cyber security services

We are a team of cybersecurity professionals from Ukraine. Our consulting services include the assessment and implementation of information security, as well as training and workshops. 

We cover all stages of the system life cycle – from planning and engineering to security management and incident investigations. Our experience includes both security governance and deep technical skills, including software reverse engineering, 0-day vulnerability research, manual security review of source code, Red Team exercises, etc. 

The highest qualification, flexibility and reliability are our main distinctions:

- Experience in information security. We have worked in cyber security since 2001, in different sectors. Late in 2015, we initiated the H-X project. 

- International security certifications. We earned and keep up-to-date international security certifications (CISSP, CISA, CEH, OSCP, CLPTP, etc.). 

- Absolute legitimacy and confidentiality. The employees of H-X technologies strictly adhere to laws, regulations, corporate Code of Ethics and Penetration Testing Code of Ethics. We are ethical, white-hat hackers. Our specialists sign your commitment forms personally, just like your employees. 

- The highest customization and flexibility. Our approach allows the customer to understand more accurately what they pay for. This is our know-how and our main distinction from competitors.

- The highest quality. H-X uses modern comprehensive methodologies and tools. In every project, we develop suggestions for continuous improvement and track changes in the security of our customers over the years.

 

 
$1,000+
$25 - $49 / hr
10 - 49
Founded: 2015
Headquarters: Kyiv, Ukraine

Portfolio

Key clients: 

IT companies (both product and outsourcing ones), as well as construction, automotive, e-commerce, industrial, medical, pharmaceutical, telecommunication, retail, insurance companies, banks and governmental organizations, etc. Any company that values its information, online services, compliance, privacy and business continuity is our potential client. We negotiate with the company owners, directors, CEO, CIO, CSO, CISO, CTO, CAE, CFO, IT and security specialists, or similar roles.

Security incident response. Forensic investigations

It is always wiser and cheaper to prevent than to ‘cure’ or to ‘make an autopsy’, but if you are under attack now or require a cyber security incident investigation, you can get help here.

Our experts help mitigate and cease cyber attacks and other computer incidents, restore data and normal operations. Specialists of H-X Technologies take into account your business goals to choose the right incident response strategy and give corresponding priorities to your data integrity or confidentiality, your business continuity, identification of the attackers or their prosecution.

We provide detailed forensic examination and analysis of computers, hard drives, mobile devices and digital media. We know how to investigate difficult cases and employ cutting-edge techniques such as analysis of Random-Access Memory (RAM), registry, shadow volumes, timeline analysis and other methods.

Over the last few years, we have witnessed an increase in computer crime. Criminals are becoming more aware of digital forensic and investigation capabilities and therefore use more sophisticated methods to commit their crimes without leaving the usual evidence. Computer forensics and digital investigation methods are constantly evolving to identify, respond to, examine, analyze and report on computer security incidents.

Our skills include, but are not limited to:

  • Acquiring Data and Evidence
  • Live Incident Response and Volatile Evidence Collection
  • Advanced Forensic Evidence Acquisition and Imaging
  • File System Timeline Analysis
  • Advanced File & Registry Analysis including Unallocated Metadata and File Content Types
  • Discovering Malware on a Host
  • Recovering Files
  • Application Footprinting and Software Forensics
  • Data Preservation
  • System Media and Artifact Analysis
  • Database Forensics
  • Mobile Forensics

Managed Security and Compliance: ISO 27001, etc.

Audit, implementation and support of ISO 27001, PCI DSS, VDA, TISAX, ISO 16949, ASPICE, HIPAA, GDPR and other standards and regulations. Official certification

The international standard ISO/IEC 27001:2013 “Information technology – Security techniques – Information security management systems – Requirements” is the most recognized worldwide framework for building modern Information Security Management Systems (ISMS) and their official certification.

Our certifications (CISSP, ISO 27001 Lead Auditor, CISA, OSCP, CEH, etc.) allow us to cover both formal and practical aspects of security compliance and security management.

When building an ISMS or security controls, we rely not only on ISO 27001/27002 or PCI DSS, but also actively use other standards and frameworks, when this is appropriate or explicitly required by our customers or their partners. For example, ISF SoGP (Information Security Forum Standard of Good Practice for Information Security), COBIT (Control Objectives for Information & Associated Technologies), VDA ISA (Verband der Automobilindustrie - Association of the Automotive Industry - Information Security Assessment), TISAX (Trusted Information Security Assessment Exchange), ISO/TS 16949, ASPICE (Automotive Software Performance Improvement and Capability dEtermination), HIPAA (Health Insurance Portability and Accountability Act), GDPR (General Data Privacy Regulation), and so on.

