About — Built by operators, for operators

// Our origin

The gap we couldn't ignore.

We watched too many enterprises pass an audit on Friday and get breached on Monday. The disconnect was structural: most security firms graded paperwork, not posture. The ones that did real work were boutique to the point of being unreachable.

Velarynt was built to occupy the space in between — boutique-grade execution at the scale and predictability a regulated enterprise actually needs.

Today we run engagements across six continents, operate a 24/7 SOC out of two regions, and publish original research that's cited by CISA and MITRE.

~/principles.txt

# What we believe ▸ Findings without exploitation are hypotheses, not vulnerabilities. ▸ A red team that doesn't make defenders better is just bragging. ▸ Reports are written for engineers. Executives get the narrative. ▸ Every operator on staff has built systems, not just broken them. ▸ If we can't explain the fix, we haven't earned the finding.

// What guides us

Five operating principles.

Adversarial empathy

We model the actual attacker — funded, patient, and goal-oriented. Not a checklist.

Engineering rigour

Every operator can read source, ship a patch, or explain a fix line by line.

Operational humility

We disclose responsibly, retest thoroughly, and never overclaim impact.

Transparent process

Daily standups with your team. Live finding boards. No black-box deliverables.

Continuous research

Ten percent of every consultant's time is reserved for original research.

Earned trust

Background-checked operators, scope-bound contracts, and full chain-of-evidence on every engagement.

// Leadership

Operators, not pitchmen.

The people running Velarynt still carry pagers. Every member of leadership has shipped engagements within the last quarter.

M. Reyes

Founder & CEO

Former red team lead at a Fortune 50 financial. OSCE, OSEP, GXPN.

A. Okonkwo

Chief Technology Officer

15 years in platform security. Maintainer on three OSS projects.

L. Hartwell

VP, Offensive Operations

Built and led adversary-emulation programs for two cloud providers.

S. Demir

VP, Threat Intelligence

Former intelligence analyst. Co-authored CVEs in industrial control systems.

J. Ortega

Director of Incident Response

Led response on 200+ incidents including three nation-state intrusions.

P. Bhattacharya

Director of Research

Published in Black Hat, DEF CON, and IEEE S&P. PhD, applied cryptography.

// Credentials & affiliations

Verified expertise across the discipline.

Our consultants hold senior offensive certifications and our company maintains the operational standards expected by regulated clients.

OSCP OSCE OSEP OSWE GXPN GPEN GWAPT GCIH CISSP CCSP CREST CRT CREST CCT SOC 2 Type II ISO 27001 PCI QSA MITRE Engenuity FIRST Member

// Work with us

Talk to a senior operator.

No SDR funnel. The first call is with someone who's actually run engagements.

Get in touch →

Built by operators. For organizations that take threats seriously.