Thick client application pentesting. Past the network. Into the binary.
Manual thick client application penetration testing across Windows, macOS, Linux native apps plus .NET, Java, and Electron desktop. Tested by hand for DLL-search-order hijacking, named-pipe and XPC ACL abuse, hardcoded keys lifted out of process memory, custom-protocol replay over cleartext, and writable installer paths that escalate to NT AUTHORITY\SYSTEM. Every finding ships with a working proof-of-exploit, code-level fix guidance, and a free re-test.
Native binaries
Windows PE · .NET · Java desktop · macOS Mach-O · Linux ELF · Electron / Tauri / CEF: every desktop runtime your team ships.
Evidence
Reverse-engineered proof-of-exploit and code-level fix guidance on every finding, with Ghidra, Frida, and x64dbg artefacts attached.
Re-test included
We verify your fixes at no extra cost. One engagement, closed loop.
The window from vulnerability discovery to exploitation has gone from weeks to hours.
Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Why a web pentest can't see this
Web testing stops at HTTP. The risk lives past the boundary.
Your web pentest reaches authentication, session, and the API. The same binary running on a workstation also reaches process memory, named pipes, the registry, the DLL search path, and the kernel. SecureLayer7 operators load your binary into Ghidra and Frida and report the chain that starts where the HTTP scope ends: DLL hijack to SYSTEM, hardcoded key in .data, IPC ACL bypass to a privileged service. Every finding is reproducible, code-level fixable, and re-tested before sign-off.
IN SCOPE.
What lands in a thick-client engagement.
.NET, Java, native. Decompile, patch checks, anti-debug, packer bypass, runtime hooks.
Registry, AppData, plist, SQLite caches. Credentials, tokens, license keys at rest.
Named pipes, COM, DCOM, gRPC. Privilege escalation through a parser the OS trusts.
Custom protocols, cert pinning bypass, TLS downgrade, message tampering on the wire.
What we test
Six desktop runtimes. One engagement.
Each runtime gets a manual reverse-engineering pass against its real attack surface — binary on disk, process in memory, IPC channels, and the backend it pairs with. Intensity tunes per scope.
Windows native (PE / COFF)
DLL search-order hijacking, COM hijacking, Authenticode bypass, named-pipe and RPC ACL abuse, service / scheduled-task permission writes, registry hijacks, AppLocker / WDAC bypass, signed-installer write-paths to NT AUTHORITY\SYSTEM.
.NET assemblies
dnSpy / ILSpy round-trip, hardcoded keys and connection strings in /resources, BinaryFormatter and ObjectStateFormatter deserialization gadgets, Json.NET TypeNameHandling abuse, reflection bypass, Strong-Name forgery, ClickOnce manifest tampering.
Java desktop (JAR / JavaFX)
JD-GUI / CFR decompile, signed-JAR replacement, classpath shadowing, Spring / Beanshell injection, JMX management exposure, Java RMI deserialization, native-library (JNI) hijack, hardcoded JDBC credentials in /META-INF.
macOS native (Mach-O)
DYLD_INSERT_LIBRARIES, weak-dylib hijack, codesign and hardened-runtime bypass, XPC service ACL abuse, TCC / privacy-prompt evasion, Keychain ACL misuse, sandbox escape via privileged helpers (SMJobBless, installerd).
Linux native (ELF)
LD_PRELOAD on SUID binaries, RPATH / RUNPATH abuse, .got and .plt write paths, systemd unit override, capability misuse, world-writable shared libraries, D-Bus policy bypass, namespace and cgroup escape.
Electron / Tauri / CEF
ASAR unpack, nodeIntegration leak across renderer-to-main IPC, contextIsolation bypass, custom-protocol handler abuse, autoUpdate signature bypass, Chromium-extension prototype pollution into Node, hardcoded tokens lifted from app.asar.
THICK-CLIENT METHODOLOGY.
Eight phases. Binary to backend protocol.
Threat-modelled to your runtime, your privilege boundary, and the attacker who can drop a binary on a workstation. Not a checklist we run against every desktop app.
Scope & threat-model
Runtime, signing model, IPC channels, privilege boundary, in-scope hosts and supporting services defined before any binary is touched.
