WATCH OWL LABS / ABOUTEST. 2024
[ ABOUT ]

Builders who turned to offense.

Watch Owl Labs is an offensive security practice for fintech, healthtech, B2B SaaS, and AI companies. We find the critical vulnerabilities your auditor, your investors, and attackers would find — before they do.

The gap wasn't capability. It was awareness.

Watch Owl Labs started with a pattern its founder kept seeing from the inside. Founder friends, former partners, and customers were shipping fast in regulated spaces — healthcare, fintech, SOC 2-bound B2B SaaS — and sitting on critical vulnerabilities they had no idea were there.

Worse, they had no idea what those vulnerabilities meant. An exposed endpoint isn't just a bug when you handle PHI or payment data — it's a reportable breach, a blown audit, a failed enterprise deal, and real legal liability under HIPAA, PCI DSS, and GDPR. The teams that needed offensive testing the most were the least aware they needed it at all.

The capability to find these issues existed. What didn't was access to it — fast, affordable, and aimed squarely at the regulated startups that couldn't wait six weeks or write a six-figure check to a legacy firm. Watch Owl Labs exists to close that gap: the offensive security a Fortune 500 gets, at startup speed and startup pricing.

OPERATOR / 01FOUNDER
Santiago Carvajal
Founder · Product Engineer

Santiago is a product engineer who spent his career building software for regulated industries — healthcare, fintech, and B2B SaaS under SOC 2. He served as Head of Product at a Y Combinator healthcare company and built technology for both big-tech companies and startups.

He moved into offensive security after repeatedly discovering real vulnerabilities in systems people assumed were safe — and realizing how few teams understood the exposure they were carrying. Since then he's built a track record finding and disclosing vulnerabilities through HackerOne and running security audits for companies, alongside advising startups.

That dual perspective — builder and breaker — is the core of how Watch Owl Labs works. We've sat in the customer's chair, under the same deadlines, shipping the same kind of code. We test accordingly.

What you can count on.

WE'VE SHIPPED IN YOUR SHOES

We come from product engineering in regulated industries — healthcare, fintech, B2B SaaS under SOC 2. We know the pressure of moving fast while an audit, a deal, and a compliance deadline all bear down at once. We test the way someone who has shipped the code would.

FINDINGS, NOT A CHECKLIST

We don't hand you a scanner export and call it a pentest. Every engagement is real, manual exploitation by a senior operator — chained attacks, working HTTP proof, the things automated tools structurally miss.

BUILT FOR THE AUDIT

A finding only matters if your auditor, investor, or enterprise buyer accepts it. Every report is mapped to the controls they check — SOC 2, PCI DSS, HIPAA, OWASP — so it lands on the first read.

Global by default.

Watch Owl Labs operates worldwide. We split time mostly between Colombia, Miami, and San Francisco, and work with US and global companies across time zones. Engagements run remotely, under written authorization and — for anything involving PHI — a signed Business Associate Agreement.

BASED /COLOMBIAMIAMISAN FRANCISCO
[ ENGAGE ]

Let's find what attackers would find.

Book a 30-minute scoping call. Tell us what triggered the search — an audit, a deal, a raise, a launch — and we'll tell you exactly what you need.