
[Service menu]

Services priced for verified outcomes.

Stella sells verification work — not seats, not scans. Most teams start with a fixed-scope Pilot Audit ($15,000, two weeks). Customers who continue can choose a Focused Audit, a Full Verified Audit, a Triage Retainer, or per-class Patch Validation. Open-source maintainers run free under an approval-based contribution track.

Start here

Stella Verified Audit Pilot

Fixed-scope entry audit

$15,000 · fixed fee · 2 weeks

The starting point for first customers and teams who want to see Stella's deliverable quality on one repository or component before expanding scope.

  • 1 repository or component
  • Verified findings only
  • Reproducible PoCs · sanitizer evidence · source-citation validation
  • CVSS / CWE drafts
  • Patch guidance + coordinated disclosure support

Focused Audit

Deeper work on a narrow surface

$18K–$25K · 2–3-week engagement

For teams that want more depth than the pilot but are not ready for a full 4-week audit. Best for one library, firmware component, parser, protocol surface, or robotics / embedded component.

  • 1 focused library, parser, protocol, firmware, or embedded component
  • Depth beyond the pilot without a full product-area commitment
  • Reproducible PoCs · sanitizer evidence · source-citation validation
  • CVSS / CWE drafts and patch guidance
  • Coordinated disclosure support when findings qualify

Full scope

Full Verified Audit

Full-scope verification of one product area

From $30K · 4-week engagement

One product area or protocol surface you ship. Best for product-security teams that need a full-scope verification cycle ending in patch validation, embargo coordination, and CVE submission support.

  • 1 product area or protocol surface
  • Full-scope C/C++ verification
  • Reproducible PoCs · sanitizer evidence · source-citation validation
  • Patch validation sprint included
  • Embargo coordination + CVE submission

Triage Retainer

Verify incoming AI-generated reports

$8K–$20K · per month

For PSIRTs and bug-bounty programs drowning in AI-generated submissions. We classify each incoming report as real, duplicate, false positive, or security-relevant, and return the engineering-actionable shortlist.

  • Verify your incoming AI reports, fuzzer crashes, and external submissions
  • Classification: real / duplicate / false-positive / sec-relevant
  • Coordinated reply drafts back to the submitter
  • Best for PSIRTs and bug-bounty programs
  • Monthly engagement, scale up/down as volume changes

Patch Validation

Confirm the fix holds — no variants left

$5K–$12K · per vulnerability class

Vendors with embargoed CVEs or compliance pressure who need an independent check that the patch actually fixes the root cause and that no variant remains in adjacent code paths.

  • We validate your patch fixes the root cause
  • Variant analysis across the affected component
  • Per-class deep dive, retainer available
  • Useful for vendors with embargoed CVEs or compliance pressure
  • Delivered alongside the original disclosure timeline

Open Source

Our contribution to critical OSS security

Free · approval-based

Maintainers of significant open-source C/C++ infrastructure projects. Not the primary offering — this is how Stella gives back to the upstream ecosystem we depend on.

  • 1 codebase, approved per project
  • Coordinated disclosure handled by Stella
  • CVE submission and vendor coordination
  • "Powered by Lilith" credit in advisories
  • Limited capacity — review takes ~1 week

Early-stage and first-time customer scopes can start smaller. We are happy to scope a narrow component before expanding into a full product-area audit.

[Why this works]

Four reasons specialists buy from Stella.

Stella combines specialist memory-corruption craft with a verification-first delivery model — the gap that has opened as frontier LLMs commoditize discovery but not validation. These four moats are why infrastructure vendors choose us over horizontal scanners or generic AI services.

[ 01 ]

Verification, not just discovery

Frontier models, fuzzers, and static analyzers now generate more candidate vulnerabilities than maintainers can triage. Lilith reproduces every candidate on isolated GCP VMs with AddressSanitizer / UBSan / MSan before a finding leaves the pipeline. You pay for verified findings you can patch, not triage queues.
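The gate described above (reproduce the candidate under a sanitizer, then check that the report's source citations actually resolve in the repository, and drop anything that fails either check) can be shown with a small script. This is an added illustration, not Lilith's or Stella's code: the repository, the three candidate reports and the sanitizer logs are all constructed in-line, and the `Candidate` fields and `gate()` function are assumptions made for this example.

```python
"""Candidate-finding gate: forward a finding only if its source citation
resolves in the repository AND the sandboxed PoC run produced a sanitizer report.
Constructed example; the report shape and repository are not from any real audit."""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Report banners as the sanitizers print them: ASan uses "==pid==ERROR:",
# MSan uses "==pid==WARNING:", UBSan prints "file:line:col: runtime error: ...".
_BANNER = re.compile(
    r"==\d+==(?:ERROR|WARNING): "
    r"(AddressSanitizer|MemorySanitizer|UndefinedBehaviorSanitizer): ([\w-]+)"
)
_UBSAN = re.compile(r"^(\S+):(\d+):\d+: runtime error: (.+)$", re.M)


@dataclass
class Candidate:                # assumed shape of an incoming candidate report
    title: str
    cited_file: str             # repo-relative path the report cites
    cited_line: int             # 1-based line the report cites
    cited_snippet: str          # code the report claims is on that line
    sanitizer_log: str          # stderr captured from the PoC run in the sandbox


def citation_resolves(repo: Path, cand: Candidate) -> bool:
    """True iff the cited file and line exist and the line contains the quoted snippet."""
    path = repo / cand.cited_file
    if not path.is_file():
        return False
    lines = path.read_text().splitlines()
    if not 1 <= cand.cited_line <= len(lines):
        return False
    return cand.cited_snippet.strip() in lines[cand.cited_line - 1]


def sanitizer_reported(log: str):
    """Return (sanitizer, bug_class) if the log carries a sanitizer report, else None."""
    m = _BANNER.search(log)
    if m:
        return m.group(1), m.group(2)
    m = _UBSAN.search(log)
    if m:
        return "UndefinedBehaviorSanitizer", m.group(3).split(":")[0]
    return None


def gate(repo: Path, cand: Candidate) -> dict:
    """Apply both checks; a candidate is forwarded only if every gate passes."""
    reasons = []
    if not citation_resolves(repo, cand):
        reasons.append("citation does not resolve in repository")
    report = sanitizer_reported(cand.sanitizer_log)
    if report is None:
        reasons.append("no sanitizer report in PoC run")
    return {"title": cand.title, "forward": not reasons,
            "sanitizer": report, "reasons": reasons}


def demo() -> list[dict]:
    """Constructed repository plus three constructed candidates: one genuine,
    one citing a file that does not exist, one whose PoC run was clean."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / "src").mkdir()
        (repo / "src" / "parse.c").write_text(
            "#include <string.h>\n"
            "int parse_len(const unsigned char *p, unsigned char *out) {\n"
            "    unsigned len = p[0];\n"
            "    memcpy(out, p + 1, len);   /* length taken from input, unchecked */\n"
            "    return len;\n"
            "}\n"
        )
        cands = [
            Candidate("heap overflow in parse_len", "src/parse.c", 4,
                      "memcpy(out, p + 1, len);",
                      "==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000050\n"
                      "WRITE of size 200 at 0x602000000050 thread T0\n"
                      "    #0 0x4b1c2f in parse_len src/parse.c:4\n"),
            Candidate("use-after-free in parse_hdr", "src/header.c", 17, "free(hdr);",
                      "==4243==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000010\n"),
            Candidate("integer overflow in parse_len", "src/parse.c", 3,
                      "unsigned len = p[0];",
                      "parsed 64 bytes\n"),
        ]
        return [gate(repo, c) for c in cands]


if __name__ == "__main__":
    for r in demo():
        status = "FORWARD" if r["forward"] else "DROP"
        print(f"{status:7} {r['title']}: {r['reasons'] or r['sanitizer']}")
```

Only the first candidate is forwarded: the second cites a file that is not in the tree (a hallucinated citation), and the third ran cleanly, so there is no sanitizer evidence to attach.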

[ 02 ]

Specialist coverage of critical infrastructure

Memory corruption in cryptographic libraries, VPN daemons, DNS servers, routers, SIP gateways, and embedded TCP/IP stacks is too narrow for horizontal SaaS players (Snyk, Semgrep, Wiz) and too valuable for vendors to leave unaudited. Roughly five firms in the world do this work seriously; Stella is the youngest, with the deepest LLM-augmented verification harness in production.

[ 03 ]

Disclosure operations included

Every verified finding ships with disclosure language, vendor security contacts, embargo timeline, and a 1-week patch-validation window. Stella has coordinated with Mozilla, Arm PSIRT, Intel, ISC, PowerDNS, and Red Hat Product Security — the relationships needed to get a CVE through cleanly are part of the engagement, not a separate billable.

[ 04 ]

Public CVE credibility

32 CVEs assigned across wolfSSL, Mozilla NSS, GnuTLS, strongSwan, PowerDNS, Arm mbedTLS, PostgreSQL/PgBouncer, and FRRouting. $75K+ in paid or confirmed bounty awards from Mozilla, Intel, Intigriti, and YesWeHack, plus additional disclosures coordinated through Red Hat. New entrants start from zero credibility — and the gap grows with every CVE Stella publishes.

[Approach]

How a Stella engagement compares.

Traditional specialist audits can be expensive and calendar-heavy. Stella starts with a fixed-scope pilot and delivers verified, reproducible findings on a faster cadence.

Stella Verified Audit

Cost: $15K Pilot; $18K–$25K Focused Audit; Full Verified Audit from $30K
Time to Results: 2-week pilot · 2–3-week focused audit · 4-week full audit
Proof Quality: ASan / UBSan / MSan-verified PoCs · source-citation validated
Analysis Method: AI-augmented verification harness, human-reviewed
Deliverable: CVE-ready report with PoC, patch guidance, disclosure language

Manual Boutique Audit

Cost: Traditional specialist audits can reach $50K–$150K
Time to Results: Often calendar-heavy; multi-month scopes are common
Proof Quality: Varies by auditor
Analysis Method: Human intuition
Deliverable: PDF report

[Frequently asked questions]

Frequently asked questions

Where should we start?
With the two-week Pilot Audit ($15,000, fixed scope, one repository or component). It is designed to prove the deliverable quality before any larger commitment. Customers who continue typically move into a Focused Audit, a Full Verified Audit, a Triage Retainer for incoming AI reports, or per-class Patch Validation.

What languages and targets does Stella cover?
C and C++ infrastructure software — protocol parsers, TLS libraries, VPN daemons, DNS servers, routers, embedded TCP/IP stacks, database infrastructure. Rust is on the roadmap as the verification harness matures; if you have a Rust target you'd like considered, ask us. Targets sitting outside that scope can sometimes be taken on as a custom engagement.

How does Stella avoid the AI-slop problem?
Lilith's verification harness runs every candidate finding on isolated GCP VMs with AddressSanitizer / UBSan / MSan and validates source citations against the actual repository before any human ever sees the report. Findings that fail any gate are dropped, not forwarded. The result is a report set limited to candidates that passed reproduction and citation checks.

Who owns the findings?
You do. On paid engagements, all findings on your codebases are exclusively yours. You decide whether, when, and how to disclose. Stella retains only aggregated, anonymized statistics (finding count, severity distribution) for internal calibration — never tied to your organization or codebase.

How does the Open Source tier work?
Free, approval-based, limited capacity. Stella accepts a small number of significant open-source C/C++ infrastructure projects per quarter and coordinates the disclosure end-to-end. This is how Stella contributes back to the upstream ecosystem — not the primary commercial offering. Apply via the contact form and we will reply within a week.

What about contracts, NDAs, and disclosure scope?
Every engagement begins with a written scope-of-work, an NDA, and a coordinated-disclosure authorization before the audit starts. Stella does not test production systems, will not disclose anything without explicit written authorization, and respects vendor-specific embargo timelines (typically 90 days, extendable on request).

[ $ lilith run --target your-codebase ]

Audit your infrastructure with Stella.

Tell us about the codebase you want audited. We respond within 24 hours with scoping questions and an engagement proposal.