Cybersecurity & AI Security Services
Quick answer

UnlockLive IT delivers end-to-end cybersecurity services for North American businesses, plus emerging-area work in LLM red teaming and AI agent security — penetration testing (web, mobile, cloud, internal), 24/7 SOC monitoring on Splunk / Sentinel / Elastic, vulnerability management, incident response with a 1-hour SLA on retainer, and full compliance programs for SOC 2, ISO 27001, PCI DSS, and HIPAA. Toronto-managed delivery with security engineers certified across OSCP, CISSP, CCSP, AWS Security Specialty, and (for AI work) practical experience with Garak, PyRIT, NeMo Guardrails, and the OWASP LLM Top 10.

What we deliver

Penetration testing: Black-box, grey-box, and white-box pen tests. Web app pen tests against OWASP Top 10. Mobile app pen tests for iOS and Android (OWASP MASVS). Cloud configuration reviews for AWS, Azure, GCP. Internal network pen tests with Active Directory exploitation. Every engagement includes a written report and a remediation re-test.
LLM red teaming & AI agent security: Prompt-injection testing, jailbreak resistance, training-data extraction, model denial-of-service, RAG poisoning, indirect prompt injection through retrieved sources, agent tool-misuse, and supply-chain attacks on MCP servers. The new attack surface no traditional SOC is testing for.
SOC 2, ISO 27001, PCI DSS, HIPAA readiness: Gap assessment, control implementation, evidence collection, policy and procedure authoring, internal audit prep, and liaison with your external auditor. We integrate Vanta or Drata for evidence collection. Most clients reach SOC 2 Type II audit-ready in 4-6 months.
24/7 SOC monitoring & incident response: Fully-managed SOC or augmentation of your in-house team. Integrate with your existing SIEM (Splunk, Sentinel, Elastic, Wazuh) or stand one up. Tie in EDR feeds (CrowdStrike, SentinelOne, Defender) and cloud posture data. Retainer clients get a 1-hour incident response SLA, 24/7.
Vulnerability management: Continuous SCA (Snyk, Mend, Socket), SAST (Semgrep, CodeQL), DAST (ZAP, Burp Pro), container scanning (Trivy, Grype), IaC scanning (Checkov, KICS), and a managed remediation backlog with prioritization based on actual exploitability — not just CVSS theatre.
Security awareness & training: Live training (in-person Toronto/GTA or virtual anywhere), recurring phishing simulations, role-specific training for engineering teams (secure coding, AppSec) and executives (whaling, BEC), and compliance-mapped training for SOC 2 and HIPAA.

Our security technology stack

Pen testing: Burp Suite Pro, OWASP ZAP, Nuclei, Caido, Metasploit, Cobalt Strike, BloodHound, Mythic, Sliver, Mimikatz
Cloud security: Prowler, ScoutSuite, CloudSploit, AWS Security Hub, AWS Inspector, Wiz, Lacework, Orca
AppSec / SAST / SCA: Semgrep, CodeQL, Snyk, Mend, Socket, GitHub Advanced Security, Trivy, Grype, Checkov, Kubescape
AI security tooling: Garak (NVIDIA), PyRIT (Microsoft), Promptfoo red team, NeMo Guardrails, LangChain output parsers, Lakera Guard
SIEM & XDR: Splunk, Microsoft Sentinel, Elastic Security, Wazuh, Datadog Cloud SIEM, Panther, LimaCharlie
EDR / XDR: CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Sophos Intercept X, Huntress
Identity & zero trust: Okta, Microsoft Entra ID, Auth0, JumpCloud, BeyondTrust, CyberArk, HashiCorp Vault, Tailscale, Cloudflare Access
Compliance tooling: Vanta, Drata, Secureframe, Tugboat Logic, Hyperproof, AuditBoard for SOC 2 / ISO 27001 / HIPAA evidence
DLP & email security: Material, Sublime Security, Abnormal, Proofpoint, Microsoft Purview, Nightfall AI
Network: Next-gen firewalls (Palo Alto, Fortinet, Check Point), WAF (Cloudflare, AWS WAF, Akamai), DDoS protection

