We've spent decades building software. We know exactly where the cracks hide.

We pentest apps, APIs, and AI systems for teams that need straight answers, not a sales pitch. And when the right tool doesn't exist, we build it.

Jason Gillam, founder of Mechanical Drake

Jason Gillam

Founder, CISSP

Building software since the VIC-20, breaking it professionally for 16 years. Yes, the Hawaiian shirts are intentional.

  • IANS Research Faculty
  • ISC2 Charlotte Metro — Board Member
  • OWASP Project Committee Member

The market profits from your confusion. We don't.

You've sat through the demos. The dashboards, the slide that just says "AI now", the quote that somehow triples by the third call. None of it tells you where your software actually stands. We think you deserve a straight answer to that question, and we think it shouldn't require a decoder ring.

  • 16+ years breaking software professionally
  • Hundreds of SMB pentests
  • C-suite security and engineering experience

What we do

Pentesting

Attackers are already using AI. Your pentest should too. We test apps, APIs, and the software built around AI, like chatbots and agents, for the flaws that actually get exploited. And we bring AI-driven tooling to every engagement, because testing like it's 2019 tells you nothing about 2026.

→ See how we test

The Lab

Where we chase the problems that fascinate us. No roadmap by committee, no investor deck, just interesting security problems and working solutions. Some become tools you can use. Right now on the bench: Web Attack Surface Monitor, a high-volume web app scanner we're building, and experiments in AI-directed pentesting, putting frontier security agents through their paces to see what they can really do.

→ See what's cooking

Approach

The Plan

01

Scope it right

First we get our heads around what you've actually built (the app, the API, or the AI system) and what's worth putting under the microscope. That tells us the real level of effort, so the scope fits the work instead of the work getting stretched to fit a quote.

02

Test with the lights on

We cover the standards you're expected to meet, the OWASP Top 10 and the rest, then keep going for the flaws a checklist never catches. And we do it in the open: you'll know when testing starts and stops, you'll hear from us the moment we find something serious instead of waiting for the report, and if you spot anything strange on your network while we're in there, tell us. It's probably us, but probably isn't certainly, so confirm with us rather than assume.

03

We don't disappear when the report lands

The report is the start of the fix, not the end of the conversation. For 90 days, the people doing the fixing can bring us questions, and we'll make sure they can reproduce every issue we found. Once you've patched the high and critical findings, we retest them and reissue the report and attestation, one cleanup pass inside that same window.

Ways to work

Single pentest

A focused engagement with a clear start and finish. You've got an app, an API, or an AI system that needs testing. We scope it, test it, and hand you a report you can actually act on. Best when something specific is driving it: an audit, a customer asking for proof, a launch you want to get right.

Targeted review

Not everything calls for a full pentest. Sometimes you need one specific thing looked at: a code review that satisfies a customer or checks a compliance box, a read on your architecture, a hard look at how your software actually gets built. Could be one of those, could be several. You tell us what's driving it and we scope to exactly that, nothing you don't need. Code reviews are human-led with AI in the loop, which works the same whether your team wrote the code or a model did. Best when you already know the gap you want closed, or you want someone with the range to help you find it.

Something that doesn't fit either box?

That's usually the most interesting conversation. Tell us what you're wrestling with and we'll find the shape together.

Every engagement is scoped to the actual work, not pulled off a rate card. You'll have a straight number before anything starts.

So, where does your software actually stand?

If we can help, we'll tell you how. If we can't, we'll tell you that too.

Start the conversation