Web3sec
An independent security firm for crypto and fintech teams. We review the smart contracts, the wallets, the apps, the infrastructure, and the people, so the product you ship holds up when it is actually attacked.
- Est.: 2021
- Lead: Chirag Agrawal (Raiders)
- Model: Independent, lean
- Issue: No. 001 / Vol. 6
Most audits stop at the smart contract. Attackers don't, and neither do we. We review every layer your product ships on, each one by a senior researcher who specialises in it, so the security you promise your users is security that actually holds.
What you get: a clear map of where you are exposed, a ranked list of what actually matters, and a remediation plan your engineers can act on this quarter. Written by the researcher who did the work, signed by Raiders.
Teams building the infrastructure and interfaces that move real money. Wallets, bridges, protocols, and the platforms that power them.
What we cover.
Nine practices, run in parallel by senior researchers who specialise in the layer they cover rather than generalists rotating through it.
- 01 Smart contracts
Protocol and contract reviews across DeFi, ZK, oracle systems, and TradFi crossovers. We read the code, model the economics, and stress the assumptions.
- 02 Mobile & wallet
iOS and Android security, wallet internals, and dApp clients. This is the layer we know best, and the one most teams underspend on.
- 03 Web & frontend
dApp interfaces and frontend integrity. The paths your users actually touch when money moves are the paths we test hardest.
- 04 Backend & cloud
APIs, backend services, cloud configuration, and day-to-day SOC operations. Reviewed against your real threat model, not a checklist.
- 05 DNS & domain
Domain and DNS security done properly. We are recognised contributors to the SEAL Alliance on this work.
- 06 Supply chain
Third-party and dependency risk, from build pipelines to runtime. We contribute to MITRE AADAPT on supply-chain TTPs.
- 07 Human layer
Social engineering, phishing, and access exercises run against your team so you learn how it lands before an attacker shows you.
- 08 AI & agentic
Security for AI systems and autonomous agents. An active research area for us, and one we bring into client work as it matures.
- 09 OpSec advisory
Access-control and personal OpSec reviews for teams and founders. Our public work on this lives at digibastion.com.
How we work with you.
We join your team as a partner, not a vendor. Three clear phases, one dedicated researcher, and direct access from day one.
- 01 Discovery
We start with your product, your threat model, and your shipping cadence. Raiders and the lead researcher meet your team to understand what you are building, where the sensitive assets live, and what keeps you up at night. No generic checklists. We scope to your reality, and you get a written plan within 48 hours.
- 02 Review
The same senior researcher who scoped the work does the review. We test every layer your product ships on, report findings as we find them so your engineers can patch in parallel, and stay in your Slack or Telegram so nothing gets lost in a PDF. You are never waiting on us to know what matters.
- 03 Remediation plan
We deliver a ranked list of what to fix, why it matters, and how to do it. Each item comes with severity, effort estimate, and sample code or configuration where it helps. Then we verify your fixes so the report you share with investors, partners, and users is clean and current.
From $6k a week, shaped to the scope in front of us. We are independent and lean, so we can start the week you say yes.
The firm.
Web3Sec is an independent firm led by Raiders. Every engagement is staffed by senior researchers who are certified and top ranked in the discipline they cover, whether that is mobile, cryptography, DNS, or supply chain. Raiders stays on the review with you from the first call through to the remediated report. No rotating bench, and no juniors learning on your code.
Alongside client work we contribute to industry security groups, publish original research, and hold two Ethereum Foundation grants. Full portfolio and past reports are available on request.
- SEAL Alliance · Domain & DNS
- MITRE AADAPT · Supply chain
- 2× Ethereum Foundation grantee
- 18+ independent engagements
- 7,000+ practitioner community
Questions we get.
Straight answers to the things founders and security leads ask on the first call.
- How is a Web3Sec review different from a typical audit?
- We review the full surface your product ships on, not just the smart contract. That means mobile, wallet, frontend, backend, DNS, supply chain, and the human layer, each covered by a senior researcher who lives in that discipline.
- Who actually does the work?
- The named researchers you meet on the kickoff call. Raiders leads every engagement end to end. No rotating bench, no juniors learning on your code.
- What does an engagement cost?
- From $6k a week, shaped to the scope in front of us. Fixed-scope audits, retainers, and short advisory engagements all work. We will send a written scope after a 20-minute call.
- How fast can you start?
- Usually the same week you say yes. We are independent and lean, so there is no long queue and no account managers between you and the researcher.
- Do you sign NDAs and work under existing MSAs?
- Yes to both. We work with legal, security, and procurement teams regularly and can operate under your paper.
- Can we see past reports?
- Redacted samples and a full client list are available on request after a short intro call.