Preparando a próxima tela com calma e sem perder o contexto.
Preparando a próxima tela com calma e sem perder o contexto.
Founder
I review production SaaS with the judgment of someone looking for real impact: where login, billing, data, and permissions can become lost revenue, exposure, or a blocked B2B sale. No jargon: evidence, priority, and fixes a founder can act on.
// Who signs
I’m Gabriel L. Ferreira, founder and lead pentester at RET Tecnologia. I spend my days looking at production SaaS the way an attacker would: hunting for where login, billing, permissions, and data can turn into loss, exposure, or a blocked B2B sale. RET exists because building products with AI got fast — and reviewing what was built fell behind. I don’t come from security marketing; I come from breaking things with authorization and explaining, in plain language, what it costs. Every report carries my name because that’s how I trust my own work.
I don’t ship a scary list of alerts. I ship what breaks, why it matters in money or data, and what to fix first. If it can’t be reproduced, it isn’t a finding.
Nothing is tested without signed scope, an agreed window, and a clear boundary of what won’t be touched. Serious security starts with rules of engagement, not surprises.
The report is for a decision. I write for the business owner and the developer at once: no useless jargon, impact explained in terms of revenue, access, and trust.
When I find something in research, I report it with minimal evidence and follow the fix. Public proof only with authorization from whoever was fixed.
Roots
I started in offensive security and research, reporting real flaws with minimal evidence and accountability. That’s where it became clear the problem is rarely an exotic exploit — it’s loose access control, a poorly drawn boundary, and a payment flow that trusts the client.
Focus
Vibe coding made the MVP appear in days. But login, per-customer isolation, checkout, and permissions are still the part nobody reviews before selling. RET was born to close exactly that gap, with a human eye where automated tooling can’t reach.
Method
I organized my way of hardening products into what I call Cascavel internally: a forensic hardening method that treats the application as a surface to be armored in layers — containment, isolation, and verification — instead of a generic checklist. It’s the backbone of every review and of how RET’s own site is built.
Ladder
Instead of selling pentest to everyone, I built a ladder: Promptbook for the first paid review, AuditMySaaS to watch what changes, Risk Review for the human read that decides, and Manual Pentest to prove what breaks. Each rung escalates only when risk asks for it.
Proof
On Find My SaaS I reported three real flaws — an S3 upload, an inflatable metric with 564 simulated clicks, and an invalid social login on a sensitive route — with a public fix and acknowledgment from Mano Deyvin. It’s the external proof the method works off the slide.
The name isn’t decoration. Cascavel (the pit viper) is the idea of a defense that warns before it bites: layers that contain, isolate, and verify, so a flaw in one spot doesn’t become total access. I apply it both to reviewing a client’s SaaS and to hardening this very site.
In practice, it means distrusting external context, requiring server-side ownership checks, isolating data per customer, and never letting "works in the demo" be mistaken for "holds real customers".
I don’t promise total security — no one serious does. I promise to show what breaks, with evidence, priority, and a fix your team can actually apply. If your SaaS already has people paying, customer data, or a B2B proposal on the table, this is the moment to leave "it should be safe" behind.
If you want to see the work up close, the code and public research live on GitHub. To talk about scope, the path is the Pentest page.
If you’ve read this far, you probably already feel the product grew faster than its review. That discomfort is exactly what I help turn into clear priority, with evidence instead of guesswork.
Where to find me

Eu sou Gabriel L. Ferreira. Eu reviso SaaS como pentester sênior e como alguém que entende produto em produção: procuro o ponto em que login, cobrança, dados ou acesso podem virar perda de dinheiro, exposição ou bloqueio em venda B2B.
Gabriel L. Ferreira
Fundador e pentester líder