A custody-grade audit of every wallet, vault, API key, signer, quorum and policy rule that stands between your business and a nine-figure loss. Built in Dubai for VARA, DFSA, ADGM, MiCA and NYDFS-regulated operators.
In nearly every major VASP incident ITSEC has been retained to investigate, the cryptography held. The signers held. The hardware modules held.
What gave way was the layer between them — the Transaction Authorization Policy that decides who can move what, to where, under which conditions, with which approvers.
A policy that ships secure on day one drifts over time. Engineering adds a rule for a one-off treasury sweep and never removes it. Finance requests read access and ends up with a key that enumerates every vault in the workspace. A deny rule is added below a broader allow and never fires. A quorum of three is satisfied by three people on the same Telegram group.
These are not theoretical. Our forensic practice has walked the timeline of insider-assisted custody attacks where the attacker did not break the custody platform — they walked through the door the policy left open. The telemetry was loud enough to detect them on day one, if anyone had been reading it.
The Digital Wallet Audit exists to close that door before someone else finds it.
Every engagement is scoped to your stack, but the canonical audit covers six interlocking layers — each with its own attack surface, failure modes, and evidence base.
Map the full topology — hot, warm, cold, deep-cold — across every asset and custody platform. Verify segmentation, key ceremony hygiene, backup material custody, signer device posture.
Line-by-line review of every policy rule. Test rule ordering, evaluation logic, deny precedence, source/destination filters, asset and amount thresholds, quorum integrity, callback fallback behavior.
Inventory every machine identity touching custody. Verify role-scoping vs. least-privilege, naming integrity, single-owner accountability, rotation history, IP allowlists, secret storage location.
Signer roster reconciliation, JML hygiene, device attestation, phishing-resistant authenticator coverage, signer-initiator separation, after-hours policy, break-glass account controls.
Verify every state-changing custody action emits a log, that logs reach a SIEM your SOC monitors, that anomalies trigger alerts, and that the on-call runbook for a suspected compromise is written, tested and owned.
Findings mapped to your applicable rulebook — VARA Custody & BD, DFSA Crypto Token, ADGM FSRA, MiCA Title V, NYDFS Part 200, MAS PSA — closing risk and compliance gaps simultaneously.
Each is a finding category in our register, ranked by exploitability, tied to specific rule IDs in your environment, and shipped with a remediation playbook.
The intent was correct; the ordering defeated it. The rule never executes. We rebuild the rule-evaluation tree, simulate the full traffic envelope, and surface every rule that is dead, shadowed, or unreachable.
The quorum is technically satisfied while the underlying principals are the same human across two devices, or a tight social cluster who approve each other by default. We re-derive the quorum graph and stress-test it.
No one reviews them. The TAP happily routes funds to whoever holds the key today. We audit every whitelist entry for freshness, ownership confirmation cadence, and procedural control.
An attacker who steals such a key cannot move funds — but can enumerate the full custody topology, identify high-value targets, and map signer behavior. Tens of thousands of enumeration calls can pass undetected.
A test or development workspace shares signer identities, whitelists, or API key conventions with production. Compromise of the lower-trust environment escalates trivially.
The fail-open path is rarely documented and almost never tested. We force every external callback into degraded states and observe what the TAP actually does when dependencies disappear.
A newly listed asset moves under default policy — almost always more permissive than curated rules. We verify listing-to-policy lag for every recently added token and the procedural control that should be closing it.
Signers approving hundreds of routine transactions stop reading destination, amount, or asset and approve on muscle memory. We measure approval latency, batch-approval patterns, and dwell time per transaction.
A standard Digital Wallet Audit runs four to six weeks, scaled to your custody footprint. Production operations are uninterrupted throughout.
Platform inventory, vault and wallet topology mapping, business-intent interviews with treasury, operations, and compliance, regulatory scope confirmation, evidence-collection plan, and signed scope agreement.
Read-only extraction of policy rules, API key inventory, signer rosters, whitelist registers, and access logs. Zero interruption to production. All evidence handled under signed scope and data-handling agreement.
