Skip to content
IronSOC/Research/Code Audit

Research

Root causes live in code. So do the fixes.

After an incident, the real question is what in your code or configuration let it happen. Code audit is how IronSOC's structural recommendations become concrete: a reviewed finding, a PR-able fix, and a detection that fires if the pattern ever comes back.

Audit scope

The code that decides your blast radius.

We audit the code paths incidents actually trace through — ranked by the same risk model that drives detection, so effort goes where exploitation is likely, not where the checklist starts.

Agent tools & MCP servers

Tool definitions, MCP server manifests, and agent permission scopes. The most common finding class in AI estates: tools that can do far more than the agent ever needs — excessive agency waiting for an injection to use it.

Infrastructure as code

Terraform, CloudFormation, and Kubernetes RBAC. Where an incident's root cause is a trust boundary that never existed, the fix is a diff to the IaC — segment the network, split the trust zone, retire the pattern.

CI/CD pipelines

Secrets handling, artifact provenance, and who-can-trigger-what. Pipelines are the highest-blast-radius code most organizations never review as an attack surface.

Identity & auth flows

OAuth grant flows, token lifetimes, service-account key hygiene, and session handling. The audit traces what a stolen credential could actually reach, not what the diagram says it should.

What a finding becomes

Three artifacts per finding. Zero shelfware.

A concrete, PR-able change

Every finding lands as a specific change to specific code or config — reviewable, revertable, and owned. Not 'improve secrets hygiene'; a diff.

A detection if the pattern returns

Alongside the fix, a detection ships that fires if the vulnerable pattern reappears — in a new repo, a new pipeline, a new agent. The audit keeps working after the engagement ends.

A nag until it lands

Structural findings feed the daily analysis. If the same root cause keeps producing incidents, the recommendation escalates in every report until the fix ships. It does not get tired of asking.

Our own code

Held to the same bar.

An auditor whose own code is unreviewable has no standing. Ours is built to be inspected.

  • Detection logic is code: version controlled, peer reviewed, promoted through eval CI. The same bar we hold your code to.
  • The triage scorer is a transparent model — every weight and every per-signal contribution is inspectable on the proof page.
  • Audit findings and their eval cases live in git with attribution, so 'why does this rule exist' always has an answer.

Honest status

Code audits run inside engagements, tied to real incidents and real estates. There are no public audit reports yet, and we will not list anonymized “selected findings” that cannot be verified. When a customer approves publication, it appears here.

Scope an audit