Lawful decryption of locked or encrypted devices and forensic-grade scans for spyware, stalkerware and nation-state implants — including Pegasus-class commercial spyware. For journalists, executives, activists, family-law cases and anyone who has reason to believe their device is compromised.
Lawful, forensically-preserved decryption of locked or encrypted devices and volumes — performed with recovery keys, credentials, or lawful escrow access. The original device and image are preserved unaltered; the decryption produces a working forensic copy for examination.
Forensic-grade scans for commercial spyware (Pegasus, Predator, Reign), nation-state implants and consumer-grade stalkerware (mSpy, Cocospy, FlexiSpy). We pull a full file system image and inspect for indicators most consumer "antivirus" apps cannot detect — because they don't have permission to look where these implants hide.
Investigative reporters working on sensitive subjects — corruption, organized crime, state actors. Pegasus and Predator have been used against journalists worldwide.
C-suite, board members and high-net-worth individuals targeted by competitors, hostile actors, or socially-engineered intrusions tied to M&A, IP, or financial movements.
Human-rights defenders, political organizers and diaspora communities under surveillance pressure. Coordinated discreetly with established advocacy partners.
When a former partner is suspected of installing stalkerware, tracking GPS, or accessing accounts. Evidence-preserving sweeps that can support legal action.
Law firms whose clients suspect device compromise. We work under retaining-counsel engagement, with all findings privileged and reports addressed to counsel.
Battery drains, hot devices, strange behaviour, anomalous notifications, or specific incidents that suggest unauthorized access. The diagnostic itself is the answer.
Device security work is sensitive by definition. If you're worried about who's watching you, the last thing you want is a vendor that publicizes case studies, posts client logos, or talks to the press.
We don't. Every engagement starts with an NDA. When a retaining-counsel engagement is used, reports are addressed to your counsel, not to you directly. We destroy our copies on a timeline you specify.
If we find something, we tell you. If we find nothing, we still produce a written report you can rely on. Either way — quiet, defensible, discreet.
Mutual NDA before any device touches a workstation. Identity protected. Counsel-routed reporting available.
No case studies, no logos, no quotes, no press. Your name does not appear in our marketing. Ever.
Signal / encrypted email for communication. Air-gapped analysis bench. Encrypted return of any findings.
We delete our forensic copies on the timeline you specify — typically 30 / 90 / 365 days. Cryptographic erasure attestation provided.
Quiet, NDA-first answers for people who suspect their phone or laptop has been compromised.
Yes, in most cases. We image the device with licensed forensic tooling, then run forensic verification toolkits plus our own indicator-of-compromise (IOC) database against the image. We check for known Pegasus process names, file paths and network destinations; anomalous Wi-Fi sync logs; tampered baseband logs; and unexpected app entitlements.
Pegasus is sophisticated and updates frequently — we don't claim a 100% detection rate, but we'll tell you what we found and what we didn't.
Stalkerware is covert surveillance software typically installed on a phone by someone who has physical access — usually an intimate partner. Unlike legitimate parental controls, stalkerware hides its app icon, hides its data usage and ships extracted messages / location / calls to an attacker-controlled dashboard.
Common examples we see: mSpy, FlexiSpy, Cocospy, Spyzie, KidsGuard Pro, Hoverwatch, Eyezy. Detection is straightforward when the device is rooted/jailbroken (most stalkerware requires it); harder on stock devices where it leverages MDM or accessibility-service abuse.
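A triage heuristic for the stock-device case described above, as an added example (not this firm's tooling). It assumes Android and that the examiner has already exported three lists from the offline image: the `enabled_accessibility_services` setting value, the active device-admin components, and the packages that expose a launcher icon. All package names, the allowlist and the scoring weights are constructed for illustration.

```python
# Flag packages that hold accessibility or device-admin privileges while
# hiding their launcher icon (the stalkerware pattern described in the text).

# Constructed sample inputs. The accessibility value uses the colon-separated
# "package/service-class" format of Android's enabled_accessibility_services.
ACCESSIBILITY_SETTING = (
    "com.example.screenreader/.ReaderService:"
    "com.example.syncservice/.core.KeyWatchService"
)
DEVICE_ADMINS = [
    "com.example.syncservice/.AdminReceiver",
    "com.example.corpmdm/.PolicyReceiver",
]
LAUNCHER_PACKAGES = {"com.example.screenreader", "com.example.corpmdm"}
EXAMINER_ALLOWLIST = {"com.example.screenreader"}  # vetted by the examiner


def package_of(component: str) -> str:
    """Return the package part of a 'package/class' component name."""
    return component.split("/", 1)[0].strip()


def parse_components(setting_value: str) -> set:
    """Parse the setting value; an unset setting reads as empty or 'null'."""
    if not setting_value or setting_value.strip() == "null":
        return set()
    return {package_of(c) for c in setting_value.split(":") if c.strip()}


def triage(accessibility_value, device_admins, launcher_packages, allowlist):
    """Return findings sorted most-suspicious first."""
    hooks = {}
    for pkg in parse_components(accessibility_value):
        hooks.setdefault(pkg, set()).add("accessibility")
    for comp in device_admins:
        hooks.setdefault(package_of(comp), set()).add("device_admin")
    findings = []
    for pkg, held in hooks.items():
        if pkg in allowlist:
            continue
        hidden = pkg not in launcher_packages
        # Assumed weighting: each privilege counts 1, a hidden icon counts 2.
        score = len(held) + (2 if hidden else 0)
        findings.append({"package": pkg, "hooks": sorted(held),
                         "hidden_icon": hidden, "score": score})
    return sorted(findings, key=lambda f: (-f["score"], f["package"]))


if __name__ == "__main__":
    for f in triage(ACCESSIBILITY_SETTING, DEVICE_ADMINS,
                    LAUNCHER_PACKAGES, EXAMINER_ALLOWLIST):
        print(f)
```

A high score is a lead for manual review, not a verdict: legitimate MDM agents and assistive apps hold the same privileges.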
We image the device on our bench rather than scanning it in place. The scan runs against the offline forensic image — meaning no installed app, telemetry signal, or network traffic gives away the investigation.
If the device must remain in active use during the scan (executive on the road, journalist mid-assignment), we offer a shadow phone — a hardened parallel device. The primary phone gets a fresh forensic image we work from.
Yes. Air-gapped analysis bench — no cloud upload, no telemetry, no third-party processing. The forensic image lives on encrypted storage segregated by case ID. We don't read personal content beyond what's needed to determine compromise.
Destruction on the timeline you specify (30 / 90 / 365 days) with cryptographic erasure attestation. We don't keep case studies. We don't publish anything that could identify you.
Most consumer stalkerware doesn't survive a factory reset — but persistence in firmware, baseband, or bootloader is technically possible and is the hallmark of nation-state implants like Pegasus and Predator.
If you need certainty after a suspected high-grade compromise, our recommendation is device replacement rather than reset. We can assist with secure provisioning of the replacement (compartmentalized accounts, hardened settings, supply-chain verification).
The standard high-risk loadout is three compartmentalized phones:
Primary: day-to-day life, family, banking.
Travel phone: used in adversary jurisdictions, wiped and re-provisioned on return.
Comms phone: used only with sensitive contacts (sources, counsel), kept in a Faraday pouch except when in use.
Plus a hardened laptop (Lockdown Mode on Mac / Defender Application Guard on Windows 11) and a YubiKey-backed identity profile. We help design the loadout per threat model.