~/greplock$ We help teams harden how they build software — especially CI/CD, dependency risk, and secrets hygiene. In parallel we’re building AI-powered cybersecurity for SMBs: intelligent detection and risk insight without enterprise headcount. New firm. Honest scope. Product still in development — no vapor metrics.
GrepLock is a cybersecurity consultancy focused on how modern software is built: pipelines, identity for machines, third-party code, and operational hygiene when things go wrong. We’re also building AI-powered cybersecurity for SMBs — still early — so smaller teams get sharper detection and risk insight without a 24/7 SOC.
Threat-model your build pipeline: runner trust, OIDC and deploy keys, artifact integrity, and what happens when a dependency or maintainer account is compromised. Practical controls, not checklist theater.
Scoped credentials, rotation, blast-radius reduction, and forensic hygiene after exposure — including how stolen tokens (for example GitHub PATs) get abused and how to shut that down fast.
Focused reviews for startups and small teams: where data lives, who can reach production, and what an attacker would touch first. Deliverables you can act on this sprint.
In development: AI-assisted threat detection and risk analysis sized for small and mid-sized businesses — same instincts we bring to consulting (supply chain, identity, exposure), packaged so you’re not cobbling alerts from five vendors. Details stay light until there’s something worth shipping; join the list if you want updates.
Short intake: what you ship, where secrets live, how CI/CD promotes to production, and what “worst day” looks like for your team.
Evidence-led review of SCM settings, workflows, dependency ingestion, and IAM-shaped holes — scoped to your stack, not a generic audit template.
Concrete changes: branch protections, token scopes, OIDC where it fits, pinning strategy, logging — prioritized so you can ship fixes in order.
Written outcomes, replay steps for incidents, and optional follow-ups as you adopt controls or as the product surface matures.
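As an added illustration of the "concrete changes" step (this is example config written for this page, not GrepLock's own deliverable), here is the same deploy job before and after the controls named above: long-lived cloud keys replaced by OIDC, floating action tags replaced by full commit SHAs, and a default-deny `GITHUB_TOKEN`. The two YAML documents are separate workflow files shown in one block; the `<full-commit-sha>` values, the AWS account ID and role name are placeholders you would substitute for your own.

```yaml
# BEFORE (weak): long-lived AWS keys stored as repository secrets, actions
# referenced by a floating tag, GITHUB_TOKEN left at its default scope,
# and the deploy runs on every push to every branch.
name: deploy-before
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4                     # floating tag: if the tag moves, new code runs
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}         # copyable, never expires on its own
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} # a stolen runner or log leak keeps working
          aws-region: us-east-1
      - run: ./deploy.sh

---
# AFTER (hardened): short-lived credentials minted from the job's OIDC token,
# actions pinned to full commit SHAs, least-privilege GITHUB_TOKEN, and the
# deploy limited to the protected default branch through an environment.
name: deploy-after
on:
  push:
    branches: [main]
permissions: {}                   # deny everything at the workflow level; grant per job
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production       # environment rules can require reviewers and restrict which branches may deploy
    permissions:
      id-token: write             # needed to request the OIDC token from GitHub
      contents: read              # the deploy only needs to read the checkout
    steps:
      # Placeholder SHAs below; pin to the 40-character commit of the release you reviewed,
      # and keep the human-readable version in a trailing comment.
      - uses: actions/checkout@<full-commit-sha>                       # v4
      - uses: aws-actions/configure-aws-credentials@<full-commit-sha>  # v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-deploy # placeholder account and role
          aws-region: us-east-1
      - run: ./deploy.sh
```

Two caveats that decide whether the "after" version actually reduces blast radius. First, the IAM role's trust policy has to condition on the token's `sub` claim (for example restricting it to this repository and to the `main` branch or the `production` environment); an OIDC role that trusts any GitHub token has only moved the long-lived key problem, not removed it. Second, SHA pinning is only as good as the process that updates it, so pair it with a dependency-update bot and a review step, and set branch protection or rulesets on the repository itself, since a workflow file cannot protect the branch it lives on.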
We’re not selling shelf-ware or invented tiers. Tell us what you need; we’ll propose a scope and timeline. Product pricing doesn’t exist yet — sign up for updates if that’s your angle.
GrepLock was born out of frustration — and a hard lesson. A GitHub access token was stolen during a supply-chain attack and used to cause real damage. The kind of breach that makes abstract “shift left” advice feel useless until you’ve revoked keys at 2 a.m. and traced workflow abuse.
We’re not here to shame anyone who’s been burned by dependencies or CI trust boundaries; we’ve lived it. The consultancy helps teams compress mean-time-to-fix for exactly these failure modes: pipelines, packages, and machine identity. The product — AI-powered cybersecurity for SMBs — comes from the same scars: automation where it earns trust, transparency everywhere else.
Today: small shop, no inflated customer logos, no borrowed credibility. If we’re the wrong fit, we’ll say so.
“Assume breach” isn’t a slogan — it’s what happens when a maintainer account, a runner, or a token becomes the path of least resistance.
— framing we use with clients
Who you’ll work with
Consulting inquiries, partnership ideas, or product waitlist — use the form or email directly. We’re new; we answer thoughtfully, not instantly.
Tell us what you’re trying to fix. For product updates only, say so in the last field — no nurture drip promises.