Firmware Risk Check

A practical second opinion for security‑sensitive embedded firmware

Hi, I’m Mike Tolkachev. I spend most of my time reviewing and building firmware that handles secrets, authentication, and updates under real-world constraints. The Firmware Risk Check is my way of giving teams a peer-level second opinion when they want to be more certain that no critical security assumptions or attack surfaces are being overlooked.

THE REALITY

Why teams ask for a second pair of eyes

Most firmware problems do not come from lack of skill.
They come from pressure:

  • tight schedules

  • growing codebases

  • mixed legacy and new code

  • changing requirements

In that environment, the most serious firmware risks rarely live in cryptography itself — they emerge at boundaries between components and assumptions made months apart.

Many teams also use AI-assisted tools to move faster — for exploration, refactoring, or filling gaps. That speed is useful, but it can allow risky assumptions to pass through without focused review.

The question is usually not: “Is this perfect?” But:

“Is there anything here that should worry us before we move forward?”

WHAT THIS CHECK ACTUALLY DOES

What the Firmware Risk Check provides

The Firmware Risk Check is a focused risk-triage review meant to reduce blind spots that naturally appear under delivery pressure.

This is not an exhaustive audit, penetration testing, certification or compliance sign-off. It’s an early-stage check, intended to surface architectural and implementation risks before they become embedded in the system.

It helps teams:

  • spot obvious and non‑obvious red flags

  • understand why they matter in real systems

  • see where attention and effort matter most

It functions as a technical gut check—helping teams decide what deserves deeper work before time and budget are committed.

ABOUT ME

Who is behind the review

I work on security-sensitive embedded firmware in real products — systems that handle secrets, authentication, trusted boot, and firmware updates. This includes hardware wallets, Ledger applications, encrypted storage, and secure communication devices.

Earlier in my career, I was the technical lead responsible for end-to-end development of cryptographic systems for encrypted radios. Those systems had to stand up to external security audits, including FIPS 140-2 CMVP and regional standards.

Working under that level of scrutiny shaped how I evaluate attack surfaces, key lifecycles, update mechanisms, and failure modes — especially in constrained embedded systems.

This is the perspective the Firmware Risk Check is built on.

HOW IT WORKS

When a focused review makes sense

The Firmware Risk Review is appropriate when security logic spans multiple firmware components or trust boundaries — especially when those parts evolved over time or across teams.

This becomes particularly relevant when devices are close to shipping or already deployed.

Where relevant, firmware risks are evaluated in the context of hardware trust boundaries and update chains.

To keep it effective, it starts with a short application:

1. Context

You describe your system and specific concerns.

2. Confirm

We confirm whether a focused review is the right fit.

3. Scope

Scope and pricing are defined before any work begins.

Firmware Risk Consultation

$450

live session

A focused live design check of key assumptions or one selected firmware path.

  • One 90-minute live technical session

  • Brief context shared in advance

  • Written risk summary after the session

  • Best for fast feedback on a specific concern

Deliverables:
✓ Written risk summary
✓ Key design assumptions noted
✓ Actionable follow-up notes

Firmware Risk Review

from $2,800

application required

For systems where security logic spans multiple components or trust boundaries.

  • Asynchronous review

  • NDA available if needed

  • Scope & price agreed after application

  • Typical delivery: 5+ business days

Deliverables:
✓ Written structured risk review
✓ Prioritized findings with context
✓ Notes on design assumptions

Mike Tolkachev

© 2026 Mike Tolkachev. All rights reserved.
Technical consulting in embedded systems and firmware security.
Services provided by NEXEMBED (Brazil, CNPJ 58.569.626/0001-01)


Last updated: 2026

Terms, Refunds & Privacy

1. Service Provider

NEXEMBED is the trade name of NEXEMBED SOLUÇÕES EM SOFTWARE E ELETRÔNICA LTDA, Brazil (CNPJ 58.569.626/0001-01), referred to as “Company”, “we”, “us”, “Service Provider”. Registered address: SCN Q1 Bl. A, Sala 1102 (Parte), 14F, Ed. Corporate Number One, Asa Norte, Brasília-DF, 70711900, Brazil. This website and the services described are operated by Mikhail Tolkachev, acting on behalf of the company.

2. Definitions

  • “Client” / “you” means the person or entity purchasing the Services.

  • “Services” means time-based consultation calls and/or asynchronous technical reviews as described in a written scope agreed by email or other written communication.

  • “Deliverables” means the written reports, summaries, findings, or notes specifically created for the Client under the agreed scope.

  • “Client Materials” means any documentation, source code, binaries, firmware images, logs, hardware access, credentials, or other information the Client provides.

3. Terms of Service

Services are provided as professional technical reviews and consultations, including:

  • Time-based consultation calls, and

  • Asynchronous technical reviews based on materials provided by the client.

Asynchronous reviews may include written analysis, structured feedback, and prioritized findings, as agreed in advance.

Services consist of technical analysis, discussion, and professional opinion based on the information available at the time of review. They do not constitute legal, financial, or investment advice. We do not guarantee any specific outcomes, certification results, vulnerability findings, commercial success, or security posture improvements. The client remains solely responsible for decisions and actions taken based on the services.

