POLKASPOTS
You break it, you buy it.
So let us break it first.
You're about to buy a company. We break into it first and tell you what we find. Then we work with their team to sort it out.
security@polkaspots.com
The Problem
Traditional due diligence is broken. You get a 200-page report written by someone who's never touched a terminal. It's full of risk matrices and colour-coded tables. The deal closes. The report goes in a drawer. Six months later something blows up that was buried on page 147.
Compliance certifications mean someone filled in a form correctly. They don't mean the production database isn't open to the internet.
What We Do
We try to break in — the same way a real attacker would. When we find something, we don't just write it up and walk away. We tell you what it means for the deal, give you a plan to fix it, and work with the target's engineers to get it done.
We get into the target's systems. Infrastructure, apps, cloud, data, code — we find out what's actually going on versus what's in the data room. Then we tell you plainly: walk away, renegotiate, or close with a plan and a budget to fix things.
Most security reviews stop when the deal closes. We don't. We work with the target's engineers to sort out what we found — here's what to fix first, here's how, here's what it'll take. Not auditors standing over their shoulder. Engineers who've done this before.
For firms with a portfolio, we keep watching. You'll know when something's gone wrong before it becomes a headline, not at the next annual review.
You get a short report that tells you what's wrong, how bad it is, and what it'll cost to sort out. Plus the full technical detail if your engineers want it. Not a 200-page PDF that nobody reads.
Fixed price. Usually takes a week or two. We can start fast — send us the details and we'll quote you within a day. You talk to the person doing the work, not a sales team.
What We've Found
Someone was about to put serious money into a SaaS company. We got into their entire customer database in four hours through a misconfigured API. Wasn't in the data room. Deal got renegotiated. We locked it down within a week of close.
PE firm buying a fintech platform. Production database was sitting on the open internet with default credentials. The company had a current ISO 27001 cert. We gave the buyer a plan to fix it before close and built the cost into the deal. Sorted within the first week.
Growth equity deal for an infrastructure company. Three critical unpatched holes in their customer-facing services, plus AWS keys hardcoded in a public GitHub repo. Seller had called their security posture "mature." Keys rotated, services patched, proper secrets management in place within ten days.
Strategic acquisition of a crypto exchange. The technical docs said hot and cold wallets were segregated. They weren't. Material misrepresentation caught before close. Wallet architecture redesigned post-acquisition.
Token acquisition of a DeFi protocol. Found a reentrancy vulnerability in the core Solidity contracts that would let an attacker drain the liquidity pool. A well-known audit firm had signed off on them. Contracts rewritten and redeployed before the deal closed.
PE roll-up of a healthtech platform. Chained three weaknesses together — an open endpoint leaked an internal API, which leaked staff credentials, which got us into the patient records database. None of them looked critical on their own. Together they were devastating. Full chain closed within two weeks.
Late-stage VC round in a B2B SaaS company. Found an admin panel at a predictable URL with no login. Full tenant data for every customer — including the investor's own portfolio company. Found it in the first thirty minutes.
Strategic investment in a smart contract platform. The deployed contracts had privileged owner functions with no timelock and no multisig. One compromised key and all user funds were gone. Governance and key management overhauled after close.
These are representative. Real engagements are confidential.
Who This Is For
If you're buying a company — or investing in one — and you want to know whether the tech is actually solid before you sign, talk to us.
We work with PE firms, VCs, M&A lawyers, corporate finance advisors, insurance underwriters, and anyone else involved in a deal who'd rather find out now than find out later.
Who We Are
PolkaSpots was founded by Simon Morley: 20+ years breaking into things and building things. He's been the CTO who built trading platforms, managed thousands of devices, and shipped blockchain infrastructure. We know where engineers cut corners because we've been the ones doing it under pressure. That's why we find things others miss, and why we can help fix what we find instead of just writing it up.
We're also building NullRabbit — autonomous security tooling for critical infrastructure.
Get Started
- Send us the target details — company name, sector, what you know so far.
- We'll quote you within a day. Fixed price, no surprises.
- We find what's wrong, tell you what it means, and work with their team to sort it out.
Send us an email. We'll reply today.