← thrum blog post / labs

What is Thrum Labs?

Thrum Labs is our Enterprise partnership track for protocol teams (L2s, rollups, bridges, infra) that want Thrum to become a release gate for security, not just a scan tool for common attack surfaces.

We deliver (i) continuous assurance and (ii) protocol-specific detectors/invariants maintained on an ongoing basis for any changes on- and off-chain (examples include Fusaka upgrade for on-chain changes, US OFAC's stance on TC for off-chain changes).

(1) Labs includes:

  • continuous assurance: near-unlimited scans used to enforce release gates (build/merge/release checks) as part of the software delivery workflow in regards to the security of the protocol.
  • custom detectors and protocol-specific invariants: rules written and tuned for a specific protocol’s architecture, with ongoing tuning and roadmap alignment.
  • private cloud option: isolated and extensive test suites/execution networks plus enterprise controls (RBAC/SSO, audit logs, retention/export controls).
  • optional 24/7 incident response retainers: guaranteed Thrum team response during incidents and structured post-incident hardening. During off-hours, we off-source to the best engineers for the job.

(2) Labs, contrary to popular belief, can be part of any protocol's success. We typically do the following before introducing Labs as an Enterprise option:

  1. Discovery call: define workflow, threat model, success criteria, and integration surface.
  2. Pilot: fixed supply of scans for your protocol with the intent to discover subtle zero-days missed during conventional audits; serves as a route to prove value.
  3. Bootcamp: if we impressed you during the Pilot, we offer a 5-day paid workflow embedding to integrate into CI/CD and establish gating/triage processes for your organization.
  4. Labs: features ongoing continuous scans, release gates, an optional private cloud, and custom detectors/invariants specific to your teams' tooling, invariants, and external technologies.

The commercial structure is pretty simple:

  • Core usage is credit-based scanning. Enterprise customers may purchase credits via a prepaid commitment.
  • Labs is sold on quarterly retainers including all defined in (1).
  • Bootcamp is defined as a fixed-scope engagement. If the customer signs a continuous credit package within 5 days after Bootcamp completion, the Bootcamp fee is credited toward the Enterprise engagement.

security / research inquiries → vlad@usatii.com