Track Record

Evidence of partnership engagements — what we can show without crossing the NDA boundary.

Public engagement portfolio, redacted to respect signed NDAs. Full detail unlocks with an executed mutual NDA and an identity-verification step. We respond personally.

Request engagement

What “engagement evidence” means here.

Most security firms publish detailed case studies with named clients. We don’t. Every QSearch engagement carries an NDA, and we honor it absolutely.

Below: a redacted glimpse of the engagement portfolio. Each card shows sector, scope class, and engagement-outcome class. Client names, specific findings, and technical detail stay behind the NDA gate.

If you’re evaluating QSearch as a partner: complete the verification flow, the full engagement records unlock, and we respond personally. There’s no drip funnel on the other side.

Engagement portfolio

Fiduciary · SwitzerlandContinuous engagement

Swiss fiduciary, multi-decade history, audit-grade client portfolios under management.

Continuous attack surface monitoring across redacted surfaces
Adversarial testing of redacted integrations and data flows
Compliance gap mapping against FADP and GDPR

Outcome: critical-class findings disclosed and resolved without operational interruption. Engagement ongoing.

E-commerce · EUAssessment

European e-commerce operator, multi-tenant SaaS surface, regulated-payment integrations.

Authentication boundary analysis across redacted customer flows
API authorization audit against redacted payment endpoints
Business-logic-flaw chain testing across checkout funnels

Outcome: working-evidence findings delivered; transition to continuous engagement initiated.

Web agency · EUEngagement scoping

Multi-client web agency, AI-augmented development velocity, mixed client-side exposure.

Per-client surface inventory across redacted active properties
AI-augmented dev workflow review against shipped code paths
Cross-client credential-exposure mapping

Outcome: per-client risk register produced; engagement scoped for staged remediation.

Unlock the full engagement records.

Two-minute form. We sign and counter-sign within one business day. After identity verification, the full engagement records unlock for thirty days.

Researcher-quality signal

Engagement work isn’t where our researchers stop.

400+

Outside of partnership engagements, the QSearch team runs an active bug-bounty practice across HackerOne, Bugcrowd, Immunefi, and direct-disclosure channels. The result, as of this page’s last publication: 400+ vulnerabilities confirmed by vendors including Google, Telegram, PayPal, OSL, Brave, GitLab, and others — every disclosure resolved under coordinated channels.

The same researcher caliber attacks your environment in an engagement. Bug-bounty work is the lab; engagements are the practice.

Platform recognition

HackerOneBugcrowdImmunefi

Verifiable through public bug-bounty disclosure records. Bug-bounty work is independent of partnership engagements; the disclosure timeline is set by each vendor.

Outcome distribution

Across the engagement portfolio, findings break down by severity class. Counts shown reflect the latest engagement-log refresh.

Critical-class findings disclosed23
High-class findings disclosed41
Compliance gaps mapped67
Engagements with zero post-engagement incidents5/5

Operating under Swiss law.

FADP
GDPR-aligned
EU AI Act compliant
Swiss-based offensive security

Every QSearch engagement carries my signature.

If you’ve read this far, what you’ve seen is the public surface of the engagement portfolio — redacted because that’s what NDAs mean. If you’re evaluating QSearch as a partner, complete the verification flow above and the full record unlocks. I’ll respond within one business day.

— QSearch Security Research · Switzerland

Speak with the founder Start the walkthrough