Security isn't a feature.
It's our foundation.
Tjaž Kovač built Ricochet Group with a cybersecurity expert's mindset — we don't just talk about security, we practice it daily. We pentest our own systems regularly, publish our results internally, and offer the same offensive security expertise to enterprises that trust us with their most sensitive workloads.
0 breaches
5+ years
24/7 incident response
99.99% system uptime
Six pillars. Zero shortcuts.
Every layer of our stack is designed with the assumption that every other layer can fail. Defense in depth — not security theater.
Encryption in Transit and at Rest
All data in transit is protected with TLS 1.3. Data at rest is encrypted with AES-256. Keys are rotated automatically and are never stored alongside the data they protect.
Zero-Trust Architecture
Every request is authenticated, authorized, and validated — no implicit trust, no open perimeters. Micro-segmentation enforced at every layer.
Continuous Monitoring
24/7 SIEM with anomaly detection, threat intelligence feeds, and automated alerting. Every event is logged, indexed, and searchable.
Auth & Access Control
MFA enforced everywhere, RBAC with granular permissions, SSO via SAML 2.0 and OAuth 2.0. Privileged access requires hardware keys.
Compliance & Certifications
SOC 2 Type II and ISO 27001 certified, GDPR- and CCPA-compliant, with HIPAA-compatible controls. Annual third-party audits; reports are available under NDA on request.
EU Data Residency
All customer data is stored exclusively in Germany and the Netherlands. Data never leaves the EU. You choose your region at signup.
We break things. On purpose.
Tjaž has been picking apart systems since before he could drive. Today that expertise is available to companies serious about understanding their real attack surface.
Real adversarial testing — not automated scanner output dressed up in a PDF. Our engagements are led by Tjaž personally for smaller clients and by our vetted security team for enterprise engagements.
Web Application Pentest
Full OWASP Top 10 coverage, business logic testing, session management, injection flaws, and authentication bypass. We find what scanners miss.
API Security Audit
REST, GraphQL, and gRPC endpoint enumeration; authorization testing, including broken object-level and function-level authorization (BOLA/BFLA); mass assignment; and rate-limiting gaps.
Infrastructure Pentest
Network segmentation, firewall rule review, internal/external recon, lateral movement, cloud config audits (AWS, GCP, Azure).
Social Engineering
Phishing simulations, vishing, pretexting, and physical access attempts. Real adversarial behavior — not awareness theater.
Request a Penetration Test
We'll scope your engagement, assess its complexity, and send a quote within 48 hours. Every engagement is led by a senior security engineer: no interns, no scanner-only reports.
Found a vulnerability?
We operate a responsible disclosure program. If you find something, tell us before going public — we'll work with you to fix it quickly and credit you appropriately.
Responsible Disclosure Policy
- Give us 90 days to fix the issue before public disclosure
- Don't access or modify data that isn't yours
- Don't exploit DoS / DDoS vectors
- Don't use social engineering against Ricochet employees
- Act in good faith — we will too
Bug Bounty Rewards
Every report is acknowledged within 48 hours and triaged within 5 business days. Rewards for valid findings are paid via bank transfer, crypto, or gift card, whichever you choose.
Submit Vulnerability Report
All submissions are encrypted and treated as confidential.
Certified. Audited. Transparent.
Our certifications aren't marketing badges. They're the result of annual third-party audits with zero material findings.
SOC 2 Type II: Certified
ISO 27001: Certified
GDPR: Compliant
CCPA: Compliant
HIPAA: Compatible
Audit reports are available under NDA on request.
Talk to our security team.
For security inquiries, incident reports, or partnership discussions around our pentest services — reach us directly. We respond to all security-related emails within 48 hours, guaranteed.
security@ricochet.group
PGP key fingerprint: 2E8D 6A3F 1B9C 8D5E 3A7C
Use our PGP key to encrypt sensitive vulnerability reports before emailing. The string above is 20 hex digits, while a full OpenPGP v4 fingerprint is 40, so confirm the complete fingerprint from the key itself before trusting it.