4. Scope, Delivery & Changes

For asynchronous reviews, scope, price, and delivery timeframe are agreed in writing before work begins. Once work has started, changes to scope may require a revised agreement, timeline, or fee.

Delivery timelines are estimates and depend on timely access to required Client Materials, including documentation and technical context.

The Client is responsible for ensuring that:

  • it has the rights and authorization to provide the Client Materials and request the Services;

  • any access provided (devices, firmware, systems, accounts) is lawful and permitted by the relevant owners;

  • requesting and receiving the Services complies with applicable export control and sanctions laws.

5. Intellectual Property

All Deliverables specifically created for the client as part of a consultation or review — including written summaries, findings, and follow-up notes — become the client’s intellectual property upon full payment.

The Service Provider retains ownership of pre-existing materials, methodologies, tools, templates, and general know-how used to produce the deliverables.

The Client grants the Service Provider a limited, non-exclusive license to use provided materials solely for the purpose of delivering the agreed services.

The Service Provider may use anonymized, non-confidential examples from work performed as case studies or portfolio pieces, unless otherwise agreed in writing or explicitly objected to by the Client.

6. Payment Terms

Payment is due in full in advance for all Services, including both asynchronous reviews and consultation calls, as agreed during the scoping phase.

Accepted payment methods include PayPal and bank transfer, subject to availability.

Currency: All prices are quoted in USD.

7. Refunds & Cancellations

Consultation calls may be cancelled and refunded if cancelled at least 24 hours before the scheduled start time. Once a session has started or has been completed, fees are non-refundable. Missed sessions or no-shows are not refundable.

Asynchronous reviews are non-refundable once the Service Provider has confirmed in writing that analysis has begun, as they involve reserved time and analysis effort.

Refunds, if eligible, will be processed via the original payment method within 10 business days.

8. Privacy

Information collected

When you use the contact form on this website, you may voluntarily provide personal information such as your name, email address, and project details. This information is collected only for the purpose of responding to your inquiry.

For service delivery, Client may provide additional technical information and project materials as required.

How information is used

Information is used solely to:

  • respond to messages and requests

  • communicate regarding potential collaboration or services

  • deliver the agreed consultation or review services

Personal information is not sold and is not shared with third parties for marketing purposes.

Data storage

Information may be stored securely in email, document, or messaging systems used for professional business communication. No automated profiling, tracking, or behavioral analysis is performed.

Third-party services

Scheduling, communication, and payment may be handled by third-party service providers.
These providers process data only as necessary to deliver the requested service.

Cookies

This website does not use tracking cookies or analytics tools.

Your rights

You may request access to, correction of, or deletion of your personal data at any time by contacting us directly.

Legal basis for processing: Legitimate business interest and contract execution (LGPD Articles 7 and 10).

Data retention: Personal data is retained only for as long as necessary to fulfill the stated purposes or comply with legal obligations, typically up to 5 years for tax compliance.

International transfers: Client data may be processed by third-party services located outside Brazil. We ensure adequate protection measures are in place.

LGPD Rights: Under Brazilian data protection law, you have the right to access, correct, delete, port, and object to processing of your personal data. For clients in other jurisdictions, equivalent data protection rights apply under applicable law.

As a small business processor, we have not designated a separate Data Protection Officer. Privacy inquiries should be directed to [email protected]

9. Confidentiality

We will keep the client’s non-public information confidential and use it only to provide the Services. This does not apply to information that is already public, developed independently by us, or required to be disclosed by law or a court order (in which case we will notify the client when legally allowed).
Where required, a non-disclosure agreement (NDA) can be executed prior to the start of work.

10. Disclaimer of Warranties

The Services and Deliverables are provided on an “as is” and “as available” basis. To the maximum extent permitted by law, we disclaim all warranties, express or implied, including implied warranties of merchantability, fitness for a particular purpose, and non-infringement.

11. Limitation of Liability

To the maximum extent permitted by law, Service Provider and its representatives shall not be liable for any indirect, incidental, special, consequential, or punitive damages, or any loss of profits or revenues, whether incurred directly or indirectly.

Total liability for any claim arising from services provided shall not exceed the amount paid by the client for the specific service in question.

12. Governing Law & Disputes

These terms are governed by the laws of Brazil. Any disputes shall be resolved through good-faith negotiation first. If unresolved, disputes shall be subject to the jurisdiction of the courts of Brasília, Federal District, Brazil.
For international clients, parties may agree to alternative dispute resolution or arbitration as mutually acceptable.

13. Force Majeure

Neither party shall be liable for failure or delay in performing obligations due to circumstances beyond reasonable control, including but not limited to natural disasters, war, terrorism, epidemics, government actions, infrastructure failures, or the unavailability of essential personnel due to serious illness, injury, or medical incapacity.

In such cases, performance timelines may be extended by a reasonable period. If the inability to perform continues beyond a reasonable time, either party may terminate the affected services, and the Client will be entitled to a pro-rata refund for undelivered portions of the Services.

14. Contact

For questions regarding these terms or data handling, contact:
[email protected]
