what's important.

5. Handover


We hold a close-down meeting to present draft deliverables for initial review.

We step through detailed findings, discuss the root-cause of issues, and summarise recommendations.

6. Closedown


We ensure final deliverables meet all requirements and expectations.

As part of our project data safeguarding processes, we securely archive the project on completion.


About Us.

Founded in 2015, elttam was created with the mission to provide independent high-quality technical security services. Today, our team works closely with dozens of customers across numerous sectors and geographic regions that trust us to help protect their most important assets.


Mission

As technology continues to evolve and intertwine in our lives, we want to be on the forefront to help manage the security and privacy threats for key technologies we all use and depend on.

Our team spend their time delivering customer projects at a high-quality, performing R&D on popular & emerging technologies and helping behind the scenes to refine our craft.

Through quality independent services we form genuine relationships with our customers and, as a result, have built a strong client base via word of mouth.

Origin

Daniel Hodson and Matt Jones are the Directors and Co-Founders of elttam. They oversee all projects and are Principal Consultants in the team.

They've both been active in the industry since the early 2000s, working in specialised teams for leading organisations, and years of experience freelancing on high-end technical projects.

They decided to combine forces to create something which could be shared with others and they're proud to be part of.

Follow us for news and research updates


@elttam

Research & Development.

We perform research and development to stay on top of industry trends, find new attack vectors for technologies we assess in the field, and help contribute back to the community



cover-img
Research Blog

Published blog posts from the team on security research.

Read More
cover-img
Publications

Conference papers, slides, and public advisories.

Read More
cover-img
libctf.so

A library of capture-the-flag levels we've shared for others to play.

Read More


Media Coverage

Our Careers.

If you're interested in auditing source code to find security bugs, hacking on a variety of different technologies, and working closely with well-known organisations around the world to help make them more secure, we’d love to hear from you!


Why Work With Us?

We work with companies who share our values and have a strong desire to improve their security. You will have a lot of independence and be a part of a flexible work environment with exposure to a diverse range of technologies in a variety of industries. elttam places a focus on the self-development and well-being of our staff and fosters a supportive workplace where you can learn and grow.

Perks & Benefits

  • Dedicated research time
  • Professional development budget
  • Performance based bonuses
  • Flexible work locations including work from home
  • Flexible work hours
  • Travel opportunities
  • Health and wellness programme
  • Annual off-site team get together

Security Consultant - Remote

We’re looking for an entry level or early career security consultant to join our team. This person will have the opportunity to work alongside our team and hone their skills while gaining valuable exposure to an array of customer tech stacks.

Senior Security Consultant - Remote

We’re looking for a senior level security consultant to join our team. This person will have a solid background in consulting and compliment our team by bringing their unique knowledge and perspective of security to help us continue to improve and refine our craft.

Application Process

  1. To express interest, please complete any libctf.so challenge(s) of your choice and e-mail a write-up of your solution along with your CV and role you're applying for to hello@elttam.com
  2. We will organise a chat between you and our Operations Manager and a Security Consultant so we can learn more about you and you can learn more about us
  3. If you seem like a suitable fit, you will have an interview with the company Directors

Contact Us.

Service Enquiries

Office Hours
Enquiries



Office Locations

Collingwood
Melbourne QV
Sydney Central