We’re developing an open-source security certification program built specifically for crypto projects, covering the operational gaps that code audits miss. We’re starting with 5 modular certifications (incident response, multisig ops, treasury ops, workspace security, DNS security) and want your input on our proposed criteria before we begin issuing formal certifications in 2026.

Current Status:

  • 15+ organizations are testing our frameworks in pilot programs.
  • We’re working with accreditation partners to establish the formal certification process.
  • All assessment materials are freely available for self-evaluation today.
  • You can now review and contribute to the proposed criteria.

Over the past few years, we’ve watched the industry mature in remarkable ways. Code audits have become standard practice. Bug bounty programs are table stakes. Smart contract security tools have evolved into production necessities.

Yet, for every headline-grabbing exploit that stems from a missed edge case or novel attack vector, there are just as many incidents that could have been prevented with better operational security practices. The bridge that was drained because of compromised admin keys. The protocol that lost funds due to a phishing attack on a core contributor. The DAO that couldn’t respond effectively when an incident occurred because they’d never actually tested their emergency procedures.

While we (as a community) have gotten much better at securing code, today’s Web3 protocols are more than just smart contracts, and we need to catch up.

Traditional security frameworks like SOC 2 and ISO 27001 are still valuable, and many Web3 organizations will eventually need them. But they weren’t designed for crypto’s operational realities, including protocols with $100M TVL run by small, distributed teams, or even solo developers. We want to provide a practical starting point tailored to crypto’s unique challenges, while building toward those traditional frameworks.

Our Newest Initiative: SEAL Certifications

We’re developing SEAL Certifications to give projects a structured path toward verifiable security maturity.

Here’s our proposed approach:

  • Open source and community-driven. Formal certification services will be provided by accredited implementation and audit firms who will set their own pricing. However, access to all SEAL frameworks and assessment checklists will remain free and open source.
  • Crypto-native by design. Instead of trying to retrofit traditional frameworks onto Web3 operations, SEAL Certifications starts with the actual threats and operational patterns we see in this ecosystem. Multisig governance procedures. Access control for treasury operations. Incident response for on-chain protocols. These aren’t afterthoughts but core to the framework.
  • Modular and progressive. Rather than requiring organizations to boil the ocean, SEAL Certifications breaks down into focused, domain-specific certifications. We’ve designed this to avoid death-by-a-thousand-cuts with endless requirements. Want to demonstrate that you have robust incident response procedures? Start with the incident response certification. Need to show sophisticated treasury security practices? There’s a dedicated certification for that too. Organizations can build up their certification profile progressively, addressing their highest-priority areas first without getting overwhelmed by everything at once.
  • Publicly and cryptographically verifiable. Certifications are issued as on-chain attestations through Ethereum Attestation Service (EAS), creating an immutable record of your security posture that anyone can check. No more hoping that people will take your word for it.

Proposed Certification Domains

We’re starting with certifications covering the most critical operational areas. We’re seeking community feedback on whether our criteria for each one are comprehensive, practical, and address the right priorities:

  • Incident Response covers incident detection, response procedures, team coordination, and emergency operations. Building on our existing SEAL 911 methodologies, organizations can demonstrate they have robust incident response procedures, monitoring capabilities, and tested playbooks.
  • Multisig Ops addresses multisig governance, signer security, transaction verification, and emergency procedures. This certification ensures your multisig operations follow best practices that prevent the most common mistakes.
  • Treasury Ops focuses on treasury architecture, transaction security, DeFi risk management, and operational controls. Protocols can demonstrate they manage treasury operations with appropriate security controls and risk management procedures.
  • Workspace Security covers device security, account management, credential handling, and employee lifecycle management. This addresses the human element – ensuring your team’s day-to-day operations don’t become your weakest link.
  • DNS Registrar addresses domain management, DNS security configurations, and registrar account protection. This certification covers domain inventory and classification, access controls with MFA requirements, technical security controls including DNSSEC and email authentication (SPF, DKIM, DMARC), continuous monitoring for unauthorized DNS changes, and incident response procedures for domain hijacking scenarios. 

Pilot Program Validation

We’re not building this in a vacuum. We’re currently running pilot programs to validate our frameworks against real operational challenges and ensure that the certification process provides genuine value rather than just paperwork. More than 15 organizations are currently participating in these pilots, including: 

  • a16z Crypto
  • Commit Boost
  • Dragonfly
  • Ethena
  • EthZilla
  • Filecoin Foundation
  • Lido
  • Nexus Mutual
  • Nomic Foundation
  • Pendle
  • Pier Two
  • Scroll
  • Synthetix
  • The Ether Machine
  • Uniswap Foundation
  • ZKsync

What we’re hearing from early participants is encouraging. There’s genuine demand for structured approaches to operational security that go beyond ad-hoc measures. Organizations want to demonstrate their security maturity to users, partners, and investors, but they need frameworks that actually make sense for how Web3 protocols operate.

More importantly, we’re seeing concrete market validation. Institutional investors are specifically asking about operational security standards during due diligence, while insurance carriers are beginning to offer preferential rates for protocols that can show comprehensive risk management.

