We break your apps. Before they do.
Rexar is a boutique offensive security operation specializing in modern API surfaces — GraphQL, REST, gRPC, and the broken assumptions between them. No bots. No checklists. Real attackers, real impact, written reports an engineer would respect.
Fintech / SaaS / Health · ≥1 High-Severity Finding · Manually Verified
Recon. Exploit. Impact. Report.
Every Rexar engagement follows a four-phase offensive workflow modeled on real adversary tradecraft (PTES/OWASP/MITRE ATT&CK aligned). No automated scanners filling pages. No "informational" findings padding the deliverable. Every line in our reports is a thing an attacker can do, and what it costs you when they do it.
Recon
- Asset enumeration
- Schema introspection
- Auth flow mapping
- Threat model
Exploit
- Manual testing
- Custom tooling
- Chained vulns
- Privilege escalation
Impact
- Business risk modeling
- CVSS v4 scoring
- Blast radius analysis
- Proof-of-concept
Report
- Engineering writeup
- Executive summary
- Remediation guide
- Re-test included
Modern APIs. Where the bugs actually live.
While most pentest shops are still clicking through web forms, the attack surface has moved. Today's product is a GraphQL gateway, a webhook handler, a batch endpoint, a JWT issued by something that probably shouldn't be issuing JWTs.
Rexar leads with deep API expertise — including original research into GraphQL alias overloading, batch-query DoS amplification, and authorization edge cases that no signature-based scanner will ever find.
GraphQL Alias Overloading → Rate Limit Bypass & DoS Amplification
# Single request executes 1,000 password resets,
# trivially bypassing per-IP rate limits.
mutation {
  r1: passwordReset(email: "a@x.com") { ok }
  r2: passwordReset(email: "b@x.com") { ok }
  ...
  r1000: passwordReset(email: "z@x.com") { ok }
}
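The gateway-side counter that closes this gap, as an added example rather than Rexar's own code: it counts root-level selections in the incoming document, aliased or not, so the rate limiter can charge per operation and refuse alias-overloaded bodies outright. The 20-selection budget and the three-alias sample are constructed for illustration; the scanner assumes the document has already passed the gateway's syntax validation.

```javascript
// Added example (not Rexar's code): count root-level selections in a GraphQL
// document, aliased or not, so a gateway can charge its rate limiter per
// operation rather than per HTTP request and refuse alias-overloaded bodies.
// Assumes the document already passed syntax validation; block strings (""")
// are not handled. Braces inside argument lists, strings and comments are ignored.
const NAME = /[_0-9A-Za-z]/;

function countRootSelections(query) {
  let depth = 0, parens = 0, i = 0, rootFields = 0, aliased = 0;
  const name = () => { const s = i; while (NAME.test(query[i] || '')) i++; return query.slice(s, i); };
  const ws = () => { while (/[\s,]/.test(query[i] || '')) i++; };
  while (i < query.length) {
    const c = query[i];
    if (c === '#') { while (i < query.length && query[i] !== '\n') i++; }
    else if (c === '"') { i++; while (i < query.length && query[i] !== '"') i += query[i] === '\\' ? 2 : 1; i++; }
    else if (c === '(') { parens++; i++; }
    else if (c === ')') { parens--; i++; }
    else if (parens > 0) i++;                 // argument values contain no fields
    else if (c === '{') { depth++; i++; }
    else if (c === '}') { depth--; i++; }
    else if (c === '@') { i++; name(); }      // directive name
    else if (query.startsWith('...', i)) {    // fragment spread or inline fragment
      i += 3; ws();
      if (name() === 'on') { ws(); name(); }
    }
    else if (/[_A-Za-z]/.test(c)) {
      name();
      if (depth === 1) {                      // a field directly under the operation
        rootFields++; ws();
        if (query[i] === ':') { aliased++; i++; ws(); name(); }  // alias: consume the real field name
      }
    }
    else i++;
  }
  return { rootFields, aliased };
}

// Refuse over-budget requests, else return the cost to debit from the caller's rate-limit bucket.
function rootSelectionCost(query, maxRootFields = 20) {
  const { rootFields, aliased } = countRootSelections(query);
  return { allowed: rootFields <= maxRootFields, cost: rootFields, aliased };
}

// Constructed sample shaped like the alias-overloading mutation above (3 aliases).
const ALIAS_OVERLOAD = `mutation {
  r1: passwordReset(email: "a@x.com") { ok }
  r2: passwordReset(email: "b@x.com") { ok }
  r3: passwordReset(email: "c@x.com") { ok }
}`;
console.log(rootSelectionCost(ALIAS_OVERLOAD, 2)); // { allowed: false, cost: 3, aliased: 3 }
```

Run the check before execution and debit `cost` from the same bucket the per-IP limiter uses, so a thousand aliases in one request cost the same as a thousand requests.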
No scanner-output theatre.
Operator-led, every engagement.
You'll work directly with the person doing the testing. No outsourced overflow, no junior consultants. Same name on the proposal as on the report.
Reports your engineers will actually read.
Every finding includes reproducible PoC, the exact remediation, and a re-test after you patch. No 90-page PDFs of CVE references padded into oblivion.
Original research backs every test.
We don't just run the playbook — we publish to it. The bugs nobody else finds in your stack are the ones we've already found in someone else's.
Fixed scope. Fixed price.
You'll know the cost before kickoff. Surprise change-orders are how you destroy trust. We don't.
NDA / liability insured.
Engagement terms, data handling, and professional indemnity all in writing before a single packet moves. Standard for us, often hard to get elsewhere.
Re-test & remediation included.
One free re-test cycle within 60 days of the report. We confirm fixes work. Otherwise the findings aren't really closed.
Pick a target. We'll do the rest.
- Single application or API
- Black-box external testing
- Standard severity report
- One round of remediation re-test

- Multi-surface: web + API + auth
- Authenticated + unauthenticated
- Business-logic + chained findings
- Executive + technical reports
- Two re-test rounds
- Slack channel for live questions

- Continuous PTaaS — quarterly cycles
- New feature reviews on demand
- Live findings dashboard
- SOC 2 / ISO evidence package
Find it before they do.
Drop a brief description of your target and timeline. We respond within one business day with a scoped proposal — no sales calls required to get a quote.