Infrastructure Audits

Infrastructure audits cover the systems that build, deploy, operate, and protect blockchain software in production. That includes cloud environments, CI/CD, signer infrastructure, validator and sequencer operations, privileged access paths, and the operational controls that determine whether an attacker can bypass otherwise well-reviewed code.

What we cover.

Typical scope includes the production paths that matter most:

  • Cloud and network architecture. Account boundaries, segmentation, exposed services, service mesh assumptions, and access paths into production workloads.

  • CI/CD and release integrity. Branch protections, artifact provenance, build isolation, deployment approval, rollback paths, and secret exposure in pipelines.

  • Signer and privileged-access workflows. KMS or HSM usage, secret distribution, rotation procedures, emergency approvals, and the blast radius of a compromised operator or credential.

  • Runtime hardening. Kubernetes, container, VM, and host posture for systems running validators, sequencers, indexers, relayers, wallets, or RPC infrastructure.

  • Observability, response, and recovery. Logging coverage, alert quality, runbooks, escalation paths, and the controls needed to respond before value moves.

  • Targeted validation of likely compromise paths across infrastructure, applications, operator workflows, and third-party services.

How we run infrastructure audits.

We start from an asset and trust-boundary map, then follow realistic compromise paths from initial access to production impact.

The work combines architecture review, configuration inspection, and targeted validation of the most sensitive paths. The deliverable is not a checklist; it is a prioritized plan for removing credible attack paths.

Findings are written for engineering and operations teams to act on directly: affected control, exploit path, impact, recommended change, and validation step.

Where these audits find risk.

Audited code still depends on its environment

A contract, client, or sequencer can be well reviewed and still be exposed through the systems that build, deploy, configure, and operate it. Infrastructure review asks where an attacker can avoid the audited path entirely: a leaked token, a weak release gate, an overpowered cloud role, a CI job with production secrets, or an untested rollback path.

Signer and deployment boundaries matter

For blockchain teams, the sensitive boundary is often not the web server. It is the path to a deployment key, validator key, sequencer key, upgrade multisig, bridge relayer, admin panel, or production RPC credential. We map who can touch those paths and what has to fail before value or protocol control is affected.

Inputs that make the review sharper

  • Cloud account structure, network diagrams, production role maps, and access policies.

  • CI/CD configuration, artifact flow, branch protections, deployment approvals, and rollback process.

  • Secret handling, key custody, signer infrastructure, rotation procedure, and emergency access.

  • Alert rules, runbooks, incident history, and the current escalation path.

Frequently asked questions.

  • Is this a cloud security audit?

    Cloud is usually part of the work, but the scope is broader. We review the full production path around a blockchain system: build, release, secrets, signer boundaries, runtime controls, observability, and incident response.

  • Can you review validator or sequencer infrastructure?

    Yes. Validator and sequencer operations are a core fit because we operate production blockchain infrastructure ourselves.

  • Does this replace a smart contract or protocol audit?

    No. It complements code review by testing the systems that deploy, operate, and protect that code in production.

Scope an infrastructure audit.

Tell us what you run, how it is deployed, and which production paths matter most. We will propose a focused infrastructure audit.