The work that scanners can't do. Business logic flaws, authentication gaps, the edge cases nobody thought to specify. Twenty years of specification-led testing applied to the security of your systems.
Most security testing is automated surface scanning. It catches the obvious: known CVEs, missing headers, default credentials. It misses the things that actually matter: the flaws in business logic, the assumptions baked into API flows, the edge cases that exist because nobody specified what should happen when a user does something unexpected.
Those vulnerabilities don't have signatures. They can't be pattern-matched. Finding them requires understanding how a system was meant to work, then thinking clearly about how it doesn't.
The most dangerous problems in software aren't code bugs. They're specification gaps, things nobody thought to define. A payment rule that seems robust until you ask what happens at midnight. An API endpoint that checks permissions on one path but not another. A rate limit that applies to individual requests but not batched ones.
These gaps are where attackers live. Not in the code that was written, but in the behaviour that was never specified. Testclub's entire discipline is built on finding what's missing. We've been doing it for twenty years in functional testing and specification, and it's exactly the same skill applied to security.
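The rate-limit gap above, as an added worked illustration (this is not Testclub's code, and the service, the limiter and the one-time code are all hypothetical). A fixed-window limiter is charged once per HTTP request, so a batch endpoint that carries a thousand guesses in one request walks straight past a "five attempts per minute" policy; the fixed variant charges the limiter per guess rather than per request.

```python
"""Added illustration: a per-request rate limit that a batched endpoint bypasses.
Everything here is constructed: the OTP service, the policy and the fake clock."""


class FakeClock:
    """Constructed clock so the example is deterministic and runs offline."""

    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds


class RateLimiter:
    """Fixed-window counter: at most `limit` units of cost per `window` seconds per key."""

    def __init__(self, limit, window, clock):
        self.limit, self.window, self.clock = limit, window, clock
        self.windows = {}  # key -> (window_start, cost_used)

    def allow(self, key, cost=1):
        start, used = self.windows.get(key, (self.clock.now, 0))
        if self.clock.now - start >= self.window:  # window expired: reset
            start, used = self.clock.now, 0
        if used + cost > self.limit:
            self.windows[key] = (start, used)
            return False
        self.windows[key] = (start, used + cost)
        return True


class OtpService:
    LIMIT, WINDOW = 5, 60  # assumed policy: five verification attempts per minute per user

    def __init__(self, clock, code="4821"):
        self.code = code  # constructed one-time code the attacker is guessing
        self.limiter = RateLimiter(self.LIMIT, self.WINDOW, clock)
        self.evaluated = 0  # instrumentation: how many guesses were actually compared

    def _check(self, guess):
        self.evaluated += 1
        return guess == self.code

    def verify(self, user, guess):
        """Single-guess endpoint: the limit does what the policy says."""
        if not self.limiter.allow(user):
            return "rate_limited"
        return "ok" if self._check(guess) else "wrong"

    def verify_batch_vulnerable(self, user, guesses):
        """Batch endpoint as specified by nobody: one limiter charge per request,
        however many guesses the request carries."""
        if not self.limiter.allow(user):
            return ["rate_limited"] * len(guesses)
        return ["ok" if self._check(g) else "wrong" for g in guesses]

    def verify_batch_fixed(self, user, guesses):
        """Batch endpoint with the missing rule made explicit: a batch of N guesses
        costs N attempts, so a batch larger than the remaining allowance is refused."""
        if not self.limiter.allow(user, cost=len(guesses)):
            return ["rate_limited"] * len(guesses)
        return ["ok" if self._check(g) else "wrong" for g in guesses]


def brute_force(batch_fn, service, batch_size=1000, max_requests=20):
    """Attacker enumerates 0000-9999 in batches. Returns (code_found, guesses_evaluated)."""
    codes = [f"{i:04d}" for i in range(10000)]
    for request_no, start in enumerate(range(0, len(codes), batch_size)):
        if request_no >= max_requests:
            break
        if "ok" in batch_fn("victim", codes[start:start + batch_size]):
            return True, service.evaluated
    return False, service.evaluated


def single_endpoint_holds():
    """Six guesses at the single endpoint: five are evaluated, the sixth is refused."""
    svc = OtpService(FakeClock())
    return [svc.verify("victim", f"{i:04d}") for i in range(6)]


def compare():
    """Same attacker, same policy, both batch endpoints."""
    out = {}
    for name, endpoint in (("vulnerable", "verify_batch_vulnerable"), ("fixed", "verify_batch_fixed")):
        svc = OtpService(FakeClock())
        out[name] = brute_force(getattr(svc, endpoint), svc)
    return out


if __name__ == "__main__":
    print("single endpoint:", single_endpoint_holds())
    print("batch endpoints:", compare())
```

The scan report for this service would be clean: every endpoint has a rate limit attached. The gap only appears when you ask what "one attempt" means for a request that carries many, which is a specification question, not a code question.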
Everything is vague to a degree you do not realise till you have tried to make it precise.
AI systems are probabilistic. There is no architectural path to guaranteed correct outputs, and in agentic workflows errors compound across steps. Vendor benchmarks don't tell you how a model will fail in your environment, against your data, on your tasks.
Before deploying AI in a regulated or critical process, you need to know its failure rate empirically. Not a score on a leaderboard. A quantified, characterised assessment of how the system actually performs against your acceptance criteria, tested at scale in conditions that match production.
This is black-box testing applied to non-deterministic systems. Define inputs, define what correct looks like, run it, record pass/fail, characterise the failure patterns. The methodology is the same discipline Testclub has applied for twenty years. The target is new.
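The procedure above as an added, runnable harness (this is not Testclub's tooling). Inputs and a strict pass/fail oracle are fixed up front, every case is run many times, the observed failure rate gets a confidence interval so the sample size is visible in the result, and failures are bucketed by mode. The "model" is a constructed stand-in with seeded randomness standing in for the real call; the invoice cases and the three failure modes it exhibits are constructed too.

```python
"""Added example: black-box testing of a non-deterministic component.
The model, cases and failure modes are constructed for the illustration."""
import math
import random
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Case:
    name: str
    prompt: str
    expected: str  # the one output the acceptance criterion accepts


# Constructed acceptance cases: extract the total due from invoice text as plain digits.
CASES = [
    Case("plain_invoice", "Invoice 1042\nTotal due: £1280.50\nPay within 30 days.", "1280.50"),
    Case("small_amount", "Receipt\nTotal due: £3.99\nThank you.", "3.99"),
    Case("no_total_line", "Statement of account\nBalance carried forward.", "0.00"),
]


def make_stub_model(seed=7, flake=0.15):
    """Constructed stand-in for an LLM extraction step: usually right, but with
    probability `flake` it shows one of three failure modes (format drift,
    truncated value, refusal). A document with no total line always gets a refusal."""
    rng = random.Random(seed)
    total = re.compile(r"Total due:\s*£(\d+\.\d{2})")
    refusal = "I am unable to determine the total from this document."

    def model(prompt):
        m = total.search(prompt)
        if not m:
            return refusal
        amount = m.group(1)
        r = rng.random()
        if r < flake / 3:
            return f"£{amount}"  # format drift: currency symbol kept
        if r < 2 * flake / 3:
            return amount.split(".")[0]  # truncated value: pence dropped
        if r < flake:
            return refusal
        return amount

    return model


def passes(case, output):
    """The oracle. Deliberately strict: loosening it is a decision to record, not an accident."""
    return output.strip() == case.expected


def classify_failure(output):
    """Bucket a failing output so patterns, not just a rate, come out of the run."""
    if "unable" in output.lower():
        return "refusal"
    if output.startswith("£"):
        return "format_drift"
    return "wrong_value"


def wilson_interval(failures, n, z=1.96):
    """95% Wilson score interval for a failure rate; behaves sensibly at 0 or n failures."""
    if n == 0:
        return (0.0, 1.0)
    p = failures / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def run_trials(model, cases, trials):
    """Run every case `trials` times; one record per run: (case name, output, passed)."""
    records = []
    for case in cases:
        for _ in range(trials):
            out = model(case.prompt)
            records.append((case.name, out, passes(case, out)))
    return records


def summarise(records):
    n = len(records)
    failed = [(name, out) for name, out, ok in records if not ok]
    lo, hi = wilson_interval(len(failed), n)
    return {
        "trials": n,
        "failures": len(failed),
        "failure_rate": len(failed) / n,
        "ci95": (lo, hi),
        "by_mode": Counter(classify_failure(out) for _, out in failed),
        "by_case": Counter(name for name, _ in failed),
    }


def run_demo(trials=200, seed=7):
    return summarise(run_trials(make_stub_model(seed), CASES, trials))


if __name__ == "__main__":
    s = run_demo()
    print(f"failure rate {s['failure_rate']:.3f} "
          f"(95% CI {s['ci95'][0]:.3f}-{s['ci95'][1]:.3f}) over {s['trials']} trials")
    print("by mode:", dict(s["by_mode"]))
    print("by case:", dict(s["by_case"]))
```

Two things the summary shows that a leaderboard score does not: the interval width tells you whether the run was large enough to support the acceptance decision, and the per-case breakdown separates an input the system can never handle (here, a document with no total line) from ordinary flakiness on inputs it usually gets right.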
A consultancy built on twenty years across trading platforms, fintech, insurance, health, energy, and government, always focused on the boundary between specification and implementation, and on the gaps that live there.
Background in specifying and testing complex financial systems. Current focus: API and business logic security for organisations that understand their real risk isn't in the scan report.
Testclub operates as a senior collective. No junior staff, no learning on the job, no padding. Associates are engaged only when the work requires them, and only associates whose results we've seen first-hand.
Testclub's approach was flexible and amenable to our needs and they ensured that every effort was put in to make the project a success. There are many turn-key testing services out there; however, Testclub's ethos and knowledge applied a personal touch that really made the difference. Totally recommend Testclub and would use them again.
No decks, no pitches. Just a conversation about your system.