About

A technical security firm, not a compliance vendor.

Unlisted Security is a small, focused security firm. We exist because most security reviews look at individual components, and most serious vulnerabilities live between them.

  • Founded: 2022
  • Team: Senior reviewers
  • Engagements: Boutique, deep
  • Coverage: Web2 + Web3

Why this firm exists

Most serious incidents we've seen — across DeFi protocols, fintech backends, and infrastructure compromises — were not the result of a single missed bug. They were the result of correct components, connected in a way nobody had fully modeled.

A contract that was technically correct against an oracle that was technically correct against a backend that was technically correct, and yet — together — allowed value to leak. A permission system that did exactly what it was specified to do, and an admin tool that quietly bypassed the specification. An IAM role that looked harmless until paired with a CI workflow that nobody had reviewed with security in mind.

We started Unlisted Security to do the kind of review that finds these things. Adversarial. System-level. Manual. Calibrated. Slow on purpose where it needs to be, fast where it doesn't.

The name comes from what attackers actually look for: the surfaces, behaviors, and assumptions that aren't in the documentation, the threat model, or the tracker — but are very much in the system.

How we work

The values that decide what we ship — and what we don't.

  • 01 Adversarial first
    We are not auditors with a checklist. We are attackers who write reports.

  • 02 Systems thinking
    Every component is reviewed in the context of the system it lives in.

  • 03 Engineering respect
    We work with your engineers, not at them. Reports are written for the people who will fix them.

  • 04 Calibrated, not loud
    We tune severity to your real threat model. We won't promote findings to look impressive.

  • 05 Long-form trust
    We pick clients carefully. We turn down work we cannot do well. We are here to be the team you call back.

  • 06 No security theater
    Every line of every deliverable is meant to be acted on. If it isn't useful, it doesn't ship.

Who we work with

Teams who can't afford to be wrong.

  • Pre-launch protocols who want to ship correct, not just code-complete.
  • Live DeFi protocols handling material TVL who need a deeper review than annual sweeps.
  • Custodians, exchanges, and infrastructure providers where a small bug is a public incident.
  • Backend and application teams whose compliance auditor said they're fine — but who know better.
  • Funds and acquirers running technical diligence on a target.

We're also happy to say no. If your engagement isn't a fit for us, we'll tell you that directly and, where possible, point you toward a firm that is.

Engagements opening Q1–Q2

Find what others miss. Before attackers do.

Tell us what you're building. We'll come back with a focused scope, a fixed quote, and a sample of the kinds of risks we expect to find on a system like yours.