Rabid Bloodhound

Find the weaknesses attackers would exploit—before they do.

Professional vulnerability assessments, penetration testing, and threat intelligence conducted under written authorization, defined scope, and clear Rules of Engagement.

Not a bug bounty. Not a scan you didn't authorize. A contractually authorized security engagement.

AUTHORIZEDCONFIDENTIALEVIDENCE-BASEDNEW JERSEY, USA
01

You don't know your attack surface

Shadow IT, forgotten cloud instances, expired certificates, and third-party integrations expand your risk profile daily. Most organizations discover exposures through incident response — not prevention.

02

Scanners alone aren't enough

Automated tools generate noise. False positives, missing business context, and no exploitation validation. Without manual verification, you don't know which findings are real threats.

03

Unauthorized testing creates legal risk

A well-intentioned scan without written authorization can trigger CFAA exposure, regardless of outcome. Professional assessments require documented consent, defined scope, and clear boundaries.

01

I need to identify vulnerabilities.

Start with a Vulnerability Assessment
02

I need to validate whether systems can be compromised.

Book a Penetration Test
03

I need continuous monitoring.

Explore Monitoring Retainers
04

I'm not sure — help me define the scope.

Free Scoping Call

Assess

Identify, validate, and prioritize vulnerabilities in your environment.

01

Vulnerability Assessment

From $1,500 per assessment

Authorized external and/or internal vulnerability scanning with manual validation. Includes credentialed and uncredentialed scans, configuration review, and prioritized findings. Delivered with executive and technical reports.

02

Penetration Testing

From $3,000 per engagement

Authorized, scoped penetration testing — internal, external, and web application. Manual exploitation testing beyond automated scanning. Clear Rules of Engagement with defined testing windows and emergency contacts.

03

Web Application Assessment

From $2,500 per application

Deep security review of web applications including authentication, session management, injection points, business logic flaws, and API security. OWASP Testing Guide aligned.

04

Cloud Security Assessment

From $2,000 per assessment

Review of cloud infrastructure configuration (AWS, Azure, GCP). Identity and access management, storage security, network segmentation, and compliance posture.

Monitor

Continuous visibility into your external attack surface, dark web exposure, and credential leaks.

01

External Attack Surface Monitoring

From $750 / month

Continuous discovery and classification of your external-facing assets. Identifies shadow IT, exposed services, misconfigured cloud resources, expired certificates, and third-party dependencies that expand your risk profile.

02

Dark Web Monitoring

From $500 / month

Continuous monitoring of criminal forums, paste sites, and dark web markets for mentions of your organization, domains, employees, and credentials. Monthly reports with actionable intelligence.

03

Credential Exposure Monitoring

From $400 / month

Ongoing monitoring for leaked or compromised credentials associated with your organization's domains and employees. Alerts on new exposures as they appear.

Coverage depends on lawful source availability and access. Monitoring does not guarantee visibility into every private forum, closed community or illicit marketplace.

Investigate

Intelligence-driven analysis of your digital footprint, brand exposure, and threat landscape.

01

Corporate OSINT

From $1,500 per assessment

Professional open-source intelligence gathering focused on your organization's digital footprint. Maps exposed credentials, leaked data, employee exposure, brand impersonation, and narrative risk across public sources.

02

Digital Exposure Assessment

From $2,000 per assessment

Comprehensive external posture review. Domain intelligence, certificate analysis, DNS enumeration, leaked data search, social media exposure, and third-party vendor risk.

03

Brand & Executive Threat Intelligence

From $2,500 per engagement

Targeted intelligence gathering on brand impersonation, executive exposure, deepfake risk, and narrative threats across open sources, social media, and dark web forums.

I want to know what's exposed externally

External Exposure Assessment

I want to find vulnerabilities

Vulnerability Assessment

I want to demonstrate whether they can be exploited

Penetration Testing

I want to review an application

Web Application Assessment

I want continuous security monitoring

Security Monitoring Retainer

I don't know what I need

Free Scoping Call
Executive Risk Brief

Overall risk posture. Business impact analysis. Top five priorities. 30/60/90-day remediation roadmap. Designed for leadership and board-level decision-making.

Technical Findings Report

Reproducible evidence with CVSS scores and business-impact weighting. Step-by-step reproduction steps. Prioritized remediation recommendations with references.

