Research
Security research, published openly.
Reports, open methodologies, and articles from our researchers. It's how we think out loud about protecting Web3, in public.
The State of Web3 Security 2022 – Q1 2026
Four years of data: 23,818 published audit findings from 22 firms, and 218 real-world exploit incidents worth US$7.76 billion in losses. Built with rekt.news.
TRACE. Threat modelling for organisations without a perimeter.
Threat actors, Roles, Assets, Critical invariants, Edges. One method, applied across protocols, systems, and organisations. We built it through our Web3 work, but it fits any team that no longer has a clean security perimeter.
Articles
From our researchers
Most Web3 losses don't start in the code
A perfectly audited contract won't help you if the deployer key leaks. Here's what an operational security review actually looks at.
June 4, 2026
Research
The State of Web3 Security 2022 – Q1 2026: six key findings
What 23,818 audit findings and 218 exploit incidents tell us about where Web3 actually loses money.
May 28, 2026
TRACE
Introducing TRACE: threat modelling without a perimeter
Why we built our own threat modelling methodology, what the five model objects are, and why it works beyond Web3.
May 20, 2026
Looking for our audit reports?
Every final audit report is transparently published to our GitHub repository.
Published audit reports