How to Provide Feedback 

For Protocols and Organizations

Start by reviewing our proposed criteria using the open-source checklists. These frameworks are freely available and provide a clear picture of what we’re proposing.

If you’d like to discuss the frameworks with SEAL security experts, we offer free one-hour consultations to walk through the proposed criteria and hear your feedback. Use this form to request a call with our team.

We've also built SEAL Certifications to be a living framework that evolves with the ecosystem. If you see opportunities to improve existing checklists or want to propose new certification domains, we encourage you to contribute. Our contribution guide walks through the process here.

For Security Researchers and Audit Firms

We welcome contributions from security researchers who want to help refine existing frameworks, propose new certification domains, or share lessons from the field. Please use our contribution guide if you want to get involved.

For audit firms and security consultancies, we’re building an accreditation program that will allow qualified firms to issue formal certifications and provide implementation support to protocols starting in 2026. If your firm is interested in becoming an accredited issuer, you can contact us using this form.

Timeline

Now through December 31, 2025: Request for Comments period. We’re seeking community feedback on our proposed certification criteria and working with our pilot organizations to refine the frameworks.

1Q 2026: Begin issuing formal certifications through our network of accredited partners.

The immediate priority is finalizing our auditor accreditation program. We’re establishing rigorous standards for firms that want to issue formal certifications and provide implementation support. This program will create a network of qualified security partners who can help organizations achieve certification while maintaining the quality and rigor that makes SEAL Certifications meaningful.

Beyond the accreditation program, we’re focused on making SEAL Certifications increasingly valuable for the organizations that achieve them. This includes building partnerships with insurance providers who can offer preferential rates for certified protocols, and developing industry-wide benchmarks that let organizations understand how their security posture compares to peers.

Looking further ahead, we’re working on formal mapping between SEAL Certifications and traditional compliance frameworks like SOC 2 and ISO 27001. Our goal is to ensure that the work organizations put into achieving SEAL Certifications directly translates to progress toward these traditional standards. Organizations shouldn’t have to choose between crypto-native frameworks and institutional requirements. They should be complementary paths that reinforce each other.

Building Crypto’s Strategic Security Foundation

This new initiative doesn’t exist in isolation. SEAL Certifications is the natural evolution and integration of our core initiatives, creating a reinforcing ecosystem of security capabilities.

SEAL 911 delivers real-world incident response when protocols face active threats. Every emergency response we handle feeds back into our frameworks and certification requirements. The playbooks we’ve developed through hundreds of incidents directly inform our SCF-Incident-Response certification standards. Organizations that achieve incident response certification aren’t just checking boxes but adopting procedures that have been validated under fire.

SEAL Intel creates the threat intelligence feedback loop. Shared threat intelligence helps organizations identify emerging attack patterns and operational vulnerabilities before they become widespread problems. We use this intelligence to update our certification requirements as new threats emerge.

SEAL Frameworks provide the foundational knowledge base. These open-source best practice guides have been battle-tested across protocols and form the technical backbone of our certification standards. When organizations pursue SEAL Certifications, they’re building on proven methodologies rather than starting from scratch.

SEAL Certifications tie it all together by creating verifiable standards and market incentives for adoption. Organizations can demonstrate they’ve implemented SEAL Frameworks, are prepared for SEAL 911-style incident response, and connect to SEAL Intel’s threat intelligence network.

This creates a virtuous cycle. Better frameworks lead to more effective certifications and broader adoption of mature security practices. Each initiative is intentionally designed to make the others more valuable.

This comes at a critical time. With institutional adoption and regulatory clarity emerging globally, the protocols that survive and thrive will be those that can demonstrate enterprise-grade operational security.

We’re seeing a bifurcation in the market. Protocols with demonstrable security standards can reassure users and attract institutional capital. The insurance market for DeFi protocols is finally maturing, but carriers want to see standardized risk assessments. SEAL Certifications creates the framework they need to underwrite policies.

Beyond insurance access, certified protocols offer institutional investors a quantifiable reduction in tail risk exposure and operational failure vectors they actually care about. This translates to streamlined due diligence frameworks, reduced operational risk premiums, and ultimately better risk-adjusted returns that improve capital efficiency metrics.

But beyond the immediate benefits to individual organizations, SEAL Certifications represent something bigger – a shared commitment to raising security standards across the entire ecosystem. When we have common frameworks and benchmarks, we can measure progress and hold ourselves accountable to continuously improve our collective security posture.

The crypto industry has always been defined by its willingness to experiment and iterate. SEAL Certifications applies that same philosophy to operational security: starting with practical frameworks that address real problems, testing them against actual use cases, and evolving them based on what we learn.

Your feedback will shape the final certification standards. Help us get this right.

Resources: 

Review our proposed certification frameworks: https://frameworks.securityalliance.org/certs/overview 

Join the waitlist for a consultation with SEAL: https://securityalliance.typeform.com/CertsWaitlist

Become an accredited auditor or firm: https://securityalliance.typeform.com/CertsAuditor

Have questions? Contact us at [email protected].