Remediation Tracker

Open findings. In-progress fixes. Ready for retest. Verified closed. Live status tracking so your team knows exactly where each finding stands.

NIST-aligned risk assessment framework

OWASP Testing Guide for web applications

PTES-style penetration testing lifecycle

CVSS plus business-impact classification

Manual validation of automated findings

Evidence preservation and chain-of-custody practices

Remediation verification and re-testing

Rules of Engagement — by default

Every engagement begins with a documented framework that protects both parties. Nothing is assumed, nothing is left to interpretation.

Authorized IP addresses, domains, and applications

Testing dates and permitted hours

Allowed and prohibited techniques

Emergency and escalation contacts

Data-handling requirements

Third-party and cloud-provider restrictions

Stop-testing conditions

Evidence retention and destruction periods

Re-testing conditions

What we do not do

Discipline and ethics are non-negotiable. These boundaries are documented in every engagement.

No unauthorized scanning under any circumstances

No denial-of-service testing by default

No destructive testing without separate approval

No persistence or backdoors

No unnecessary collection of sensitive data

No testing of third-party infrastructure without authorization

No social engineering unless separately scoped

No public disclosure of client findings

U.S.-registered company (New Jersey)

Manual validation — not scanner-only reporting

Separate executive and technical deliverables

Secure evidence handling and chain of custody

Remediation support available post-assessment

Direct access to the lead consultant

No outsourced anonymous testing teams

Lead Consultant

Nathan Moore

Principal — Null Session Intelligence LLC

Lead security consultant at NSI. Background in cybersecurity operations, penetration testing, and OSINT methodology. Directly involved in every Rabid Bloodhound engagement.

LinkedIn

Security Exposure Review

From $750one-time
  • Non-intrusive external review
  • Public asset discovery and classification
  • Credential leak check
  • Executive summary report
  • Credited toward full assessment if upgraded
Book a Review
Recommended

Vulnerability Assessment

From $1,500per assessment
  • External and/or internal scanning
  • Manual validation of all findings
  • False positive elimination
  • Business-impact severity classification
  • Executive summary for leadership
  • Technical report with prioritized fixes
Schedule Assessment

Penetration Test

From $3,000per engagement
  • Authorized manual exploitation testing
  • Web application and/or infrastructure scope
  • OWASP/PTES-aligned methodology
  • Emergency escalation during testing
  • Executive + technical deliverables
  • Remediation verification retest
Book Pentest

Assessment + Remediation

Custom scopedassessment + fix
  • Full vulnerability or OSINT assessment
  • Remediation phase at separate rate
  • Architecture review included
  • Configuration hardening guidance
  • Verification re-test after fixes
Get a Quote

Continuous Monitoring

From $500/ month
  • Attack surface monitoring
  • Dark web and credential leak monitoring
  • Monthly executive reports
  • Priority advisory access
  • New vulnerability alerts
Start Monitoring
01

Discovery Call

Free 30-minute call to understand your environment, concerns, and objectives. No scope, no commitment.

1 day
02

Scope Questionnaire

Structured intake: assets, boundaries, third-party dependencies, compliance requirements, and restrictions.

1-2 days
03

Proposal & Authorization

NDA signed. SOW defined. Rules of Engagement documented with scope, testing windows, and emergency contacts. Nothing proceeds without written authorization.

1-3 days
04

Assessment Execution

Reconnaissance, testing, and manual validation within the authorized scope. No scope creep.

5-15 days
05

Critical Finding Escalation

Immediate notification if a critical-risk finding is identified during testing — before the formal report.

During assessment
06

Reporting & Debrief

Executive summary for management. Technical report with evidence, reproduction steps, and prioritized remediation recommendations. Presentation meeting included.

3-5 days
07

Remediation & Retest

Optional phase: we help your team fix findings, then verify closure with a second-pass retest.

2-5 days

By Sector

Financial
01🔴 CRITICAL

Unsecured Cloud Database

Firestore database with no security rules exposed 7,452 user profiles including national ID numbers, phone numbers, home addresses, and geolocation coordinates. Write access was also unrestricted.

SCOPEProduction user database
EXPOSURE7,452 records
PIINational IDs, phones, addresses, GPS
02🔴 CRITICAL

Web Application Vulnerabilities

Multiple critical findings including RCE, SQL injection, exposed admin panels with user enumeration, and unprotected internal documentation (412 MB of PDFs spanning 10 years).