Our approach to implementation begins with simple steps in order to give you the first value for free, to introduce you to the process and to allow you to understand clearly the essence of the implementation works and your role in them.

Audit of Smart Contracts

We review and verify project specifications and the source code of smart contracts to assess their overall security, with a focus on weaknesses and potential vulnerabilities. We complement our findings with solutions that mitigate the risk of future attacks or loopholes.

PROBLEMS OF SMART CONTRACTS

  • Inconsistency between specification and implementation
  • Flawed design, logic, or access control
  • Arithmetic overflow operations (integer overflow and underflow)
  • Reentrancy attacks, code injection attacks, and Denial of Service attacks
  • Exceeded limits on bytecode and gas usage
  • Miner attacks on timestamp and ordering, transaction-ordering dependence (TOD)
  • Race conditions, other known attacks and access control violations

METHODS AND TOOLS

    Our audits of smart contracts comply with the following requirements:

    1. The goal of the smart-contract audit is a meticulous code analysis to find security flaws and vulnerabilities.
    2. The security audit is performed using a combination of manual and automated tools and techniques to identify vulnerabilities within the target environment and to model their exploitation.
    3. The smart contract audit includes the following stages:
    4. The tests are conducted by a team of specialists with more than 17 years of experience in different IT security domains, who hold CISSP, OSCP, CISA and CEH certifications.
    5. In general, the code review follows the best practices: Solidity Style Guide and Ethereum Smart Contract Security Best Practices.

    The tools we use: Slither, securify, Mythril, Sūrya, Solgraph, Truffle, Geth, Ganache, Mist, Metamask, solhint, mythx, etc.

     

    VDA ISA and TISAX implementation

    International information security standard VDA ISA was developed by the German Association of the Automotive Industry VDA (Verband der Automobilindustrie) based on ISO/IEC 27001 and 27002 standards.

    Our certifications (CISSP, ISO 27001 Lead Auditor, CISA, OSCP, CEH, etc.) allow us to cover both formal and practical aspects of security compliance and security management.

    The standard VDA ISA (Information Security Assessment) contains strictly structured information security assessment criteria, KPIs and additional optional modules:
    • Connection to 3rd parties
    • Data protection
    • Prototype protection

    TISAX (Trusted Information Security Assessment Exchange) is a framework for VDA ISA which allows independent vendors to share their certification and assessment results with their customers (usually from the automotive industry).

    When building an Information Security Management System (ISMS) and security controls, we rely not only on ISO 27001/27002, VDA ISA and TISAX requirements, but also actively use other standards and frameworks, when this is appropriate or explicitly required by our customers or their partners. For example, ISO/TS 16949, ASPICE (Automotive Software Performance Improvement and Capability dEtermination), GDPR (General Data Privacy Regulation), and so on.

    Our approach to implementation begins with simple steps so that you receive the first results for free. That would also introduce you to the process and help you understand how the implementation works and your role in it.

    Security audit and Penetration testing

    Penetration testing (pentest, pen-test) is a security assessment of IT systems, personnel or the whole organization, using ethical hacking methods ("white hat"). Security experts simulate the behavior of computer criminals to assess whether unauthorized access, leakage of confidential information, interruption of service, physical intrusion, or other security incidents are possible. A pentest is not only an automated vulnerability scan, but mostly manual work. Depending on your preferences, the pentest may include interaction with your staff (social engineering).

    We have wide, deep and unique experience and competence in IT and corporate security: both in GRC (Governance, Risk management and Compliance) and in technical security, and both in Defensive Security and Offensive Security.

    We are highly qualified, flexible and reliable:

    • Experience in information security
    • International security certificates
    • Absolute legitimacy and confidentiality
    • Highest customization and flexibility
    • Highest quality

    Our pentests are at the highest level: reverse engineering, 0-day vulnerability research, Red Team, etc.

    • We participate in and win CTF and bug bounty.
    • We effectively do security analysis of source code and find vulnerabilities and problems that even commercial static security scanners cannot find.
    • We have rare competencies, such as the auditing of smart contracts.
    • We teach software architects, developers and testers how to program securely.
    • We have decades of experience in large international corporations.

