We find the access-control flaws that scanners miss, and prove every one.
ROMAD Cyber Systems specializes in API authorization testing for multi-tenant SaaS: BOLA/IDOR, broken object- and property-level authorization, and tenant-isolation failures. We do not infer bugs and flood you with noise. We confirm each finding by logging in as two real, separate accounts and showing the exact request that lets one tenant reach another's data. If we cannot reproduce it with two accounts, it does not go in the report.
Productized security assessments
Fixed scope, fixed price, and a report your auditor and your enterprise buyers will accept. Pick the depth that fits where you are.
API & Access-Control Audit
The foot-in-the-door engagement. We map your client-to-API contract, then test the authorization layer for BOLA/IDOR, BOPLA/mass-assignment, and tenant-isolation gaps. Report with CVSS, a one-request reproduction, and a concrete fix for each issue.
API / Web Penetration Test
Full coverage: authentication matrix, JWT handling, two-account BOLA, CORS/CSRF, and business-logic abuse. Prioritized report, positive controls noted, and a free retest after remediation.
Attack-Surface Review
External surface, exposed source-map and JavaScript leaks, infrastructure hygiene, and the internal API surface a published source map quietly reveals. A clear map of what an attacker sees first.
vCISO / Security Advisory
A monthly retainer for teams without a full-time security lead: assessment triage, remediation guidance, and supervised disclosure handling, in board-level language.
Coordinated Disclosure Support
Triage and reproduce inbound vulnerability reports, score them honestly, and turn them into a clear remediation plan. We separate the real issues from the scanner noise.
Remediation Retest
Independent verification that a fix actually closes the issue, with a signed retest letter for your SOC 2 / ISO 27001 evidence and your enterprise security questionnaires.
AI for breadth. Two real accounts for proof.
Most tools, and most "AI pentest" services, infer access-control bugs and drown you in false positives. Independent research measures LLM-only IDOR detection at under 25% precision. We use AI to get broad coverage fast, then we prove every single finding by hand with two separate accounts. You get signal, not a noise dump.
We work strictly within written authorization and scope, never touch production data, and report under your Safe Harbor or rules of engagement. Each finding ships with the exact one-request reproduction your own team can run.
- No false positives. Reproduced with two accounts or it is not reported.
- Honest severity. CVSS validated component by component against the evidence.
- Positive controls too. We document what is secure, so the report is auditor-ready.
- Minimal-impact proof. We confirm reachability without touching anyone else's data.
- Authorization first. Signed scope, Safe Harbor, no surprises.
- Free retest. After you ship the fixes, we verify them.
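The two-account proof described above, as an added illustration that is not ROMAD's own tooling or code: a constructed in-memory stand-in for a tenant-scoped document API with one handler that has a BOLA/IDOR defect (object looked up by id alone) and one that scopes every lookup to the caller's tenant, plus the check that runs the same request as the owning account and as an unrelated account and only records a finding when the cross-tenant read actually succeeds. The tenants, users, document ids and the `/documents/{id}` route are all assumptions for the example.

```python
"""Two-account authorization check for a multi-tenant API (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """An authenticated caller: who they are and which tenant they belong to."""
    user: str
    tenant: str


# Constructed sample data: two tenants, one document each (hypothetical ids).
DOCUMENTS = {
    "doc-1001": {"tenant": "acme", "title": "Acme Q3 forecast"},
    "doc-1002": {"tenant": "globex", "title": "Globex payroll export"},
}


def get_document_vulnerable(session, doc_id):
    """Handler with a BOLA defect: any authenticated caller can read any object by id."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return 404, None
    return 200, doc


def get_document_fixed(session, doc_id):
    """Hardened handler: the lookup is scoped to the caller's tenant.

    Another tenant's document gets the same 404 as a nonexistent id, so the
    response does not confirm that the object exists.
    """
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["tenant"] != session.tenant:
        return 404, None
    return 200, doc


def two_account_check(handler, owner, other, doc_id):
    """Issue the same request as two separate accounts and record both outcomes.

    owner: session of the tenant that owns doc_id (positive control).
    other: session of a second, unrelated tenant (the cross-tenant probe).
    Returns both outcomes plus a one-line reproduction of the probe request.
    """
    owner_status, _ = handler(owner, doc_id)
    other_status, other_body = handler(other, doc_id)
    return {
        "owner_readable": owner_status == 200,
        "cross_tenant_readable": other_status == 200 and other_body is not None,
        "repro": f"GET /documents/{doc_id} as {other.user} ({other.tenant}) -> HTTP {other_status}",
    }


def classify(result):
    """Turn a check result into a finding label.

    If the owner cannot read its own object the test itself is broken, so no
    conclusion about isolation is drawn from the probe.
    """
    if not result["owner_readable"]:
        return "inconclusive"
    return "BOLA confirmed" if result["cross_tenant_readable"] else "isolated"


def confirmed_findings(handler, sessions):
    """Probe every document from every account that does not own it.

    Only reproductions that actually succeeded are returned; nothing is
    inferred from status codes alone, matching the two-accounts-or-nothing rule.
    """
    findings = []
    for doc_id, doc in DOCUMENTS.items():
        owner = next(s for s in sessions if s.tenant == doc["tenant"])
        for other in sessions:
            if other.tenant == doc["tenant"]:
                continue
            result = two_account_check(handler, owner, other, doc_id)
            if classify(result) == "BOLA confirmed":
                findings.append(result["repro"])
    return findings


if __name__ == "__main__":
    alice = Session(user="alice", tenant="acme")
    bob = Session(user="bob", tenant="globex")
    for name, handler in (("vulnerable", get_document_vulnerable), ("fixed", get_document_fixed)):
        print(f"{name}: {confirmed_findings(handler, [alice, bob]) or 'no cross-tenant reads'}")
```

The positive control matters as much as the probe: a handler that returns 404 for everyone would look "isolated" on the probe alone, so the check refuses to label a result until the owning account can read its own object.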
Built by people the industry already vetted
ROMAD Cyber Systems grew out of an endpoint-protection (EDR) company recognized by working CISOs and industry analysts.
Yevgen Melnyk - Founder & CEO
Security engineer and product leader
Yevgen co-founded and led ROMAD Cyber Systems, an endpoint-protection company that won Security Current's CISO-judged "Security Shark Tank" at RSA Conference 2017 and 2016 and was named a MarketsandMarkets EDR "Key Innovator." He has since focused on hands-on security research and advisory work: coordinated vulnerability disclosure on HackerOne and contracted access-control assessments for multi-tenant SaaS, under written authorization.
Tell us your stack and we will scope it this week
Tell us what your product is built on and what "tenant isolation" should mean for it, and we will scope a fixed-price audit of your API's authorization layer, with a free retest after your fixes. Capability-first, no scan-and-shame.
We work only within written authorization and published scope. We do not test third parties without permission and we do not exfiltrate real user data.