How a Sigma Prime security audit works.

We review the codebase, architecture, documentation, deployment plans, and any prior security work. We confirm the target commit, the systems in scope, the main risks, and any exclusions. Scoping ends with a written proposal covering scope, timeline, team, and fixed fee.

The engagement starts with a technical walkthrough between Sigma Prime engineers and the client team. We review the architecture, trust boundaries, threat model, deployment assumptions, and any known areas of concern. Communication channels are opened at kickoff, and the reviewed commit is locked unless changes are explicitly agreed.

Most of the engagement is spent in manual review. The team size depends on scope and can range from two engineers to a larger multi-engineer review team for broader systems. Findings are filed during the review so the client can start triage early. Questions and clarifications are handled directly with the engineering team throughout the engagement.

Automated analysis runs in parallel with manual review. We use standard industry tooling, internal tooling, and custom AI-assisted workflows built to help with codebase understanding, variant analysis, and bug pattern discovery. These systems support the review process, but findings are still validated, prioritised, and written up by engineers.

Findings are consolidated into a written report with severity, impact, affected code, and remediation guidance. Deliverables go through internal QA before delivery, including review by senior engineers and director-level oversight. The client receives the private report first, and publication timing is agreed separately.

After fixes are submitted, we verify each remediation against the original finding and check for incomplete fixes or follow-on issues. The final report records the status of every finding so there is a clear record of what was addressed before publication.

Review team sized to scope

We staff reviews according to the size and complexity of the system. Smaller engagements may have two engineers. Larger protocol or infrastructure reviews can involve several engineers working in parallel. Reports are reviewed internally before delivery.

Continuous findings flow

Findings are shared during the engagement so the client team can start triage and remediation immediately. The final report is the reviewed record of the work, not the first time the client sees the issues.

Fixed-fee engagement

The engagement is scoped and priced up front. We do not charge by finding count, severity, or remediation round. The proposal sets out what is covered and who will work on it.

Engineer-led review

Manual review remains the core of the engagement. Tools help with coverage, pattern detection, and code navigation, but engineers decide what matters, reproduce issues where needed, and write every finding that goes into the report.

Reproductions for material issues

Where feasible and relevant, especially for more complex or higher risk issues, we implement proof of concept exploits or other concrete demonstrations so the client team can verify the issue and validate the fix.

Publication by agreement

Reports remain private unless the client agrees to publication. Where publication is approved, the final report is released with remediation status through the normal Sigma Prime process.

Critical

A direct and severe security failure with immediate risk to funds, protocol integrity, or core system operation. Requires urgent remediation before deployment or continued operation.

High

A significant break in a stated security property under realistic conditions. Can place funds, protocol behaviour, or critical workflows at meaningful risk.

Medium

A meaningful weakness that requires specific conditions, supporting assumptions, or interaction with other issues to produce broader impact.

Low

A hardening or robustness issue with limited immediate security impact, but still worth addressing as part of normal engineering maintenance.

Informational

A code quality, maintainability, or documentation issue without direct security impact.

Static analysis

Standard industry tooling used to identify known classes of implementation risk and support coverage during review.

Fuzzing and property testing

Automated execution against invariants, edge cases, and state transitions relevant to the reviewed system.

Custom internal tooling

Sigma Prime tooling built to support protocol analysis, infrastructure review, and codebase-specific investigation.

AI-assisted review workflows

Custom AI solutions and agents used to help understand unfamiliar codebases, identify bug classes, and speed up reviewer workflows. These systems assist engineers and do not replace engineering judgment.

How long does an engagement take?

Timelines depend on scope, code volume, and system complexity. Smart contract reviews are typically shorter than protocol or infrastructure reviews. The written proposal sets out the review window, reporting timeline, and remediation review assumptions.

How many engineers will work on it?

The team size depends on the scope. Some engagements run with two engineers, while broader reviews may involve a larger multi-engineer team. The proposal names the team assigned to the work.

Do you charge by finding?

No. The fee is fixed at scoping and covers the full engagement including remediation review and final report. We do not charge per finding, per severity, or per remediation round.

Will the report be public?

Only with client consent. Reports are private by default. If publication is agreed, the final report is released through our standard public reporting process.

What if you find a Critical bug?

Critical findings are escalated immediately. We will explain the impact, provide the technical basis for the assessment, and work with the client team on remediation review before signoff.

How do you handle changes during the engagement?

Material changes to the reviewed codebase are handled explicitly. Depending on the change, we may pause, re-scope, or agree a revised review target. Fixed-scope audits should review a stable target. For very dynamic teams shipping rolling releases and frequent PRs, we can support a different operating model through Embedded Security Support, but that should be planned separately from a fixed-scope audit.