AI-native QA + security studio · Beirut → worldwide

Ship with proof, not promises.

Evidence-backed QA and security testing for web & mobile apps — delivered in about 12 hours. Every pass, every failure, every vulnerability is backed by a screenshot, trace, or reproducible artifact you can open and verify yourself.

0hTurnaround
0%Regression coverage gate
AWS certified
#0IBM Security Hall of Fame
What we do

Five ways we help you ship provably good software.

One studio for quality, security, and the AI workflows behind them — so you don't stitch together three vendors, three reports, and three retest cycles.

01 / QA

Full QA testing — web & mobile

Manual-grade QA depth at AI speed. Every result is tied to real evidence, never a claim from memory.

  • Functional & regression at three depths — sanity, smoke, full regression — behind a coverage gate
  • Every PASS backed by a current-run screenshot, independently reviewed before it ships
  • Data-integrity & calculation checks: totals, rounding, chart-vs-table reconciliation
  • Console errors, duplicate API calls, slow endpoints, accessibility & UX findings
  • BDD / Gherkin suites + a coverage matrix delivered as your assets
flagship 02 / SECURITY

Security testing & vulnerability assessment

Evidence-gated security reviews where every confirmed finding is reproducible — never a scanner's guess.

  • High-impact web classes: DOM XSS, credential/API-key exposure, SQL injection, IDOR/BAC
  • Cross-identity authorization testing with two client-owned accounts
  • Zero-false-positive discipline: evidence gate + adversarial review + real PoC
  • Non-destructive by design — stops at proof-of-concept, secrets stored redacted
03 / DELIVERY

Rapid, fully-tested app delivery

New websites, web apps, and mobile apps — built, tested, and security-checked — fast.

  • Full-stack build on 12+ years of AWS architecture: serverless, microservices, event-driven
  • Every build ships through our own QA + security pipelines before handover
  • Multi-cloud deploy & cost modeling (AWS / Azure / GCP) from official pricing
  • Evidence-backed handover with no platform lock-in
04 / AI

AI / LLM solution delivery

Production-grade AI systems built with the same guardrails and evidence discipline we hold ourselves to.

  • LLM & agentic apps: agents, subagents, skills, tool-use, retrieval
  • Guardrail engineering — permission-gated hooks, deterministic validators
  • Anti-hallucination architecture: evidence-or-nothing, disk-backed, resumable runs
05 / TRAINING

AI-workflow workshops & training

Upskill your team to automate real work with AI pipelines that are fast and miss nothing.

  • Hands-on: agents, subagents, skills, guardrails & hooks
  • Evidence contracts & deterministic validators for trustworthy AI output
  • Safe-by-construction, permission-gated automation for production
The turnaround

A full evidence-backed report suite — by tomorrow morning.

Traditional pentests take four to six weeks. Even “fast” platforms need days just to start. Our AI-native workflows run generation, testing, and verification in parallel overnight — with human review at both ends — so you get a report you can act on in about 12 hours, not next quarter.

Why Cedarproof

The middle ground the market left empty.

Self-serve tools leave you doing the work. Managed outcomes start at $50k+ a year. We deliver a done-for-you, evidence-backed outcome — at boutique speed and price.

~12-hour turnaround

A complete QA or security report suite delivered in about half a day — unmatched in either market.

Evidence, not assertions

Every finding ships with a screenshot, HTTP trace, reproducible PoC, or failing test. No scanner PDF dumps.

Guardrailed AI workflows

Permission-gated hooks, forked single-purpose agents, and evidence contracts keep the AI fast and honest.

QA + security in one

Functional regressions and exploitable vulnerabilities in a single engagement, a single report.

Your assets, no lock-in

You keep the test suites, scripts, and findings. Nothing held hostage in a vendor portal.

Principal-level attention

The same two senior operators review every engagement — a cloud architect and a security researcher.

Proof, not promises

We hunt the vulnerabilities others miss — and we can prove it.

Our security practice is led by a researcher recognized on public leaderboards and disclosure programs. These are the vulnerability classes we hunt and have found in the wild.

VULNERABILITY CLASSSEVERITY
CWE-639IDOR / broken access controlcross-identity object access → PII exposureCRITICAL
CWE-918Server-side request forgeryblind SSRF via webhook validationHIGH
CWE-400GraphQL batch-query DoSresource exhaustion / availabilityCRITICAL
CWE-79DOM-based XSScontrolled source → sink, proven by effectHIGH
CWE-200Information disclosureGraphQL introspection / exposed schemaHIGH
CWE-522Credential / API-key leakagesecrets in JS bundles & traffic, stored redactedCRITICAL
CWE-284Unauthenticated data exposureopen storage / database read accessCRITICAL
How it works

Scope today. Evidence tomorrow.

1

Scope

A short authorized intake: your app, target areas, accounts, and the exact boundaries we will not cross.

→ signed scope + authorization
2

AI-native run

Guardrailed agents recon, generate, test, and attempt exploits in parallel — every step captured to disk.

→ screenshots, traces, PoCs
3

Evidence report

Human-reviewed findings, each with severity, reproduction, impact, and a fix — nothing unverified ships.

→ report suite in ~12h
4

Fix & retest

You fix; we re-verify fast. Retesting after fixes is built into how we work, not an upsell.

→ verified-closed findings
How we compare

Boutique speed. Enterprise rigor. Startup price.

 
Cedarproof
Typical vendor
Turnaround
~12 hours
2–6 weeks
QA + security together
One engagement
Two vendors, two reports
Evidence per finding
Screenshot / trace / PoC
Scanner PDF, few repros
Web + mobile
Both
Often web-only
Deliverables you own
Suites & findings, no lock-in
Locked in a portal
Retest after fixes
Built in
Extra cost / window
Entry price
Boutique / fixed-scope
$50k+/yr managed
The team

Security research and senior cloud education — a sister and brother, building from Beirut.

MA

Malak Abadi

Founder · Security & QA

Application & API security researcher focused on GraphQL, SSRF, CORS, access control, and information disclosure. Reached #1 on the IBM Security Hall of Fame and discloses responsibly across HackerOne, Bugcrowd, Microsoft MSRC, and NASA VDP.

IBM Hall of Fame #1HackerOne Milestone L1Black Hat 2026BlueHat Asia 2026Burp · DevTools
LinkedIn ↗
MA

Mohammed Abadi

Education & Training · AWS

AWS Solution Architect and Udemy instructor with 12+ years across cloud, serverless, microservices, and event-driven systems. At Cedarproof he leads education and training only — hands-on workshops and corporate courses on AWS, AI workflows, and QA automation.

7× AWS CertifiedAWS Community BuilderTeam LeaderUdemy Instructor
Educational & training services only
Let's talk

Ship your next release with proof.

Tell us the app and the deadline. We'll come back with a scope and an evidence-backed plan — QA, security, or both.