    Security of industrial information technology (IT) and operational technology (OT)

    Security of industrial information technology (IT) and operational technology (OT): Industrial Control System (ICS) and Supervisory Control And Data Acquisition (SCADA)

    We provide Industrial IT/OT Security audit, implementation and training services together with our partners AT Engineering (ATE). This is a team of software, electrical and industrial process engineers who specialize in the field of industrial automation.

    ATE's staff have experience in industrial automation and software dating back to 1995, and they have completed more than 120 projects. Since 2005, they have completed more than 80 projects with an average capacity of 500 man-hours each.

    Our international certifications in industrial IT/OT security are ISA CFS and CRS. Our international certifications in general information security are ISC2 CISSP and SSCP, ISACA CISA, Offensive Security OSCP, EC-Council CEH, ISO 27001 Audit/Implementation and others.

    To show the level of our competence and erudition, the methods and tools that we use in everyday work are listed below.

    For audits, consultations and implementations in the field of security of technological processes, operations, equipment and software of industrial IT/OT, we use the following standards, frameworks and methodologies:

    • ISO/IEC 27001, VDA/TISAX
    • ISA99, ISA/IEC 62443
    • North American Electric Reliability Corporation (NERC) Reliability and Security Guidelines
    • NIST SP 800-82 Guide to Industrial Control Systems (ICS) Security, NIST Framework for Improving Critical Infrastructure Cybersecurity
    • DHS guidelines for critical infrastructure protection and the Critical Infrastructure Protection framework

    In the field of assessment and implementation of OT security, we work at the level of specific vendors. For example, we work with Siemens PLCs using Step7 and TIA Portal, with Schneider Electric equipment using Concept, UnityPro and SoMachine, with Mitsubishi using GX Works, with Omron using CXOne, with Carel using 1tool and with Wago using CoDeSys.

    In urgent cases, when it comes to preventing great material damage from a security incident, we are able to reverse engineer not only industrial software code, but also proprietary industrial protocols.

    We assess the security of SCADA computers and switches using common automatic and semi-automatic tools (vulnerability databases and scanners, exploits, IDS, IPS, EDR, SIEM, SOAR, etc.) with special configurations, and we also do manual analysis of SCADA scripts and other source code in white box mode.

    Security analysis of source code

    Get an outstanding level of security with our automated and manual analysis of source code of your applications, smart contracts, services and software components!

    You will never get this level of assurance from penetration testing, solely automated code review or any other security activity. This service can be delivered as a separate project, in combination with white-box penetration testing or as part of Application Security or Security Assessment services.

    Check out our business cases of security analysis of source code.

    The objective of this analysis is a security assessment of the source code of your systems or applications: checking the integrity and consistency of your code and its adherence to secure coding principles, and finding unsafe or deprecated functions, hidden logic bombs and traps, backdoors, undocumented features, non-optimal coding practices and OWASP Top 10 vulnerabilities.

    We support the following languages:

    • .NET/ASP.NET
    • Java EE (JBoss, Tomcat, etc.)
    • Java Android
    • Objective-C/Swift iOS/macOS
    • PHP
    • JavaScript
    • Python
    • C/C++/Assembler
    • Solidity
    • Golang
    • Lua
    • your language or platform.

    To achieve the objectives, the auditors use two methods:

    • SAST (Static Application Security Testing), which allows analyzing source code for known vulnerabilities using automated tools.
    • Manual source code review and analysis, in order to reveal unsafe and non-optimal coding practices, hidden logic bombs and traps, backdoors and undocumented features.

     

    Reviews

    Cybersecurity for Cloud IT Solutions Company

    "They know what they're doing."

    Quality: 5.0
    Schedule: 5.0
    Cost: 5.0
    Willing to refer: 5.0
    The Project
    $10,000 to $49,999
    Jan. 2019 - Jan. 2020
    Project summary: 

    H-X Technologies provided security consulting and testing to help an IT firm qualify for an information security certificate. 

    The Reviewer
    51-200 Employees
    Kyiv, Ukraine
    Artem Savotin
    Managing Director, AMERIA UKRAINE
    Verified
    The Review
    Feedback summary: 

    The firm is now officially certified, and H-X Technologies's consulting and tests improved the client's software security. They led a smooth workflow from start to finish thanks to quick response times and a high level of knowledge.

    The client submitted this review online.

