[ Security research lab ]
We research one question. We ship a tool your team runs and your agents can call.
Every tool we ship runs in CI, in a terminal, and in an agent's toolbelt.
[ Practice ]
How we work with teams
We take a handful of engagements a year — one hard question at a time. No retainers, no pooled hours, no reselling headcount as “consulting.” You pay for a finding, not a forecast.
- Harness audits
We map the tool surface your agent can reach and the chains a fuzzer will never stumble into.
- Prompt injection
We test what your agent does when the email, the doc, or the tool output is attacker-controlled.
- Supply chain detonation
We detonate the packages your agent installs in a disposable sandbox and tell you what they tried to steal.
Thumper — a detonation lab for credential theft in suspect packages.
We are independent. We don't sign agreements that give vendors final approval over published findings — coordinated disclosure timing is fine. We do not resell, take referral fees, or hold equity in any vendor we research. Disclosure questions go to security@usestilgar.com.
[ Book a scoping call ]
Tell us what you're trying to find out.
We reply within two business days. We start with a thirty-minute scoping call. No slide deck required.
Or email contact@usestilgar.com. For research updates, send a note with subject subscribe.