Our pen-test engagement process

  1. Scoping & rules of engagement (3-5 days): Define the assets, the test type (black/grey/white box), the rules of engagement, the comms plan, and the reporting deliverables. Sign mutual NDA and authorization letters. No surprises during testing.
  2. Recon & enumeration (1-2 weeks): Passive reconnaissance, attack-surface mapping, technology fingerprinting, credential-leak checks, and target prioritization. The earlier we find issues, the cheaper they are to fix.
  3. Active testing (2-4 weeks): Hands-on-keyboard exploitation against the agreed scope. We document every finding with reproduction steps, business impact, CVSS + actual exploitability rating, and a remediation recommendation.
  4. Reporting & debrief (1 week): Written report scoped for executives, engineering, and audit. Live walkthrough with your team. Optionally, a post-engagement training session for engineering on the patterns we found.
  5. Remediation re-test (when ready): Once you've fixed the findings, we re-test to verify and update the report. Remediation re-test is included in every engagement, not a paid add-on.
  6. Continuous security (retainer, optional): Quarterly pen tests, ongoing vulnerability management, SOC 2 evidence maintenance, monthly red-team exercises, and a permanent security partner. Most clients move into a retainer after the first engagement.

Frequently asked questions

What kinds of penetration tests do you perform?

Black-box, grey-box, and white-box external penetration tests; web application pen tests against the OWASP Top 10; mobile app pen tests for iOS and Android against OWASP MASVS; cloud configuration reviews for AWS, Azure, and GCP; internal network pen tests with Active Directory exploitation; and emerging work in LLM red teaming and AI agent security. Every engagement includes a written report scoped to your stakeholders and a remediation re-test.

What does LLM red teaming actually test?

Direct prompt injection (ignore-your-instructions style attacks), indirect prompt injection through documents and tool outputs, jailbreak resistance, training-data extraction, model denial-of-service via prompt complexity, RAG poisoning attacks, agent tool-misuse (getting an LLM to call a destructive tool with attacker-controlled inputs), MCP server scope-escalation, and supply-chain attacks via malicious third-party prompts or models. Most production AI products have at least 3-5 of these vectors live.

Can you help us achieve SOC 2, ISO 27001, PCI DSS, or HIPAA compliance?

Yes. We help organizations through the full compliance lifecycle — gap assessment, control implementation, evidence collection, policy and procedure authoring, internal audit prep, and liaison with your external auditor. We have particular depth in SOC 2 Type II for SaaS companies and PCI DSS for e-commerce. Most clients reach SOC 2 Type II audit-ready in 4-6 months with us.

How much does a pen test cost?

A focused web app pen test typically ranges from $12,000 to $30,000 depending on app complexity. Cloud configuration reviews range from $8,000 to $20,000. Internal network pen tests range from $20,000 to $60,000. LLM red team engagements range from $15,000 to $40,000. Retainer pricing for ongoing security partnership starts at $8,000/month with quarterly pen tests and continuous vulnerability management included.

Do you offer 24/7 SOC monitoring?

Yes. We can either run a fully-managed SOC for you (we monitor, triage, and respond) or augment your in-house team. We integrate with your existing SIEM (Splunk, Sentinel, Elastic, Wazuh) or stand one up for you, and tie in EDR feeds and cloud posture data. SLAs are typically a 15-minute acknowledgment and a senior engineer at the keyboard within 1 hour for sev-1.

How fast can you respond to an active incident?

Retainer clients have a contractual 1-hour response SLA, 24/7. For non-retainer emergencies we aim to be on a triage call within 4 hours of intake during business hours and within 8 hours outside. Incident response engagements include containment, forensics, eradication, recovery, and a written post-mortem.

Do you do security training for our engineering team?

Yes. We run secure-coding training scoped to your stack (web app security for React/Next.js, AppSec for FastAPI/Django, mobile security for React Native/Flutter, AI security for teams shipping LLMs). Live in-person in Toronto/GTA or virtual anywhere, with hands-on exercises. We also run live phishing simulations and role-specific executive training (whaling, BEC, deepfake).

Don't wait for a breach.

Whether you need a one-off pen test, an LLM red-team engagement, a SOC 2 readiness program, or 24/7 managed security operations, book a free strategy call with our Toronto team.