Line-by-line policy review, business-intent re-derivation, role and quorum reconstruction, telemetry gap analysis. Where authorized, controlled adversary emulation against staging workspaces validates detection coverage.
Findings ranked by exploitability and regulatory exposure. Remediation steps with owner and effort estimate. Draft policy revisions in your platform's native rule syntax — ready to apply. Executive readout and board-grade summary suitable for supervisory submission.
After your team applies remediations, we re-test to confirm closure and issue a verification letter suitable for regulators, audit committees, and counterparty due diligence.
Board and regulator-grade summary of findings, risk posture, and remediation status. Submissible to supervisory authorities under NDA.
Every finding with severity, exploit path, evidence, affected rule, and remediation owner. Indexed against F-01 through F-08.
Your TAP rewritten from business-intent first principles, in your platform's native rule syntax, ready to stage and apply.
Inventory of every machine identity with role, owner, rotation status, downstream consumer, and recommended action.
Every state-changing custody event mapped to its log source, SIEM destination, and alert rule, with gaps highlighted and detection content recommended.
Findings mapped to VARA, DFSA, ADGM, MiCA, NYDFS, or MAS obligations — closing risk and compliance gaps simultaneously.
Issued after remediation. Suitable for supervisory submission, audit committees, and counterparty due diligence.
"ITSEC's TAP review identified policy gaps our internal team and previous Big-4 auditor had missed for over a year. The re-derived policy was production-ready and the verification letter saved us six weeks of regulator back-and-forth." — Head of Compliance, UAE VASP (Name withheld per NDA)
Custody, Broker-Dealer, Exchange, VA Management & Investment categories.
Issuers and custodians operating in or from the DIFC.
OTC, exchange, and custody categories under FSRA oversight.
Preparing for or operating under Title V custody obligations.
Counterparty settlement at scale; treasury and prime-broker custody.
Proprietary, omnibus, and segregated customer custody operations.
RWA reserve custody and backing collateral protection.
Institutional MPC, multi-sig, balance-sheet digital asset holdings.
| Capability | ITSEC | Big 4 Firms | Local Boutiques |
|---|---|---|---|
| Audit delivery | 4 – 6 weeks fixed | 3 – 4 months | 6 – 10 weeks variable |
| Methodology depth | Built backwards from real custody breaches | Generic SOC 2 / ISO templates | Surface checklist audits |
| TAP re-derivation | Native syntax · production-ready | Not offered | Recommendations only |
| VARA / DFSA / ADGM relationships | 100% pass rate · direct supervisory access | No specialised knowledge | Limited project base |
| Pricing model | Fixed-price packages | T&M billing (unpredictable) | Variable pricing |
| Team location | UAE-based · onshore delivery | Offshore fly-in | UAE but small bench |
| Forensic provenance | 8-figure custody breach investigations | Audit-only · no IR exposure | None published |
A single point-in-time audit for regulatory submission or board readiness — or a 12-month continuous assurance program for VARA-licensed operators carrying ongoing supervisory obligations.
Single 4–6 week engagement. Point-in-time custody control evidence for VARA submission, board readiness, counterparty due diligence, or M&A diligence.
Annual subscription for VARA-licensed VASPs and institutional custodians carrying ongoing supervisory obligations. Baseline audit + four quarterly delta reviews + continuous SIEM monitoring.
Multi-entity engagements, additional custody platforms, and enterprise group programs priced on request. All engagements fixed-price (no T&M billing). Onshore UAE delivery. NDA signed before scoping. Speak with an expert →
Slither, Mythril, Echidna, Manticore + manual review. 500+ contracts audited, $2B+ secured.
End-to-end security validation for cryptocurrency exchanges. VARA compliance-focused.
VARA-compliant verification, cryptographic attestation, Merkle tree validation.
Ongoing security oversight for evolving blockchain platforms and protocols.
Virtual executive security leadership for regulated digital asset operators.
Deep-dive on the regulatory framework governing virtual asset operations in Dubai.
Get a comprehensive security assessment from our expert team. Protecting businesses since 2011.
Usually replies within 1 hour
AI-Powered • 24/7 Active