Drupal security audit and hardening, by senior engineers.
A two-week audit of your Drupal site against the OWASP Top 10, Drupal-specific risks, and the latest CVEs.
Written report with prioritized fixes, and we ship the fixes if you want.
$ drush sa-list --status=enabled
Scanning 142 modules for known CVEs...
CVE-2024-XXXX detected: Twig sandbox bypass
CVE-2024-YYYY detected: SA-CONTRIB pending
Permission audit: 47 issues
Risk score: 6.4 / 10 (Medium-High)
What the audit covers
A real audit, not a ModSecurity scan, by engineers who know Drupal internals.
Drupal core + contrib CVE inventory
Every installed module checked against the Drupal Security Advisory feed. Pending unpublished SAs flagged. Versions pinned to known-safe releases.
Permission and role audit
Every Drupal permission grant reviewed. Excessive privilege, admin paths reachable by anonymous users, and missing role boundaries flagged.
Custom code review
Manual review of every custom module for SQL injection, XSS, CSRF, access bypass, file upload vulnerabilities, and Twig sandbox abuse.
Seckit + WAF baseline
Security Kit (seckit) module configured for HSTS, CSP and X-Frame-Options. WAF rules tuned per site. Cloudflare or ModSecurity baseline checked.
Database hardening
Database user privileges, credential rotation, settings.php exposure and public-files directory traversal are all checked.
Written remediation plan
A prioritized list of every issue, severity-ranked, with fix recommendations. Suitable for board-level review or compliance sign-off.
Two weeks. One audit. Real findings.
Fixed price from $4,500 for a standard Drupal site audit. Quoted in writing after a 20-minute scoping call.
Start the audit