June 2, 2026

SEAL Certification Goes Live: Composable Security in the First Accreditation Cohort

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

Today the Security Alliance (SEAL) announced that its Certification program is moving from pilot into live engagements.

Composable Security is in the first accreditation cohort, alongside Trail of Bits, OpenZeppelin, Cyfrin, ChainSecurity, Quantstamp, Zellic, and a handful of others. Here is why this matters, and why we think the standard will be widely adopted fast.


What SEAL just shipped

SEAL is the nonprofit ISAC for crypto. They run SEAL 911, SEAL Intel, and the open-source SEAL Frameworks, with backing from a16z, Paradigm, Ethereum Foundation, Dragonfly, and Vitalik Buterin. SEAL Certification is their newest initiative: an open-source certification program that evaluates a protocol’s operational practices across six domains:

  • Multisig Ops
  • Treasury Ops
  • Incident Response
  • DNS & Registrar
  • DevOps & Infrastructure
  • Identity & Accounts

Certification is a single pass/fail decision across the full agreed scope. Protocols that meet the bar receive a formal on-chain attestation, publicly and cryptographically verifiable. The framework itself is open and free: frameworks.securityalliance.org/certs/overview.


Why it will be adopted fast

Most major crypto incidents this cycle were not smart contract bugs. They were operational: compromised signers, mismanaged multisigs, DNS takeovers, leaked credentials, missing incident response playbooks. A code audit will not catch any of that, because the code is not the issue. SEAL Certification is built specifically for that gap.

The six domains map almost one-to-one onto the incident classes that have actually been hurting protocols this cycle. Once a credible standard exists, users, investors, and institutions will start asking for it. The teams that move first will have the cleanest signal.


Why we are doing this

We are in the first accreditation cohort, which means our first SEAL Certification engagement is supervised by SEAL end-to-end. Once we have demonstrated we can assess independently to the standard, we are fully accredited. We are open about that timeline: it is how SEAL guarantees consistency across firms in the program.

Two things make Composable Security a natural fit for SEAL’s operational standard.

We created SCSVS. The Smart Contract Security Verification Standard is the open standard the industry uses to evaluate smart contract code. We wrote it because we wanted a shared “what good looks like” across the smart contract layer. We see SEAL Certification as the operational counterpart to SCSVS. The two standards together cover almost the full attack surface of a modern protocol.

Our security work has always gone beyond the code. Both founders spent years doing traditional Web2 and infrastructure security audits before founding Composable in 2022. That background, combined with how we have run audits ever since, is exactly what SEAL Certification evaluates.

A few examples from the public record:

  • Lido Oracle V5: a Python service for validator reporting and operator logic.
  • Evojam custom blockchain review: a full custom-chain implementation.
  • ChickenDAO: a Telegram-bot security consultation. React frontend plus JavaScript bot, a security review of a Web2 product touching crypto.
  • Flexy (formerly Gasbot): cross-chain gas-relayer architecture, where the off-chain relayer is the actual attack surface.

We have always treated bridges, oracles, custom infrastructure, and the operational layer around smart contracts as first-class work. SEAL Certification formalizes that.


What an engagement looks like

The SEAL-defined process is:

  1. Scoping: we align with you on which controls apply and what infrastructure is in scope.
  2. Evidence collection: you gather documentation and evidence that your practices meet the framework controls.
  3. Assessment: we review evidence against the open-source criteria.
  4. Remediation: if there are gaps, we give you concrete recommendations and you implement fixes.
  5. Certification: when you meet the standard, you receive the on-chain attestation.

An engagement runs a few weeks from scoping to certification. Pass/fail is binary across the full agreed scope, so most teams find gaps the first time through and close them before they pass. That remediation work is usually the highest-leverage security spend of the year, separate from the badge itself.


Talk to us

The fastest path is the official SEAL route. Sign up for the SEAL Certification waitlist and list Composable Security as the firm you want to go through this with: securityalliance.typeform.com/CertsWaitlist. SEAL will route the engagement to us directly.

If you would rather talk to us first, email info@composable-security.com, DM us on Telegram at @drdr_zz or @wh01s7, or message your usual contact on our team. We will help you scope the engagement and walk you through the SEAL waitlist submission.

If you want to read the standard before any of this, it is fully open: frameworks.securityalliance.org/certs/overview.

Read the full SEAL announcement here:

https://radar.securityalliance.org/seal-certifications-auditor-accreditations-protocol-assessments

