Trusted Services For What Matters

elttam is an independent security company providing research-driven security assessment services - we combine pragmatism and deep technical insight to help our customers secure their most important assets

Insightful Security Auditing.

We work with product teams and security engineers to perform technical security assessments across a variety of software and hardware following a white-box or black-box approach


White-box Security Assessment


What? A code-assisted approach to audit the security of software and Infrastructure as Code. We identify vulnerabilities in design and implementation and provide tailored remediation guidance

How? First we build an understanding of the architecture, threat model, and objectives of a target; we then carefully combine entry-point analysis, static analysis, runtime testing, and dynamic analysis methods to find vulnerabilities

When? Baseline assessment for new products; Products or features requiring high security assurance; Security evaluations during Mergers and Acquisitions; and in-depth technical assessments

Black-box Product Assessment


What? A "zero-access" approach to audit the security of software or hardware. We identify implementation vulnerabilities in high risk attack surface and security controls and provide remediation guidance

How? After understanding the threat model and priorities, we combine reverse engineering, network protocol analysis, fuzzing, runtime testing, instrumentation, and hardware testing methods to find vulnerabilities

When? Validation of product or feature security claims; Independent third party product assessments; Embedded device assessments; and Technology supply-chain assessments

Software Products

We have extensive experience reviewing a variety of software products. Some examples of projects we've worked on include:


Web

Auditing and testing of web applications built in modern frameworks & languages, enterprise web application architectures, authentication protocols and services, APIs, micro-services, and bespoke gateways

Mobile

Auditing and testing of iOS and Android applications including security-critical features such as biometrics, NFC, Bluetooth interfaces, bespoke client-side crypto, and low-level libraries and SDKs

Native

Auditing and testing of client/server applications, libraries, OS kernels and drivers, hypervisors, firmware, and other proprietary or open-source software

Security Software

Auditing and testing of antivirus and next-gen endpoint protection, identity & access management platforms, network security software appliances, and sandboxing technologies

Cloud Services

We have extensive experience reviewing a variety of cloud services. Some examples of projects we've worked on include:


Infrastructure as Code

Auditing and testing of infrastructure as code (IaC) for cloud platforms including Amazon Web Services, Microsoft Azure, and Google Cloud

Data Warehouses and Analytics

Auditing and testing of data warehouse and analytics systems, including highly scalable data processing systems that do machine learning on sensitive data

CI/CD Pipelines

Auditing and testing of Continuous Integration and Continuous Delivery (CI/CD) pipelines for platforms like GitHub, GitLab, Azure DevOps, Bamboo and Jenkins

Serverless Applications

Auditing and testing of serverless cloud applications including the various cloud serverless runtimes, platform functions and serverless databases

Embedded Devices

We have extensive experience reviewing a variety of embedded devices. Some examples of projects we've worked on include:


Internet of Things (IoT)

Auditing and testing of IoT devices, including smart network routers, smart-home devices, VoIP systems and CAN Bus integrated IoT devices

Firmware

Auditing and testing of device firmware running on consumer hardware such as wireless keyboards/mice, network printers and IP cameras

Financial Devices

Auditing and testing of Point Of Sale (POS) terminals, digital wallets which support cryptocurrency and bank-used electronic vaults

Security Hardware

In-depth research on secure bootloaders, reverse engineering and auditing portable VPN devices, and physical alarm systems


How We Work › Contact Us »

Realistic Adversarial Simulations.

Working with network engineers and security operations teams, we evaluate remote compromise threats and run assumed breach scenarios from specific points in a network


Remote Compromise


What? A scenario-driven testing approach to simulate remote attackers aiming to breach perimeter defenses via remote infrastructure weaknesses or via targeted attacks against user end-point systems

How? We learn the current threat model, agree on scenarios to simulate with time-limits and terms, then play each out, documenting observations, findings, and countermeasures. Scenarios can include:

  • Network Perimeter Attacks: Perform OSINT and map internet attack surface then attempt to gain access to sensitive system data or establish a network foothold
  • Phishing Simulations: Measure specific security controls and awareness training for users and high-value targets (spear-phishing campaigns) that could result in compromised credentials and malware

When? Periodically (e.g. quarterly, bi-annually) to incrementally measure and improve defences; Ad-hoc to verify major infrastructure changes; Annually to get the most out of penetration testing obligations

Assumed Breach


What? A scenario-driven testing approach that assumes breach of specific network assets aiming to identify weaknesses and gaps in security controls in place to protect business critical assets

How? We understand the high-level threat model, agree on scenarios, time limits, and terms; then play out each scenario, documenting the approaches, techniques, findings, and countermeasures. Scenarios can include:

  • Internal Endpoint Pivoting: Understand lateral movement, information disclosure and elevation of privilege attacks for cloud and enterprise networks
  • Malicious Insider Attacks: Simulate a malicious insider with privileged access (e.g. developer or network engineer), to identify weaknesses that enable a breach of important assets

When? Periodically (e.g. quarterly or bi-annually) to incrementally measure and improve defences; Ad-hoc testing to verify recent changes or new controls; As an add-on to specific security auditing services


How We Work › Contact Us »

How We Work.