SCOPEProduction web app + internal storage
EXPOSURE12 vulnerabilities (3 critical, 4 high)
PIIInternal docs, admin credentials
Government
01🔴 CRITICAL

PII Leak via Unauthenticated API

Public POST endpoint with no authentication returned national identity records. Each request returned full name and ID number. 5,000+ records accessible with simple pagination.

SCOPEPublic API endpoint
EXPOSURE5,000+ identity records
PIIFull names, national ID numbers
02🟡 HIGH

Citizen Data Platform — Hardcoded Secrets

Mobile application with hardcoded OAuth client secret exposed an API gateway returning: full name, national ID, date of birth, blood type, home address, driver's license photo, and traffic violations for any authenticated user.

SCOPEMobile app + REST API (10+ endpoints)
EXPOSURE6 data categories per citizen
PIIID, DOB, blood type, address, photo, fines
Healthcare
01🔴 CRITICAL

Shared Credentials Across Institutions

Hospital management platform using identical credentials across 9 healthcare institutions in 4 countries. A single password granted access to 58,997 patient records including medical history and personal data.

SCOPEMulti-tenant healthcare platform
EXPOSURE58,997 patient records
PIIMedical history, patient personal data
Fintech / Mobile Apps
01🟡 HIGH

Hardcoded API Keys in Mobile Apps

Analysis of 10+ financial mobile applications revealed hardcoded Firebase API keys, backend URLs, and internal service endpoints in decompiled APKs. Multiple apps used the same insecure cloud configuration patterns.

SCOPE10+ Android APKs
EXPOSURE10+ Firebase keys, API endpoints
PIIInternal URLs, cloud credentials
Infrastructure
01🟡 HIGH

Publicly Accessible LLM Servers

22 Ollama inference servers exposed to the public internet without authentication. Models accessible included Qwen2.5:72B, DeepSeek-R1, and Gemma3. Several servers were actively compromised with reverse shells and data exfiltration artifacts.

SCOPEPublic-facing AI servers
EXPOSURE22 servers, 15+ models per server
PIIN/A — server access, model manipulation

Want to know if your organization has similar exposures?

Schedule a Confidential Assessment

*These case studies represent anonymized findings from authorized security assessments and responsible disclosure engagements. All identifying information has been removed. NSI LLC complies with all applicable laws including the CFAA and state data breach notification laws.

Common Questions

What organizations ask before engaging.

What if you don't find anything critical?+

That is valuable intelligence too. An expert assessment that confirms your security posture is sound gives your leadership confidence and your compliance team documented due diligence. The report includes scope, methodology, risks found, risks ruled out, and maturity assessment — you pay for our time and expertise, not for finding vulnerabilities.

How is this different from a bug bounty?+

Bug bounty programs are typically public, reward-based, and scope-limited. Our engagements are private, contractual, and comprehensive. We work within a signed SOW with defined Rules of Engagement. You know exactly what will be tested, when, and how.

Do I need technical knowledge to engage?+

No. We handle the technical work. You define what you want protected and authorize the scope. We translate findings into language your management and technical teams can both understand — separate reports for each audience.

What if I only want passive reconnaissance?+

That is a valid engagement scope and we offer it as Corporate OSINT or Digital Exposure Assessment. Passive reconnaissance carries lower legal exposure than active scanning. We document the scope accordingly.

How do you handle sensitive data found during testing?+

Any sensitive data discovered during authorized testing is handled per the ROE. Our standard practice: document the finding as evidence, do not exfiltrate, and include it in the confidential report. If credential exposure is found, we follow responsible disclosure protocols.

What methodologies do you follow?+

We align with NIST risk assessment frameworks, the OWASP Testing Guide for web applications, and PTES-style penetration testing lifecycles. All findings are classified by CVSS plus business-impact weighting, and every automated finding is manually validated.

Ready to engage?

Authorized assessments.

No surprises.

Start with a 30-minute exploratory call. No scope, no commitment — just a conversation about what you need protected and how we can help.

Free. Confidential. No obligation.

Or email us securely at security@nullsessionintelligence.com

PGP key available for secure communication

By inquiring, you agree to our Privacy Policy and Terms of Service.