Company

We find it first.

Offensive security that finds exploitable weaknesses before adversaries do. An offensive security firm of operators who would rather break your systems in a controlled engagement than read about it in the news.

Why we exist

Built to intercept the breach before it happens.

SubZeroSec was founded in 2019 by operators who spent years breaking into the systems other people assumed were secure. The pattern was always the same: the weakness was there long before the breach, waiting to be found. The only question was who found it first.

So we built a firm around a single discipline — offensive security. We intercept vulnerabilities on the path to becoming zero-days through penetration testing, red teaming, threat hunting, OSINT, and attack surface analysis, so that a breach never happens in the first place.

Our mission is simple: see your organization the way an adversary does, and tell you what they would do about it — before they get the chance. That is the meaning behind Before Zero. Beyond Breach.

What we stand for

The principles behind every engagement.

Offense informs defense

We earn our findings by compromise, not checklists. Everything we recommend is grounded in how a real attacker would actually break in.

Confidential by default

We hold our clients' most sensitive systems in trust. Discretion, tight scoping, and careful handling of evidence are non-negotiable.

Reports you can act on

A finding nobody can fix is noise. We prioritize by real business impact and write so engineers and executives both know what to do next.

Always a step ahead

Adversaries evolve, so we do too. We track the threat groups that matter and fold live tradecraft back into every engagement.

By the numbers

Findings that matter.

+127+ Critical Findings

Critical Findings

Confirmed critical-severity issues proven exploitable across client engagements.

+340+ Assessments Delivered

Assessments Delivered

Penetration tests, red-team operations, and hunts completed to date.

%98% Remediation Rate

Remediation Rate

Share of high and critical findings verified closed at retest.

+15+ Industries Secured

Industries Secured

Regulated and high-target sectors served, from banking to telecoms.

Leadership

The operators behind the work.

A senior bench of testers, red teamers, and intelligence specialists who have spent careers on the offensive side.

Meet the full team

Ahmed Raza

Co-Founder & CEO

Ahmed co-founded SubZeroSec to put offensive security within reach of organizations that can't afford to learn from a breach. He still reads every critical finding before it reaches a client.

Bilal Khan

Co-Founder & CTO

Bilal co-founded SubZeroSec and leads the technical practice — setting the bar for every engagement across application security, cloud, and the messy seams where they meet.

Standards

Built around the standards that matter.

We align our work to the standards and frameworks that set the bar, and hold our own house to the same scrutiny we apply to clients.

CREST

Independent accreditation of penetration testing and red-team services to a recognized professional standard.

Offensive Security

OSCP / OSCE

Hands-on, exploitation-focused certifications held by our operators, earned through practical compromise rather than multiple choice.

ISO/IEC 27001

ISO 27001

International standard for information security management, governing how we handle our own and our clients' data.

SOC 2 Type II

SOC 2

Independent attestation of our security, availability, and confidentiality controls over a sustained period.

PCI DSS

QSA

Qualified Security Assessor capability for testing and validating environments that store or process payment-card data.

CHECK

NCSC

UK National Cyber Security Centre scheme for delivering penetration testing to public-sector and critical national infrastructure.

See our full security posture on the Trust & Compliance page.

Get started

Before attackers find it.We will.

Book a security assessment and see your organization the way an adversary does.

Book Security Assessment Explore services

Confidential by default
NDA on request
Findings you can act on