    BACKGROUND

    Please describe your company and your position there.

    I’m the managing director of the German IT / product company AMERIA AG in Ukraine.

    OPPORTUNITY / CHALLENGE

    For what projects/services did your company hire H-X Technologies?

    We develop a product, Connected Experience, and we had to get to another level of security and get an automotive-related ISO certificate called TISAX. Then we also ordered a black and grey box pentest and are still working on a monthly fee to have a permanent security officer from the UA side.

    What were your goals for this project?

    We had to get a new level of official automotive certification, TISAX.

    SOLUTION

    How did you select this vendor?

    The company did security training for us in the past. We decided to go with them. But we made an analysis of a couple of other companies, also from Germany.

    Describe the project in detail.

    We’ve got a full-time person for TISAX preparation and constant consulting from the company. We planned many activities by flying to Germany to HQ many times and got on to the level to make an exam.

    What was the team composition?

    We had one full-time employee from the company, me (accountable and then doing the exam), a German security officer and a couple of background people who helped from both sides.

    RESULTS & FEEDBACK

    Can you share any outcomes from the project that demonstrate progress or success?

    We are TISAX certified, also made pentests, and improved the security of our software.

    How effective was the workflow between your team and theirs?

    All was fine; we liked the response time and permanent cooperation.

    What did you find most impressive about this company?

    They know what they're doing; they are great consultants.

    Are there any areas for improvement?

    Can’t say so at the moment

    5.0
    Overall Score
    • 5.0 Scheduling
      ON TIME / DEADLINES
    • 5.0 Cost
      Value / within estimates
    • 5.0 Quality
      Service & deliverables
    • 5.0 NPS
      Willing to refer

    Audit & Penetration Testing for Construction Company

    "We are completely satisfied with the work of H-X Technologies. Their colleagues fulfilled all our expectations."

    Quality: 5.0
    Schedule: 5.0
    Cost: 5.0
    Willing to refer: 5.0
    The Project
    Less than $10,000
    Aug. 2019 - Oct. 2019
    Project summary: 

    After helping with the planning phase of the project, H-X Technologies conducted an audit for a construction company. The team delivered reports outlining the assessment, any threats, and a few suggestions.

    The Reviewer
    1,001-5,000 Employees
    Nur-Sultan, Kazakhstan
    Altynay Lebakina
    Information & Analytical Department Head, BI Group
    Verified
    The Review
    Feedback summary: 

    The H-X Technologies team worked confidently and professionally throughout the engagement—from the planning phases through the final delivery. Although the majority of the partnership was remote, their team communicated clearly and completed each stage of the project on time. 

    The client submitted this review online.

    BACKGROUND

    Please describe your company and your position there.

    Our company is one of the biggest building companies in Kazakhstan.

    OPPORTUNITY / CHALLENGE

    For what projects/services did your company hire H-X Technologies?

    Information security was introduced not so long ago in our company, so it became necessary to conduct an external audit for vulnerabilities and weaknesses.

    What were your goals for this project?

    We wanted to see our weaknesses in business processes, infrastructure and web applications being developed.

    SOLUTION

    How did you select this vendor?

    We were looking for a company that would suit us according to the principle: price-quality. Compared the methods and tools of the audit, requested samples of reports at the exit. As a result, two companies remained and the choice was made by H-X Technologies.

    Describe the project in detail.

    A project plan was developed, and online meetings were organized every week throughout the project. To conduct an audit of ISO27001, auditors came to our office for 2 days; other work was done remotely.

    What was the team composition?

    Roles and responsibilities in each area were identified. I contacted a senior auditor who came to our office in person. The project leader was contacted only via Skype.

    RESULTS & FEEDBACK

    Can you share any outcomes from the project that demonstrate progress or success?

    As a result, we received detailed reports in two areas of the project: a vulnerability report, a process maturity assessment, a general assessment of the information security status of our company, and recommendations for improving processes and enhancing protection against potential threats.

    How effective was the workflow between your team and theirs?

    From the very beginning, the stages of the project were determined, all the work was done on time. Throughout the joint work, no conflicts arose.

    What did you find most impressive about this company?

    Colleagues showed a good and confident level of professionalism. All work was carried out clearly, from the start of negotiations to the presentation of the final report.

    Are there any areas for improvement?

    We are completely satisfied with the work of H-X Technologies. Their colleagues fulfilled all our expectations.

