// MODULE_07 · APPSEC · CODE_ASSURANCE · HITL_REVIEW

Application Security
& Code Assurance

Static analysis, dependency auditing, and human-in-the-loop threat review — baked into your SDLC before code ships. We surface what automated scanners miss.

// WHY_TTD_APPSEC

Most local pentest firms run commodity scanners.
We intercept what they miss.

Standard scanners — SonarQube, basic dependency checkers, off-the-shelf DAST — catch known CVEs. They weren't built to catch logic bombs with date triggers, obfuscated Blob URL injections, or framework impersonation payloads hidden in third-party assets and outsourced code.

Built for ASEAN's software supply chain: mixed internal/vendor codebases, government portals, fintech under BNM RMiT scrutiny. We're premium advisory — not commodity scanning.

Anti-evasion analysis — catches what automated tools miss
MITRE ATT&CK mapping on every finding
Human analyst review — no unreviewed reports
Structured JSON trigger records, SIEM-ready
BNM RMiT + PDPA alignment, built in
HRD Corp claimable training format

// SERVICE_OFFERINGS

01 From RM 15K / engagement

Premium Secure Code Review

Enterprises — fintech startups, e-commerce platforms, PLCs, GLCs — send us their critical code repositories or third-party web assets. Our analysis pipelines screen for logic bombs, obfuscated payloads, bypass techniques, and supply-chain injection vectors that standard tools cannot reach. Financial entities under Bank Negara Malaysia’s RMiT guidelines require rigorous application security testing — we deliver audit-ready output aligned to those requirements.

  • Target: Malaysian FinTech, E-commerce, PLCs, GLCs
  • Per-project fixed rate based on Lines of Code and complexity
  • Senior auditor day rate: RM 2,500 – RM 4,500 / day
  • Deliverable: annotated findings report + clean-vs-flagged diff + JSON trigger records
02 From RM 30K / corporate batch

HITL Analyst Training & SOC Upskilling

The same HITL Reviewer dashboard doubles as a hands-on AppSec training environment. We run corporate training for junior SOC analysts, QA engineers, and internal security teams — teaching them to identify code anomalies automated tools were never designed to catch. Structured around real threat scenarios: logic bomb analysis, framework impersonation, payload decoding, and MITRE ATT&CK classification with full Approve / Flag / Escalate workflow and structured JSON output.

  • Target: Corporate IT depts and internal security teams at Malaysian banks and financial institutions; Cyberjaya and Penang tech hubs
  • HRD Corp claimable — eligible under HRDF/HRD Corp scheme for enterprise training budgets
  • 2-day corporate workshop: from RM 3,000 / participant (min. 10–15 seats)
  • Content licensing: full dashboard + 20+ custom test cases — RM 20K – RM 40K flat fee
03 From RM 1,200 / month

Custom DevSecOps Tooling Integration

The core script parser and automated scoring engine, packaged as a plug-and-play internal code gatekeeper integrated directly into your CI/CD commit pipeline. Every pull request is scanned before merge. Critical findings block the build. SIEM-compatible JSON trigger records emitted automatically. Built for dev houses and system integrators handling outsourced government applications where third-party code could survive standard review processes.

  • Target: Software dev houses, system integrators, outsourced government application vendors
  • GitHub Actions, GitLab CI, Bitbucket pipelines — build gate on critical findings
  • B2B SaaS subscription: RM 1,200 – RM 3,500 / month (billed annually)
  • Enterprise licence option: RM 25,000 one-time setup + annual maintenance

// SCAN_COVERAGE

Static Code Analysis
AST-level scanning for injection vectors, hardcoded secrets, insecure patterns, and logic vulnerabilities across your full codebase.
SAST Secrets IaC
Dependency Auditing
CVE matching against your full dependency tree — npm, pip, composer, maven. Known vulnerabilities surfaced before they reach production.
SCA CVE SBOM
Frontend Payload Detection
Obfuscated script detection, base64 payload decoding, logic bomb identification, and framework-spoofing pattern matching in HTML and JS bundles.
XSS Logic Bombs Obfuscation
Human-in-the-Loop Review
Every automated flag reviewed by a security analyst. Structured threat records, decision audit trails, and JSON trigger records exported for your SIEM.
HITL Audit Trail MITRE ATT&CK
API & Endpoint Security
Authentication schema validation, rate limiting gaps, IDOR exposure, and insecure direct object reference scanning across REST and GraphQL surfaces.
OWASP API IDOR AuthZ
CI/CD Pipeline Integration
Scan gates baked into your GitHub Actions, GitLab CI, or Bitbucket pipelines. Fail builds on critical findings before merge.
Shift Left Gate PR Check

// HOW_WE_WORK

01
Ingest
Source files fed into the scanner on a rolling schedule — or on every pull request via CI hook. No agent install required for web assets.
02
Detect
Multi-pattern engine decodes obfuscated payloads, matches threat signatures, scores severity 0–100, and maps findings to MITRE ATT&CK. Detection logic runs server-side — not inspectable from the browser.
03
Review
Flagged files enter the HITL queue. Analyst approves, flags for fix, or escalates — with full annotated diff and structured JSON trigger record.
04
Remediate
Findings delivered as actionable tickets with clean-vs-flagged diff, remediation guidance, and optional code-level patch suggestions.

// LIVE_DEMO · HITL_REVIEWER

Try the Threat Reviewer — live

Analyse any HTML, JS, JSON, or PHP file for hidden threats — load a sample scenario, upload a file, or paste source code directly.

Detects

  • Base64 + Blob URL payload decoding
  • Logic bomb & date-trigger detection
  • Framework impersonation (Next.js, Nuxt, Gatsby)
  • Data exfiltration & cookie-steal patterns
  • MITRE ATT&CK classification on every finding

Output

  • Exportable JSON trigger record + .txt report
  • Server-side analysis — pattern library never exposed

Privacy & Limits

  • No file stored — scanned in memory, then discarded
  • Fair-use limits apply to keep the demo available for everyone
TTD Defence Scanner — HITL Reviewer Live

// DEMO INSTANCE — Production deployments include SIEM webhook output, analyst SSO gating, scan history logging, and full BNM RMiT audit trail.

// TOOLS_WE_USE

Semgrep Trivy Snyk OWASP ZAP Terser GitHub Actions GitLab CI MITRE ATT&CK Custom HITL Engine JSON Trigger Records BNM RMiT Aligned HRD Corp Claimable

// NEXT_STEP

Talk to Our Security Team Back to Services