Every founder we talked to had the same problem: security firms built for enterprises, pitching startups like enterprises.
ReguSec Group started because we kept seeing the same pattern: startups getting sold enterprise-scoped engagements that produced reports no one read. Security firms quoting twelve-week timelines for what should take two. Pentest deliverables written for auditors, not engineers.
We're a small team by design. Every engagement is led by a senior practitioner, not handed off to a junior consultant after the scoping call. We've built products, broken into systems, and responded to real incidents. That experience shapes how we scope, how we test, and how we write.
We don't sell you services you don't need. We don't inflate findings to justify our fee. And we don't disappear after the report lands, because remediation is where the actual security improvement happens.
Every vulnerability comes with reproduction steps, impact context, and a fix suggestion specific to your stack. Not a generic CWE link.
We rate findings on actual exploitability in your environment, not on the theoretical worst case. A medium that's trivially exploitable beats a critical that isn't.
We stay available through fix-and-retest. The engagement isn't done when the PDF lands: it's done when the finding is resolved.
No bait-and-switch. The person who scopes the engagement is the person who executes it. Every engagement is led by a certified senior practitioner.
Senior practitioners only. No juniors running your engagement while the person you met leads the next sales call.
Co-Founder & Principal Consultant
OSCP, OSCE, CISSP. NYU. Michael spent his career in offensive security, most recently as a Principal Security Engineer on Apple's Product Security team, where he assessed cloud services infrastructure at scale. He co-founded ReguSec in 2019 to bring that caliber of testing to startups that couldn't access it.
Co-Founder & Defensive Security Lead
CompTIA Security+. NYU. Carl spent a decade on the defensive side, most recently as a Software Engineering Technologist at Western Digital, where he owned security for cloud-connected consumer storage products serving millions of users. At ReguSec, he architects detection and response programs and leads blue team engagements.
Security Engineer
B.S. Computer Science, UT Austin. Adam is a traditional pentester focused on web applications and APIs. He works primarily with Burp Suite and the OWASP testing framework to identify injection flaws, authentication bypasses, and business logic vulnerabilities that automated scanners miss.
Security Engineer
B.S. Computer Science, Carnegie Mellon. Ron came from two major blockchain security auditing firms, including a leading Ethereum infrastructure company, where he audited smart contracts and decentralized protocols. At ReguSec, he focuses on cryptographic protocol analysis and forensic investigation of decentralized systems.
Certifications establish baseline competence. What differentiates us is what we've done with it: real breaches contained, real vulnerabilities found in production systems, real security programs built from zero.
Research and writing from our team on the vulnerabilities, attack patterns, and defensive strategies we encounter in our work.
How harmful skills can weaponize enterprise automation, and what security teams should do about it.
Threat Landscape: What every business leader needs to know about the industrialized threat landscape in 2026.
Research: Inside the skill-reading exploit and why current safety guardrails aren't enough.
SOC 2 compliance wins enterprise deals. A clean pentest report builds customer trust. Security done right opens doors. We help you open them.
Start a Conversation