Kairos Lab · Methodology
How we audit
5 phases, no shortcuts. Every finding is manually confirmed and reproduced with a working PoC before it lands in your report. Zero false positives shipped.
The 5-phase process
01
Day 0–1
Scoping & Reconnaissance
Define the attack surface. Collect all in-scope assets: domains, API endpoints, contract addresses, JS bundles, deployment configs. Recon stays passive or low-touch: DNS enumeration, CSP header analysis, robots.txt, source map extraction. Reading a response header or a public JS bundle does touch the target, but nothing is fuzzed, brute-forced or exploited until scope is confirmed.
DNS enum
Bundle analysis
CSP audit
Source map extraction
robots.txt
Contract ABI mapping
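Two of the recon steps above, CSP audit and source map extraction, as an added worked example (not Kairos Lab tooling): it parses a Content-Security-Policy header, flags the weaknesses a reviewer looks for first, harvests the hosts the policy names as new in-scope leads, and resolves a bundle's sourceMappingURL comment against the bundle's own URL. The header, bundle URL and bundle text are constructed sample inputs, not captures from any real host.

```python
import re
from urllib.parse import urljoin

# Constructed sample inputs for this example (not captured from any real host).
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' https://cdn.example.com *.example.net; "
    "connect-src 'self' https://api.example.com wss://ws.example.com; "
    "img-src *"
)
SAMPLE_BUNDLE_URL = "https://app.example.com/static/js/app.3f2a.js"
SAMPLE_BUNDLE = "!function(){console.log('hello')}();\n//# sourceMappingURL=app.3f2a.js.map\n"


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_csp(policy):
    """Return human-readable weaknesses in the script and navigation controls."""
    findings = []
    # script-src falls back to default-src when absent.
    scripts = policy.get("script-src", policy.get("default-src"))
    if scripts is None:
        findings.append("script-src: absent and no default-src, scripts are unrestricted")
    else:
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts
        )
        # CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash is present,
        # so it is only reported when it is actually effective.
        if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
            findings.append("script-src: 'unsafe-inline' is effective (no nonce/hash), inline XSS is not mitigated")
        if "'unsafe-eval'" in scripts:
            findings.append("script-src: 'unsafe-eval' permits eval()/Function()")
        if any(s in ("*", "http:", "https:", "data:") for s in scripts):
            findings.append("script-src: wildcard or bare scheme source allows scripts from arbitrary origins")
    # object-src falls back to default-src; base-uri does not.
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src: unset with no default-src fallback, plugin content is unrestricted")
    if "base-uri" not in policy:
        findings.append("base-uri: unset, <base> injection can redirect relative script URLs")
    return findings


def csp_hosts(policy):
    """Collect every host named in the policy: candidate in-scope assets for the asset list."""
    hosts = set()
    for sources in policy.values():
        for s in sources:
            if s.startswith("'") or s == "*" or s.endswith(":"):
                continue  # keyword, bare wildcard, or scheme-only source
            host = s.split("://", 1)[1] if "://" in s else s
            hosts.add(host.split("/", 1)[0])
    return sorted(hosts)


SOURCEMAP_RE = re.compile(r"//[#@]\s*sourceMappingURL=(\S+)")


def source_map_url(bundle_text, bundle_url):
    """Resolve a bundle's sourceMappingURL comment against the bundle URL (None if absent)."""
    m = SOURCEMAP_RE.search(bundle_text)
    if not m:
        return None
    return urljoin(bundle_url, m.group(1))


if __name__ == "__main__":
    policy = parse_csp(SAMPLE_CSP)
    for f in audit_csp(policy):
        print("CSP:", f)
    print("hosts:", csp_hosts(policy))
    print("source map:", source_map_url(SAMPLE_BUNDLE, SAMPLE_BUNDLE_URL))
```

A resolved `.map` URL is fetched once and archived as evidence; the original sources it embeds routinely contain internal route names, API paths and vendored code versions that feed the infrastructure map later in the report.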
02
Day 1–2
Automated Scanning
Run the full Kairos Scanner v1 (44 modules, tiers S/A/B/C/D) + Nuclei templates + Semgrep rules + Slither/Aderyn for contracts. Output: raw finding list with ~60–80% false positive rate. This output is NOT the report — it's the starting point for manual review.
Kairos Scanner v1 (44 modules)
Nuclei
Semgrep
Slither
Aderyn
Mythril
ffuf
03
Day 2–4
Manual Exploitation
Every scanner alert is manually verified. False positives are discarded. Real vulnerabilities are escalated: reproduce the full exploit chain, document impact, capture evidence (HTTP traces, transaction hashes, decoded calldata). Each finding gets a CVSS 3.1 score and a concrete remediation with code examples.
PoC reproduction
CVSS 3.1 scoring
mitmproxy traces
Foundry fork simulation
Exploit chain documentation
04
Day 4–5
Report Generation
Structured report with executive summary (score ring, severity distribution, category breakdown), full finding cards (description, CVSS, PoC, fix), exploit log, extracted data table, infrastructure map, and audit trail with timestamps. Anonymized for public release if requested.
Executive summary
Finding cards
Exploit log
Audit trail
Remediation guide
KPPE on-chain anchoring
05
Post-delivery
Remediation Verification
After client applies fixes: one complimentary re-test cycle per Critical or High finding. Confirm the vulnerability is resolved, not just patched around. Update report status from OPEN to FIXED. Optional: on-chain proof anchoring via KPPE for audit integrity verification.
Re-test cycle (Critical/High)
Status update (OPEN → FIXED)
KPPE anchoring (optional)
Public report version
Standards & frameworks
OWASP Top 10
Web application security risks — injection, broken auth, SSRF, etc.
OWASP ASVS L2
Application Security Verification Standard — 200+ requirements at Level 2
PTES
Penetration Testing Execution Standard — structured methodology
NIST CSF
Cybersecurity Framework — risk-based security posture
SWC Registry
Smart Contract Weakness Classification — EVM-specific weakness identifiers (the registry is no longer actively maintained, so it is used for classification, not as a complete catalogue)
CVSS 3.1
Common Vulnerability Scoring System — severity quantification
Report structure
Overview: Score ring · severity distribution · category breakdown · critical/high count
Findings: Full finding cards — ID, CVSS, description, PoC, remediation with code
Exploit Log: Step-by-step attack chains — vector, payload, HTTP response, impact
Extracted Data: What was recovered during the engagement (redacted for public versions)
Infrastructure: Discovered components, versions, hosting, blockchain network, APIs
Remediation: Prioritized fix list — Critical first, with effort estimate per finding
Audit Trail: Timestamped log of every action taken during the engagement
Audit Engine
// Internal · Proprietary · V4
OMEGA Engine — Kairos Lab Security Research
OMEGA is the proprietary audit engine running every Kairos Lab engagement. Built internally for full-attack security analysis — it operates simultaneously at three levels: specification-level gap analysis, source code review, and exploit-chain construction. Aggression mode is always 🔴 Full Attack. No passive scan only, no partial coverage.
OMEGA V4 was first deployed to audit the Kairos ERC specifications (ERC-8227, 8228, 8229, 8231) before their publication — stress-testing them at the same level we apply to client code. The same engine, the same aggression, runs on every engagement.
🔴 Full Attack
Specification · Code · Exploit
V4
ERC-8227/8228/8229/8231 audited
Zero false positives shipped