Static reverse engineering
Binary disassembled in Ghidra, IDA, or Hopper. Strings, imports, embedded keys, suspicious calls, signing chain, and high-value functions enumerated.
Dynamic instrumentation
Frida, x64dbg, or lldb attached. Function hooking, runtime keylogging of cleartext secrets, traffic interception under TLS-pinning bypass, GUI-flow control.
IPC & privilege mapping
Named pipes, COM, XPC, D-Bus, RPC, sockets, registry hooks, and on-disk handoff paths exercised against the privilege boundary.
Local privilege escalation
DLL hijacking, ACL misuse on writable folders, service and scheduled-task abuse, weak-dylib search, LD_PRELOAD on SUID. Pushed to NT AUTHORITY\SYSTEM, root, or _securityd.
Network & backend pairing
Custom protocols decoded, server-side auth bypassed when client checks are forged, replay and MITM exercised against the binary's real backend.
Remediation guidance
Code-level fixes, Authenticode and notarization tightening, ACL diffs, secret-storage migration, IPC policy snippets. Written for the team that built the app.
Patch verification
Every finding re-tested after your team ships the fix, at no extra cost. Written confirmation each path is closed.
Insights
Thick-client Resources.
Notes from desktop and Electron reviews: IPC abuse, local-storage drift, and binary-side bugs that web scanners never reach.
Meet our expert
One lead, binary to backend in scope.
Nivedita Singh
Security Advisor & Engagement Lead
10+ years in offensive security
300+ engagements led
99.7% on-time delivery rate
Nivedita scopes thick-client engagements against your runtime, signing model, and privilege boundary. She guides the pod from kick-off through final report and re-test.
- Scopes Windows, macOS, Linux, and cross-platform desktop engagements against your real privilege model.
- Owns kick-off, mid-engagement check-ins, and a live walkthrough of every finding with a working PoC.
- Drives remediation review and re-test until every binary-path finding is closed.

Ready to scope a thick-client pentest? Book 30 minutes with Nivedita to walk through your runtime, scope, and timeline.
Tested by industry.
The bug classes named below come from real engagements in each sector. Pick the closest fit.
HealthTech
EHR thick clients, imaging-viewer workstations, lab analyzer software.
Tech SaaS
Internal admin tools, on-premise SaaS clients, partner-installed applets.
Built for Saudi Arabia engagements
What changes when we deliver here.
Compliance scoping
NCA ECC 2-3 endpoint sub-control citation per finding
Regulatory framework
SAMA endpoint-protection wording in the deliverable
Local engagements
Dammam trading-desk client closed 9 binary findings before SAMA audit
Local pricing
SAR per-binary scoping with VAT 15% itemised
Compliance scoping
PDPL memory-leak personal-data flagging
Thick client questions from KSA security teams.
Do findings line up with NCA ECC 2-3 endpoint controls?
Yes. Each issue cites the ECC 2-3 sub-control. NCA reviewers trace from binary behaviour to control wording without effort.
Will SAMA endpoint reviewers accept the report?
Yes. Findings format to SAMA endpoint-protection language. Bank desktop-fleet auditors sign off without re-templating.
How is reverse engineering handled under PDPL?
Binaries and memory dumps sit on KSA-region storage. Any personal data found in memory is flagged against the PDPL Article that fits.
Do you cover hardware-token and smartcard flows?
Yes. PKI cards used by Saudi banks and government are tested for cert pinning, PIN handling, and middleware abuse.
Delivery in Saudi Arabia
Desktop app testing aligned to NCA ECC 2-3.
Windows and .NET binaries are tested against NCA ECC 2-3 endpoint and SAMA endpoint-protection guidance. SAR-denominated, KSA-region binary handling.
- Direct line: +966-11-000-0000
- Office: Riyadh, Saudi Arabia
Frameworks scoped: NCA ECC · SAMA CSF · PDPL · ISO/IEC 27001.
Sample engagement report
See what arrives in your inbox.
A pre-vetted sample report: full vulnerability narrative, working proof-of-exploit, code-level fix guidance. Sent on request after a 5-minute scoping call.



