We identify how organisations unintentionally expose sensitive data through misconfigured consent mechanisms, uncontrolled third-party scripts, and inadequate security headers — using only publicly available information.
This website sets zero cookies — first-party or third-party. Your browser receives nothing to store.
No analytics scripts, no pixels, no tag managers. No data leaves your browser to any third party.
Standard Apache access logs. IP addresses anonymised. Retained 7 days for security diagnostics. Not linked to any profile.
Consent Management Platforms are widely deployed but rarely effective. Tracking scripts routinely fire before consent is obtained. In regulated sectors such as healthcare, finance and legal services, this can turn routine website visits into unlawful processing of personal data, including special category data where the page visited reveals a visitor's health condition.
Focused, technical work. No sales decks. No retainer bloat.
We verify whether your CMP actually works. Race conditions between the consent signal and tag firing, preload and prefetch bypasses, misconfigured domain groups, missing consent-gate integration with tag managers: we document every failure point with reproducible evidence.
Complete inventory of every script executing on your public-facing pages. We identify what data leaves your domain, where it goes, and whether it has a legal basis. Includes cross-origin configuration review and cookie synchronisation mapping.
Content Security Policy, Subresource Integrity, Referrer-Policy, X-Frame-Options and its CSP successor frame-ancestors. We assess your HTTP response headers against current best practice and document specific formjacking and XSS exposure vectors.
Actionable technical recommendations with implementation priority. We provide specific CSP directives, consent-first loading patterns, SRI hashes, and API hardening guidance — not generic checklists.
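The consent-first loading pattern referred to above, shown as an added example that is not this page's own code. It is a small gate that holds every third-party script until the CMP reports a grant for its category, defaults to deny, and refuses to inject a cross-origin script that lacks a well-formed Subresource Integrity value. The category names, script URLs, the `sha384-` value (a placeholder, not a real hash) and the `inject` callback interface are assumptions; in a browser the injector appends a real script element, and the CMP's consent callback would call `grant()`.

```javascript
// Consent-first script loading. Added illustration; category names, URLs,
// the placeholder SRI value and the injector interface are assumptions.

// Integrity values a browser will honour: sha256/384/512 followed by base64.
const SRI_RE = /^sha(256|384|512)-[A-Za-z0-9+/]{43,88}={0,2}$/;

// Resolve a script spec into the attributes we are willing to inject.
// Cross-origin scripts must carry SRI and crossorigin so the hash is checked.
function buildScriptAttrs(spec, pageOrigin) {
  const url = new URL(spec.src, pageOrigin);
  const attrs = { src: url.href, async: true };
  if (url.origin !== pageOrigin) {
    if (!SRI_RE.test(spec.integrity || '')) {
      throw new Error(`refusing cross-origin script without SRI: ${url.href}`);
    }
    attrs.integrity = spec.integrity;
    attrs.crossorigin = 'anonymous';
  }
  return attrs;
}

// The gate: scripts queue under a consent category and are injected only
// once that category has been granted. Nothing is loaded by default.
function createConsentGate(inject, pageOrigin) {
  const granted = new Set();
  const pending = [];  // { category, attrs }
  const loaded = [];

  function flush() {
    const keep = [];
    for (const entry of pending) {
      if (granted.has(entry.category)) {
        inject(entry.attrs);
        loaded.push(entry.attrs.src);
      } else {
        keep.push(entry);
      }
    }
    pending.length = 0;
    pending.push(...keep);
  }

  return {
    // Validate eagerly so a bad spec fails at registration, not at consent time.
    register(category, spec) {
      const attrs = buildScriptAttrs(spec, pageOrigin);
      pending.push({ category, attrs });
      flush();
    },
    // Called from the CMP's consent callback with the categories the visitor allowed.
    grant(categories) { for (const c of categories) granted.add(c); flush(); },
    // Withdrawal stops future loads; already-executed scripts cannot be unloaded.
    withdraw(categories) { for (const c of categories) granted.delete(c); },
    state() {
      return {
        granted: [...granted],
        pending: pending.map(p => p.attrs.src),
        loaded: [...loaded],
      };
    },
  };
}

// Browser injector: only used when a DOM exists.
function domInjector(attrs) {
  const el = document.createElement('script');
  for (const [k, v] of Object.entries(attrs)) {
    el.setAttribute(k, v === true ? '' : v);
  }
  document.head.appendChild(el);
}

// Walkthrough with a stub injector (constructed inputs, no network).
function demo() {
  const injected = [];
  const gate = createConsentGate(a => injected.push(a), 'https://example.test');
  gate.grant(['necessary']);
  gate.register('necessary', { src: '/js/app.js' });
  gate.register('analytics', {
    src: 'https://cdn.analytics.example/tag.js',
    integrity: 'sha384-' + 'A'.repeat(64),  // placeholder, not a real digest
  });
  const beforeConsent = gate.state();
  gate.grant(['analytics']);  // simulates the CMP reporting consent
  const afterConsent = gate.state();
  let rejected = null;
  try {
    gate.register('analytics', { src: 'https://cdn.analytics.example/no-sri.js' });
  } catch (e) {
    rejected = e.message;
  }
  return { beforeConsent, afterConsent, rejected, injected };
}
```

The point of the pattern is the direction of the default: a script that has no granted category is never injected, so a CMP that fails to load, or loads late, cannot cause a tag to fire early. The common misconfiguration is the reverse, a tag placed in the head that fires on parse and is merely told about consent afterwards.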
All findings are obtained from publicly served content. We do not authenticate, scan, probe, or deploy automated tools against your infrastructure.
HTML source inspection. HTTP response header analysis. Browser console log capture. Network request monitoring. Standard developer tools only.
Every finding is tied to specific, reproducible evidence — console errors, cookie values, header responses, script execution sequences. No assumptions. No extrapolation.
Executive briefing for decision-makers. Technical annex for your engineering team. Remediation roadmap with prioritised actions. Delivered under terms you define.
Any organisation where a website visit implies something about the visitor — their health, their finances, their legal situation — faces elevated compliance risk from misconfigured tracking.
When we identify privacy or security issues affecting an organisation, we follow the UK NCSC Vulnerability Disclosure Toolkit framework.
We contact the appropriate person directly — typically the Data Protection Officer, General Counsel, or designated security contact. We provide a clear summary of findings and ask which channel they prefer for confidential delivery of the full report.
There is no time pressure, no condition attached, and no public disclosure. If the organisation wishes to engage us for remediation, that conversation happens separately and on their terms.
This is the standard we hold ourselves to. Every engagement begins with trust, and trust begins with how you handle the first contact.