We follow the below process to deliver projects that are of a consistently high quality end to end


1. Initial Chat


An informal chat to learn about the project requirements, goals, and timing

We like to ensure we're the right fit for a project before going further

2. Scoping


We hold a meeting to understand project specifics in more detail to create a draft proposal

Each proposal is tailored to the unique requirements of every project we do

3. Preparation


We ensure all materials and communications channels are setup in advance so we can hit the ground running

We loop in all key stakeholders and host a kick-off call to ensure everyone is across project specifics

4. Delivery


We follow our internal methodologies for each activity of the project with regular updates throughout

Project activities are prioritised to meet objectives allowing us to focus on what's important

5. Handover


We hold a close-down meeting to present draft deliverables for initial review

We step through detailed findings, discuss the root-cause of issues, and summarise recommendations

6. Closedown


We ensure final deliverables meet all requirements and expectations

As part of our project data safeguarding processes, we securely archive the project on completion


Services › Contact Us »

elttam are very professional and efficient in their approach to work. They work hard to understand their customers requirements and always deliver.
They are also highly skilled and experts in their field.

Senior Security Manager Federal Government

elttam were excellent at communicating with both technical and non-technical members of our team before, during and after the engagement. Their presence was felt as an extension of the team rather than external auditors, which made for a great working relationship.

Chief Information Security Officer Major SaaS Platform

Depth of knowledge, professionalism and dedication to getting a great outcome on this test. Also, the reporting quality and post testing artefacts (scripts/configurations used) were all excellent and handed over/explained very well to the team.

Technical Security Team Lead Financial Services

About Us.

Founded in 2015, elttam was created with the mission to provide independent high-quality technical security services. Today, our team works closely with dozens of customers across numerous sectors and geographic regions that trust us to help protect their most important assets


Mission

As technology continues to evolve and intertwine in our lives, we want to be on the forefront to help manage the security and privacy threats for key technologies we all use and depend on

Our team spend their time delivering customer projects at a high-quality, performing R&D on popular & emerging technologies and helping behind the scenes to refine our craft

Through quality independent services we form genuine relationships with our customers and, as a result, have built a strong client base via word of mouth

Origin

Daniel Hodson and Matt Jones are the Directors and Co-Founders of elttam. They oversee all projects and are Principal Consultants in the team

They've both been active in the industry since the early 2000s, working in specialised teams for leading organisations, and years of experience freelancing on high-end technical projects

They decided to combine forces to create something which could be shared with others and they're proud to be part of

And Who

Brendan

Finds bugs, breaches networks and strives to pop shells

Brisbane, Australia

Brendan Scarvell

Senior Consultant

Nina

Sydney, Australia

Nina Rodgers

Operations Manager

Seb

Dijon, France

Sebastien Macke

Senior Consultant

Mike

Audits code, hacks signals, writes code and leads gigs

Melbourne, Australia

Mykel Pritchard

Senior Consultant

Dan

Oversees gigs, audits low-level code, offensive R&D

Brisbane, Australia

Daniel Hodson

Director

Matt

Oversees gigs, audits code, provides advisory services, internal R&D

Melbourne, Australia

Matt Jones

Director

Luke

Finds intricate bugs and hacks a variety of software and devices

Queensland, Australia

Luke Jahnke

Principal Consultant

Faraz

Vulnerability research and offensive R&D projects

Perth, Australia

Syed Faraz Abrar

Researcher

Ben

Audits infrastructure, hacks networks and engineers solutions

Sydney, Australia

Ben Cambourne

Principal Consultant

Alice

Handles accounts and does fistbumps when credits = debits

Sydney, Australia

Alice Chung

Accounts

Follow us for news and research updates


@elttam

Research & Development.

We perform research and development to stay on top of industry trends, find new attack vectors for technologies we assess in the field, and help contribute back to the community



cover-img
Research Blog

Published blog posts from the team on security research

Read More
cover-img
Publications

Conference papers, slides, and public advisories

Read More
cover-img
libctf.so

A library of capture-the-flag levels we've shared for others to play

Read More

Media Coverage

Enquiries & Locations

Contact Us.

Service Enquiries

Office Hours

Mon - Fri : 8am - 6pm
Time zone : AEST (GMT+10)

Enquiries

Email : hello@elttam.com
PGP Key: A105DCB5.gpg




Office Locations

Collingwood

36-38 Gipps Street
Collingwood VIC 3066

Melbourne QV

3 Albert Coates Lane
Melbourne VIC 2000

Sydney Central

20-40 Meagher Street
Chippendale NSW 2008