Operational Security Review

Your code is audited.
Is your operation?

An audit covers the protocol layer. The Operational Security Review covers the other two: how your system is built and deployed, and how your team runs it. Code and operations are two different threat surfaces. An audit only looks at the first one.

52% of all Web3 user-fund losses since 2022 came from human-vector attacks, not code defects

6/10 of the largest exploit-loss categories cannot be found through code review

$7.76B lost across 218 documented incidents, 2022 – Q1 2026 (source: our research with rekt.news)

Why it matters

Where the big losses actually originate

Multisig misconfigurations, key management failures, governance exploits, deployment mistakes. A perfectly audited contract offers no protection if the deployer key is compromised. Our State of Web3 Security report shows human-vector attacks now exceed every code-level defect category combined.

Scope

What the review covers

Multisig design & signing

Threshold design, signer independence, signing ceremonies, out-of-band verification.

Key management

Generation, storage, rotation, and revocation of deployer, admin, and validator keys.

Access control

Who can touch what: accounts, devices, repositories, cloud consoles, and SaaS.

Governance & timelocks

Quorums, delegation, emergency powers, and whether timelocks sit on the critical path.

Deployment security

CI/CD integrity, bytecode verification, upgrade paths, and release authority.

Validator infrastructure

Node operations, monitoring, and the control planes behind your network presence.

Incident response

Runbooks, pause authority, escalation paths, and recovery ability.

The review applies TRACE for Systems and TRACE for Organisations: a structured model of your trust boundaries, privileged roles, and critical invariants, with a prioritised risk register and a 30/60/90-day hardening roadmap, not a compliance checkbox. We tailor the scope to your setup. Complex environments (validators, multi-chain, custody) are quoted individually.

Security Alliance (SEAL)

Get SEAL certified on the back of it

We're an accredited firm for the Security Alliance (SEAL) operational security certification. The same review can take you through their framework, and when you pass, SEAL issues a verifiable on-chain attestation through the Ethereum Attestation Service. It covers multisig ops, treasury, incident response, infrastructure, DNS, and identity.


Request a review

Tell us about your project and we will get back to you within one business day.
