Penetration testing, security auditing, and risk advisory from engineers who have built and secured enterprise infrastructure for two decades.
Our Services

We identify vulnerabilities before adversaries do. Our engagements combine automated tooling with deep manual analysis by engineers who understand production systems from the inside.
Network, application, and API penetration testing that goes beyond automated scans. We simulate real-world attack chains against your infrastructure, web applications, and internal systems.
Systematic review of your security posture, including access controls, network segmentation, encryption practices, and compliance alignment with SOC 2, ISO 27001, and NIST frameworks.
Deep assessment of PostgreSQL, MySQL, and cloud database configurations. We audit access policies, encryption at rest, query injection surfaces, migration safety, and backup integrity.
Manual and tool-assisted review of application source code for vulnerabilities, insecure patterns, dependency risks, and logic flaws. We read code the way attackers do.
Security assessment of AWS, GCP, and Azure environments. We evaluate IAM policies, network architecture, container security, CI/CD pipelines, and infrastructure-as-code configurations.
When a breach occurs, we provide rapid triage, forensic analysis, containment strategy, and post-incident remediation planning. Available on retainer or emergency engagement.
IT Risk Limited was founded in 2006 with a straightforward premise: the best security work comes from people who have built the systems they are asked to protect. Our founders came from database engineering and enterprise software development, bringing an operator's understanding of where real risk lives—not in theoretical attack trees, but in production configurations, migration scripts, and the code paths nobody tests.
In the early years, we focused on database security and application auditing for mid-market financial services firms. As our clients grew into cloud-native architectures, so did we—expanding into infrastructure security, container hardening, and distributed systems assessment. Our database security practice, built on years of PostgreSQL and enterprise database expertise, remains one of the deepest in the industry.
In 2018, we began publishing our technical research, contributing to the broader security community's understanding of topics from query-level exploitation to build system integrity. Our work on AI security and LLM risk assessment, begun in 2023, reflects our commitment to staying ahead of emerging threats.
Today, IT Risk Limited serves enterprises, growth-stage technology companies, and critical infrastructure operators across the United States. We remain a focused, senior-led practice—every engagement is staffed by experienced engineers, not junior analysts running automated scans.
Established as a database security and application auditing consultancy
Expanded into penetration testing and compliance auditing for regulated industries
Launched cloud infrastructure assessment services for AWS and GCP environments
Began publishing technical research on database security and code analysis
Pioneered security assessment using precise code intelligence and indexing techniques
Launched AI security practice addressing LLM hallucination risks and model integrity
Two decades of continuous operation, zero client breaches
Technical research and field notes from our engagements. We publish what we learn so the broader security community benefits.
How compiler-accurate code navigation data prevents hallucinated outputs in AI-assisted development tools, and why context quality beats model size.
Lessons from a multi-version upgrade system where broken migrations, deadlocked indexes, and schema drift created silent production vulnerabilities.
PostgreSQL's maintenance daemon can starve production queries if misconfigured. A guide to tuning vacuum behavior for high-transaction systems.
When migrating a terabyte of data from SQLite to PostgreSQL, missing indexes on multi-gigabyte tables turned a routine migration into a production outage.
How profiling-driven optimization of serialization, caching, and database write patterns reduced attack surface while improving throughput by 5x.
Pre-computed visibility maps replaced in-memory graph traversal, eliminating denial-of-service risks from repositories with hundreds of thousands of commits.
A code intelligence indexer consumed 8 minutes per run due to repeated AST traversals. A single-pass caching strategy reduced this to 24 seconds.
PostgreSQL triggers and JSONB provide application-agnostic audit trails without modifying a single line of application code. A pattern for compliance-ready systems.
A circular dependency between TypeScript modules caused a security-critical constant to silently evaluate to NaN, breaking git command parameters for two weeks undetected.
A developer's shell alias masked a malformed RPC call that passed in production. Why personal tooling configurations create invisible security gaps.
Go's os.RemoveAll entered an infinite loop when a directory contained over 1024 undeletable entries. A Docker UID mismatch turned routine cleanup into resource exhaustion.
When a Redis module API changed its function signature between builds, the linker stayed silent and the runtime crashed. Why unpinned dependencies are a supply chain risk.
Interface mocking patterns in Go that verify not just success paths but error handling, cache poisoning resistance, and parameter validation at system boundaries.
Upgrading from PostgreSQL 9.6 to 12 wasn't about features. Statement-level triggers with transition tables were the only way to build efficient audit logging without crippling write performance.
A series examining how innocuous-looking PostgreSQL queries can hide performance time bombs, from full table scans on billion-row tables to sampling strategies that expose sensitive data.
How a code intelligence backend evolved from Express/TypeScript to distributed Go across eight major rewrites, and what each transition revealed about operational security tradeoffs.
Every engagement begins with understanding your environment. Reach out for a confidential initial assessment.