    5.0
    Overall Score
    • 5.0 Scheduling
      ON TIME / DEADLINES
    • 5.0 Cost
      Value / within estimates
    • 5.0 Quality
      Service & deliverables
    • 5.0 NPS
      Willing to refer

    Cybersecurity Services for Migration Software Company

    "H-X Technologies has proper security practices."

    Quality: 5.0
    Schedule: 5.0
    Cost: 4.0
    Willing to refer: 5.0
    The Project
    Less than $10,000
    Jan. - Apr. 2019
    Project summary: 

    H-X Technologies did a security audit of the company’s cloud infrastructure as well as an external penetration test, identifying all security gaps and providing a report after which they did another test round.

    The Reviewer
    11-50 Employees
    Ukraine
    Victoria Pogrebniak
    IT Manager, FluentPro
    Verified
    The Review
    Feedback summary: 

    The project team found several critical vulnerabilities in the system in the span of three months and provided two kinds of reports based on their findings. Through weekly status reports and overall effective communication, H-X Technologies delivered on time and did an extensive and thorough job.

    A Clutch analyst personally interviewed this client over the phone. Below is an edited transcript.

    BACKGROUND

    Introduce your business and what you do there.

    I’m an IT project manager for FluentPro. Our main office is located in Redmond, Washington, but we have a customer care team in Ukraine as well as a development team and other resources.

    OPPORTUNITY / CHALLENGE

    What challenge were you trying to address with H-X Technologies?

    We have cloud-based applications and provide cloud services for project and portfolio management to customers working with Microsoft Project. One of our goals was to find a third-party enterprise that could do a penetration testing audit for us. Our cloud service provider is G Suite, and we identified H-X Technologies as an external provider for a security audit and penetration test for our service.

    SOLUTION

    What was the scope of their involvement?

    H-X Technologies conducted a security audit of our cloud infrastructure. This included an analysis of the kinds of security gaps we had on our cloud service and an external penetration testing of our application. Specifically, it was gray-box penetration testing. We provided them access to our cloud platform but without any login credentials or other details. We wanted to see how hackers from the outside world could enter our system.

    I believe they tested the application for one month and provided us with a penetration test report with recommendations on what we should improve in our company and solutions. After some research and after following their recommendations, we mitigated the high-risk exposures and relaunched the website. They performed another brute-force and penetration test after we took those mitigation measures, and worked according to OWASP 10.

    How did you come to work with H-X Technologies?

    I assessed different providers in Ukraine and H-X Technologies had very good reviews from other companies. They also had a great price and quality according to those reviews. We had a call with them, and they satisfied our requirements for the basic security tests we needed.

    How much have you invested with them?

    We invested $4,000 on this project.

    What is the status of this engagement?

    The collaboration lasted for three months and ended six months ago, around April 2019. There was a pre-security assessment, the testing itself, and a retesting after following their recommendations.

    RESULTS & FEEDBACK

    What evidence can you share that demonstrates the impact of the engagement?

    H-X Technologies was contracted for three months to look for various kinds of vulnerabilities, according to OWASP 10. In terms of success, they found vulnerabilities that were critical for our project. Every security company has its own approach for security testing, and we couldn’t know what kind of vulnerabilities H-X Technologies would find, so we didn’t track exact metrics.

    How did H-X Technologies perform from a project management standpoint?

    Project management was handled well. They sent us project status reports once a week and we always got effective communication from their side. They also sent us two kinds of reports that were agreed upon in the contract.

    What did you find most impressive about them?

    H-X Technologies has proper security practices. We checked a lot of things following the security assessment on our side as well and found the same vulnerabilities. Overall, H-X Technologies did an extensive assessment. They also provided an internal report for our company, along with a report we could show customers without confidential information around our vulnerabilities.

    Are there any areas they could improve?

    I haven’t dealt with other security companies, so I don’t have something to compare H-X Technologies with. We had a really good experience.

    Do you have any advice for future clients of theirs?

    I’d definitely recommend them to others, and we plan to use some of their services in the future for an ISO 27001 certification and other security audits.

    5.0
    Overall Score
    • 5.0 Scheduling
      ON TIME / DEADLINES
    • 4.0 Cost
      Value / within estimates
      I believe we found some cheaper companies, but it’s difficult for me to compare their quality to what H-X Technologies can do.
    • 5.0 Quality
      Service & deliverables
    • 5.0 NPS
      Willing to refer