// Independent Security Research  ·  Est. EU

We study how identity breaks
—and rebuild it stronger.

AuthLabs is a research-led practice working at the intersection of email authentication, identity protocols, and phishing-resistant infrastructure. We help organizations close the gap between what their security looks like on paper and how it behaves under adversarial conditions.

; authlabs.org. dmarc record
v=DMARC1;
p=reject;
adkim=s; aspf=s;
rua=mailto:dmarc@authlabs.org;
; we run what we recommend.
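
As an added illustration of what the record above encodes (example code written for this page, not AuthLabs' tooling), the parser below grades a DMARC TXT record against the strict posture shown, using a constructed monitoring-only record for contrast.

```python
# Added example (not AuthLabs' code): parse a DMARC TXT record and list the gaps
# relative to the strict enforcement posture published above.

# The record shown above, joined back into the single TXT string DNS serves.
AUTHLABS_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@authlabs.org;"

# Constructed contrast record: a typical "monitoring only" deployment.
WEAK_RECORD = "v=DMARC1; p=none; pct=100"


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate the trailing ';' and blank segments
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # RFC 7489 requires v=DMARC1 as the first tag.
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    return tags


def assess(tags: dict[str, str]) -> list[str]:
    """Return human-readable gaps; an empty list means strict enforcement."""
    gaps: list[str] = []
    policy = tags.get("p")
    if policy not in ("quarantine", "reject"):
        gaps.append(f"p={policy}: receivers take no action on failing mail")
    if tags.get("pct", "100") != "100":  # pct defaults to 100
        gaps.append(f"pct={tags['pct']}: policy applies to only part of the mail")
    if tags.get("adkim", "r") != "s":    # alignment defaults to relaxed
        gaps.append("adkim=r: relaxed DKIM alignment accepts any subdomain signer")
    if tags.get("aspf", "r") != "s":
        gaps.append("aspf=r: relaxed SPF alignment accepts any subdomain MAIL FROM")
    if "rua" not in tags:
        gaps.append("no rua: no aggregate reports, so failures stay invisible")
    subdomain_policy = tags.get("sp", policy)  # sp defaults to p
    if subdomain_policy not in ("quarantine", "reject"):
        gaps.append(f"sp={subdomain_policy}: subdomains inherit a non-enforcing policy")
    return gaps


if __name__ == "__main__":
    for record in (AUTHLABS_RECORD, WEAK_RECORD):
        print(record, "->", assess(parse_dmarc(record)) or ["strict enforcement"])
```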

Five practice areas. One discipline.

01.01

Email Authentication & Deliverability

End-to-end review and remediation of sender authentication across SPF, DKIM, DMARC, BIMI, and MTA-STS. We diagnose deliverability failures, design tightening roadmaps from monitoring to enforcement, and operate as second-opinion on production rollouts where the cost of a wrong move is measured in lost mail.

SPF · DKIM · DMARC · BIMI · MTA-STS · DANE
01.02

Identity & Access Architecture

Design and review of federated identity systems: OAuth 2.0, OIDC, SAML, WebAuthn. We assess token lifecycles, trust boundaries, and the edges most architectures get wrong: replay, scope creep, audience confusion, and silent privilege escalation across federations.

OAuth 2.0 · OIDC · SAML · WebAuthn · SCIM
01.03

Phishing Resistance Engineering

Beyond awareness training. We model the attack surface as adversaries see it — display-name spoofing, lookalike domains, MFA fatigue, OAuth consent grants — and engineer the countermeasures that actually move the needle: hardware-backed credentials, conditional access, and protocol-level controls.

FIDO2 · Passkeys · Threat Modeling · Red Team Coord.
01.04

Cryptographic Engineering

Independent review of cryptographic protocols and implementations: key management lifecycles, signing infrastructures, certificate authorities, and the migration to post-quantum primitives. We read the specs, then we read the code.

PKI · HSM · Protocol Review · PQ-Migration
01.05

Threat Intelligence & Exposure Assessment

Structured OSINT and closed-source intelligence on your own attack surface: leaked credentials, stealer-log mentions, dark-web chatter, brand impersonation, executive exposure. We deliver findings with sources, dates, and severity — not raw dumps. Self-service preview available below.

OSINT · Breach Corpora · Dark Web · Stealer Logs · Brand Monitoring
01.06

Bespoke Engagements

A problem in security that does not fit a brochure category? That is most of the interesting work. We accept a small number of bespoke engagements per year — research, adversarial review, second-opinion consulting, expert-witness work — under NDA.

Custom Research · Expert Witness · Advisory

See what an adversary already knows about you.

Enter your own domain or a corporate email you control. We surface a sample of what is already circulating about it — credential leaks, stealer-log traces, dark-web mentions — drawn from our continuously updated intelligence corpus.

Three findings free. The full assessment — including plaintext credentials where recoverable, source URLs, timestamps, and remediation guidance per finding — is available under a paid engagement.

// Check on assets you own.
// Lookups on third parties require lawful basis & contract.
// Demo · Sample report shown · No data is transmitted in this preview
Exposure findings · sample · 15 total · 3 shown

[High] Credential compilation match
    source: COMB·v6 / breach corpus · date: 2023-Q4 · type: email + hashed password · match: a*****@—

[High] Stealer-log fingerprint
    source: RedLine · TG channel (closed) · date: 2024-08-15 · type: browser-stored credentials · device: geo: EU · 2 cred. pairs

[Med] Dark-web forum mention
    source: [redacted forum] · date: 2024-03-22 · type: thread mention · context: discussion · domain ref.

+12 additional findings available in the full assessment — including 4 plaintext credentials, 3 stealer-log entries, and 5 mentions across closed sources.

A method, not a search engine.

01 //

Scoping & Lawful Basis

Every engagement starts with a written authorization defining scope, assets, and the legal basis under GDPR. No scope creep, no off-record lookups.

02 //

Open-Source Collection

Structured OSINT across surface web, code repositories, paste sites, social platforms, and historical archives. Automation where it scales, hand work where it matters.

03 //

Closed-Source Intelligence

Breach corpora, stealer-log markets, Telegram channels, and forum monitoring. Sourced through long-standing access — not scraped from third-party aggregators.

04 //

Correlation & Validation

Findings are deduplicated, cross-referenced, and rated by severity. Every claim in the final report is tied to a verifiable source with timestamp.

05 //

Reporting & Remediation

A structured report with executive summary, technical detail, and per-finding remediation guidance. Where helpful, we assist directly with takedowns and rotation.

We work on the boring problems that quietly own everything.

Most security failures are not exotic. They are the predictable consequence of small configuration choices left unattended for years — a permissive SPF, a loose DMARC policy, an OAuth scope that nobody reviews, a forgotten subdomain.

Our practice is built around the conviction that the unglamorous layer is where the real adversaries live. We measure before we advise. We test in adversarial conditions, not in slide decks. And we publish what we learn.

We work with engineering teams, not around them. Our deliverables are reproducible experiments, runnable test suites, and configurations a sysadmin can read at 3 a.m.

40+ yr · Accumulated practice across the team
10/10 · Mail-Tester score on our own infrastructure
p=reject · Strict DMARC enforcement since day one
0 · Off-the-shelf recommendations

Five principles. Non-negotiable.

01 //

Independence over scale.

We are deliberately small. No partner programs, no resale of vendor stacks, no kickbacks from the products we name. Our advice is uncontaminated by what we sell, because we don't sell anything except our attention.

02 //

Depth over breadth.

We do not run a checklist business. We pick narrow domains where we can be among the most rigorous in Europe, and we leave the rest to firms that prefer scope to substance.

03 //

Measurement before opinion.

Every recommendation we issue is grounded in something we can demonstrate — a passing test, a failed bounce, a parsed report, a captured handshake. If we cannot show it, we do not claim it.

04 //

We run what we recommend.

Our own production infrastructure is configured under the same strict policies we advise: enforced DMARC, hardware-backed credentials, monitored TLS posture. We eat our own cooking before we serve it.

05 //

Quiet by default.

We do not publish client lists, name-drop logos, or trade in case studies that should not exist. Discretion is part of the deliverable.

If your authentication posture
has a problem you cannot name —
that is the conversation we have.

Region: European Union
Hours: By appointment
// PGP Fingerprint 0xAUTH · LABS · placeholder · replace with your real fingerprint