We find vulnerabilities in Eastern Washington's infrastructure before the adversaries do. No scare tactics. No fine print. Just a neighbor who genuinely cares.
Spring Creek runs through the Blue Mountains — our backyard. So does our commitment.
We protect the organizations that keep Eastern Washington running — city governments, rural hospitals, utilities, co-ops, schools. We care deeply about this region. That's not marketing — that's why we started.
We scan your attack surface the way adversaries do — using public data, CVE intelligence, and OSINT. We show you exactly what we found and exactly how to close it. Before anyone else does.
The security industry runs on fear. We don't. When we reach out we bring a real finding on your real network, explained in plain language. You decide what to do with it.
From a single finding to ongoing coverage — whatever your organization needs.
We find real CVEs on real infrastructure and notify affected organizations — responsible, documented, no strings attached. Free because it matters.
External recon using Shodan, OSINT, and CVE databases. Know what your organization looks like from outside before someone with bad intent finds out first.
We don't just find the problem — we walk you through fixing it in plain language your IT team and your board can both understand.
Continuous scanning of your external footprint. New CVEs, subdomain discovery, historical endpoint analysis, monthly threat reports.
Adversary TTP analysis, dark web monitoring, CVE tracking. We think like attackers so your team doesn't have to.
Transparency is the foundation of trust.
Our methodology is passive. Spring Creek Cyber conducts vulnerability research using publicly available data sources — Shodan, WHOIS, DNS records, certificate transparency logs, and public CVE databases. We do not probe, access, or interact with systems we are not authorized to test.
We disclose in good faith. When we identify a vulnerability affecting an organization in our region, we notify the affected party directly with a clear description of the finding, its potential impact, and recommended remediation steps. We ask for nothing in return.
We never publish without notice. If we identify a critical vulnerability we will notify the affected organization and allow reasonable time for remediation before any public disclosure. We follow coordinated disclosure principles.
We are not a threat. Our goal is a safer Eastern Washington. If you received a disclosure from us and have questions, reach out at [email protected]
Whether you received a disclosure, want to know your exposure, or just want to connect — we're here.
Send EmailThis work is done because it matters — not because it pays. If you'd like to help keep the lights on or support causes we believe in, here's how.
Vulnerability research, disclosure work, and community monitoring takes real time. If a disclosure helped your organization or you just want to support the mission, a small contribution goes a long way.
Support the work →We need more people in cybersecurity — especially people who are underrepresented today. Girls Who Code is building that pipeline. If you believe in that mission, consider supporting them directly.
Support Girls Who Code →Healthcare organizations are among the most targeted by ransomware — and among those who can least afford it. Supporting Johns Hopkins means supporting the research and care that communities depend on.
Support Johns Hopkins →Spring Creek Cyber does not receive any portion of donations made to Girls Who Code or Johns Hopkins Medicine. These are causes we believe in.