Web2 Security Audits
Cantina and Spearbit each deliver comprehensive Web2 security audits. This unified offering blends deep application-layer expertise with operational security (OpSec) assessments, identifying risks across everything from API integrations and authentication flows to device security and cloud configurations.
What We Cover
We provide full-spectrum Web2 security audits spanning:
Application Logic & Code
- Authentication and session management
- Backend APIs and automation scripts
- Business logic flaws and insecure integrations
- Injection vectors (IDOR, SSRF, RCE)
- SaaS misconfigurations and data leakage
Operational & Endpoint Security
- Employee and contributor account exposure
- Device hardening (MDM, EDR, VPN)
- Communication platforms (email, Discord, Slack)
- RBAC and secrets management
- Provisioning/offboarding workflows
Infrastructure & Cloud
- Admin panels and multisig dashboards
- CI/CD pipeline security
- Cloud environment misconfigurations and key exposure
Process Overview
Our Web2 Security audit process ensures thorough coverage across both application and operational layers:
1. Scoping and Information Gathering
We begin by aligning on your organization's unique risk profile:
- Operational Assessment: Inventory of internal systems, endpoints, devices, and communication platforms
- Application Assessment: Technical specifications, source code, architecture overviews
- Documentation Audit: Existing OpSec policies, infrastructure setups, and security procedures
- Stakeholder Interviews: Understanding workflows, roles, and risk tolerances
2. Statement of Work (SOW)
The SOW includes:
- Scope Definition: Application codebases, APIs, devices, cloud assets, and more
- Deliverables: Security reports with actionable recommendations and remediation guidance
- Timeline: Audit duration and check-in cadence
- Team Composition: Assigned auditors with relevant expertise
- Access Requirements: Systems, code, documentation, and communication access
3. Kickoff
Following the SOW, we coordinate logistics and onboarding:
- Kickoff Call: Walkthrough of scope, timelines, and workflows
- Access Provisioning: Secure access to repos, devices, and systems
- Channels Setup: Real-time coordination paths, escalation protocols
- Audit Synchronization: Aligned scheduling across application and operational streams
4. Security Audit Period
Parallel assessments by specialized researchers:
Operational Security Audit
- Device and configuration analysis (e.g. MDM, EDR, VPN)
- Communication tool and endpoint security
- Policy audits and RBAC gap detection
- Contributor access controls
- Manual and automated code analysis
- API and integration risk evaluation
- Authentication flow testing
- Infrastructure and deployment attack surface audit
- Regular syncs between application and OpSec auditors
- Shared threat modeling
- Identification of intersecting risks (e.g. cloud + SaaS + credentials)
5. Communication
Ongoing transparency throughout the engagement:
- Daily Standups: Internal auditor coordination
- Weekly Client Updates: Status reports and early signals
- Urgent Escalations: Immediate flagging of critical issues
- Clarification Sessions: Optional deep-dives with your engineering or ops teams
6. Fix Period
Hands-on remediation guidance:
- Prioritization: Joint evaluation of impact and exploitability
- Implementation Support: Recommendations on fixing both app and OpSec issues
- Dependencies: Help resolving cross-domain findings
- Progress Tracking: Dashboard of remediation status
7. Findings Call
Final walkthrough of results:
- Joint Presentation: Unified report with correlated risks
- Strategic Takeaways: Systemic issues and structural fixes
- Interactive Discussion: Technical questions, rationale, and guidance
8. Final Report Delivery
The engagement concludes with a comprehensive package:
- Executive Summary: High-level view of organizational posture
- Technical Findings: Deep dive into application and operational risks
- Unified Risk Matrix: Impact + likelihood evaluation
- Remediation Roadmap: Prioritized action items
- Forward Strategy: Recommendations for ongoing improvements
9. Closeout Call
Final audit and planning touchpoint:
- Feedback: Audit process and outcomes
- Security Strategy: Long-term recommendations and risk trends
- Next Steps: Retainer or follow-up support options
- QBR Scheduling: Optional quarterly security audit
When to Engage
Web2 Security audits are especially valuable during:
Pre-Launch Events
- Token launches, governance activations, or frontend deployments
- Launching new SaaS dependencies or internal tools
- Contributor onboarding
- Organizational restructuring or jurisdictional expansion
- Following phishing, credential leaks, or infrastructure breaches
- Remediation validation after implementing MDM/EDR/SaaS controls
- Fundraising diligence
- Regulatory or partner-driven security requirements
- Annual posture audits
Target Organizations
This service is ideal for:
- Protocols: With off-chain systems tied to governance, oracles, or multisig operations
- Foundations & DAOs: Coordinating large teams with SaaS exposure
- Exchanges & Custodians: With endpoint-heavy operational models
- Bridges & Rollups: Relying on Web2 infrastructure for cross-chain control
- Developer Teams: With modern CI/CD pipelines, APIs, and web frontends