koscak.ai · cyber

Every dam has cracks.
Find yours first.

Shadow-mode pentesting, AI red-teaming, and infrastructure drift-checks for teams building on the edge of what's possible.

New koscak cyber.

Four lenses. One report. Zero writes to production.

audit-dive

23 min median

From scan start to first verified critical finding. Hand-triaged, chained into attack paths, CVSS-scored, remediated.

ghost-hunt

6 classes of AI risk

Prompt injection, RAG poisoning, tool-use abuse, model exfil, supply-chain, perimeter erosion — tested against your stack.

ironsight

Every edge mapped

Precision pass on cloud config, IAM, secrets, network topology. No guessing — every privilege edge proven or disproven.

audit-dive

Outlandish precision.

Deep audit of a specific surface — web, API, cloud, model. Not a CVE list. A remediation roadmap.

23m cold-start to first critical
koscak · audit-dive · example.com
~koscak audit-dive --ghostride example.com
# shadow-mode · read-only · no writes
DNS + WHOIS + CT-logs resolved
7 subdomains found · 2 externally reachable
stack: Apache · Node/Express · PostgreSQL
# ironsight · privilege-edge mapping…
missing HSTS on login endpoint
3 cookies without HttpOnly/Secure
CRITICAL unauth admin at /admin/api
CRITICAL spoofable sender on mail relay
# drift-check scheduled · 7d
~report ready · 23.4s elapsed

chained

IDOR → SSRF → RCE

We don't stop at the first flag. Every finding is walked to its blast radius.

mapped

CVSS 3.1 + CWE + OWASP

Auditor-ready tagging on every finding, not a generic severity estimate.

forensic

SHA-256 evidence trail

Every probe response hashed and archived. Reproducible, non-repudiable.

ghost-hunt

The surface nobody is testing.

Every LLM you deploy, every agent you ship, every RAG you wire up is a new class of risk. The people writing exploits are already automating against yours.

01

Prompt injection

Attacker-crafted text hidden in documents, emails, or tool outputs hijacks your AI into running their instructions.

02

RAG poisoning

Seeding your knowledge base with adversarial content that changes what your assistant answers. Invisible in logs.

03

Supply-chain compromise

Malicious packages, poisoned weights, typosquatted deps. One bad import and you ship an attacker's backdoor.

04

Model extraction

Systematic querying that reconstructs your fine-tuned model's behaviour for the cost of an API budget.

05

Tool-use abuse

Your AI agent has filesystem, shell, and network access. One crafted instruction and it runs attacker commands.

06

Perimeter erosion

Dev envs exposed publicly. Webhooks from third parties. OAuth scopes past memory. Classic holes, modern scale.

ironsight

Precision posture.

Every privilege edge mapped. Nothing guessed.

01

Cloud IAM edge-map.

Every role, every trust relationship, every permission boundary enumerated. We find the paths your compliance scan misses because it stops at the policy document.

02

Network segmentation audit.

Actual reachability tested from every segment, not just "the VLAN diagram says so." We ping every edge your engineers trust.

03

Secrets-in-source scan.

Full-history scan across every repo you own — not just current HEAD. The leaked key from 2022 is still valid until you rotate it.

04

Supply-chain pipeline.

Build steps, artifact provenance, dep-confusion surface. One bad import is the quiet win attackers are looking for.

hymn

The report.
Built to be read.

Executive summary for the board. CVSS-scored findings for security leads. Copy-pasteable remediation for the engineers who'll fix it. English always + any second language you request.

report_language

EN + ?

EN always included. Pick your second language. SK · CZ · DE · FR ship same-day. ES · PL · HU · UA · RO add 3 business days for linguistic review. Others on request.

12

findings / avg engagement

100%

CVSS + CWE + OWASP tagged

0

writes to your systems

90 days

evidence retention

compare

Us. A scanner.
Your in-house SOC.

Numbers, not narrative. One engagement, three lenses.

koscak · audit-dive

23m

to first verified critical

Human-in-the-loop triage. Every flag hand-verified, chained into attack paths with CVSS and fix.

Automated scanner

14k

raw CVE matches

Qualys / Nessus / Burp Scanner. Fast, broad, noisy — and you still need to triage every finding yourself.

In-house SOC

0

external-perimeter tests / yr

Your team is busy running the business. An outside eye catches what familiarity hides.

team

Built by people who ship.

Small Slovak-based team. We reverse our own hardware, find 0-days in enterprise kit, train our own models, and write the tooling we use on every engagement.

JK

Dr. Juraj Koščák

Lead scientist · PhD

PhD in stochastic sparse learning. 10+ papers from the '80s–'90s laying the algorithmic foundations KSS-LoRA draws on today. 30 years of industrial security across enterprise Slovak deployments. Reviews every engagement's threat model before testing begins.

FK

Filip Koščák

Research architect

Rust-native security tooling. Multi-pod GPU-mesh for red-team automation. Reverse-engineered his own ASUS laptop firmware to find a vendor 0-day that had been shipping in signed builds for 11+ months. Primary maintainer of the tengu-lexicon framework.

LI

Laura Ilčin

Brand · delivery

Human side of a technical engagement. Scope, rules of engagement, deliverables, 30/60/90-day drift-check cadence. Bilingual clarity pass on every hymn before it ships. The reason our clients call us back.

ghostride

See your cracks in 90 seconds.

Drop your URL. Non-destructive read-only ghostride. Lighthouse-style report of what's externally visible. No credit card, no trial limit.

Non-destructive only. Read-only probes, no writes, no auth attempts. You get a shareable report + email summary.