Most shops do one of these. GMTek does the whole arc — hardening businesses against real attackers, watching them around the clock, and building the AI systems and websites that run on top. Start anywhere; the lanes connect.
Langley, WA · Incident response · Local-first · Licensed & Insured LLC
Plenty of businesses come to us mid-emergency — fake orders piling up, an admin account that isn't theirs, a checkout that just stopped taking cards. Others come to build: a phone line that never goes to voicemail, a website that actually generates leads, a private AI system the data can't leave. Either entry point is fine. What's different is that the same hands that find the problem also fix it, watch it after, and build on top — so the work compounds instead of getting handed off and dropped.
When something's already wrong — fake orders, an unfamiliar admin, a card-testing wave — we walk in, find it, evict it, and harden what's left. When nothing's wrong yet, we close the doors before someone finds them open. Either way the deliverable is forensic-grade work explained in plain English you can actually act on.
Multi-phase hardening — custom REST-API and XML-RPC hardening plugins, 2FA, brute-force throttling, full audit logging, and least-privilege user cleanup. Built and validated phase by phase, not a one-click plugin and a prayer.
Track-and-evict incident response on a live attacker. In real engagements we've walked in on an active intruder, terminated the session, blocked 36 hostile IPs, and killed a card-testing wave at the checkout — then captured the forensic trail behind it.
Checkout-layer remediation under merchant-of-record enforcement, including a custom checkout scrubber shipped across 14 storefronts. The work that gets a payment gateway turned back on — and keeps the processor off the operator's back.
Migration onto Cloudflare with a Pro WAF and managed rule sets in front of the origin. The edge does the heavy lifting — most hostile traffic never reaches the application at all.
SPF, DMARC, and DKIM aligned so the domain can't be spoofed; CAA records pinning who may issue certs; HSTS so browsers refuse to downgrade. The quiet layer most sites never get right.
Every engagement closes with a written summary an owner can read — what happened, what we changed, what to watch for. Forensic detail when you need it, no jargon wall when you don't.
Scoped as a one-time engagement at founder-tier ranges, priced to the size of the surface — a single site, a checkout fire, or a full portfolio. Bigger portfolios scale per-install. We'll quote it straight and find a number that works. Most lockdowns roll into a Vilkas retainer.
Hardening a site is a moment in time — attackers come back. Vilkas is GMTek's own sentinel platform and the always-on layer that turns a one-time lockdown into an ongoing relationship. Sub-2-second detection, automatic tier-1 blocking, file-integrity monitoring, and account-watch on the surfaces that matter, all reporting to a channel you and we both see.
Canary tripwires, host file-integrity, account-watch, source-IP attribution, GreyNoise pre-filtering, reputation-kill, and tier-1 auto-block — running on your perimeter and pinging your phone the instant something hostile lands. Destructive actions run shadow-mode-first, so Vilkas earns trust before it acts. This is the recurring layer that keeps a lockdown locked down, with us on call when a tripwire fires for real.
The lead that goes to voicemail is the lead that calls your competitor. We build AI voice receptionists that pick up every time, route the details into your systems, and never have an off day — plus the workflow automation and custom apps that take the busywork off your team. Built on the same hardened, HMAC-verified plumbing we'd trust ourselves.
Vapi-based AI receptionists that answer, qualify, and capture every lead. Live in the field today — a receptionist named "Sarah" handling calls for a roofing & gutter client, and a pair, "Ruby + Rudy," fielding the phones for a specialty auto shop.
Calls and messages route through Cloudflare Workers into Telegram and Google Sheets, secured with HMAC signature verification so nobody can forge a lead into your pipeline. The intake plumbing is built like the security work — because it is security work.
n8n workflows that glue the tools you already use — CRM, calendar, intake forms, messaging — into one flow. The repetitive handoffs that eat a team's day, automated and observable.
Bespoke business apps when off-the-shelf won't fit — for example, a custom intake-and-triage app sitting over WooCommerce, a payment gateway, and a shop-management system, built around how that business actually takes work in.
Booking, intake, follow-up, and CRM updates wired together so a captured lead becomes a booked job without anyone re-typing it. Less swivel-chair, fewer dropped balls.
Every captured lead and key event lands where you'll actually see it — phone, Telegram, the channel you live in. No new dashboard to remember to check.
Priced as a custom build plus a monthly retainer — the build stands up the receptionist, workflows, and app; the retainer covers the AI usage, hosting, tuning, and on-call changes as your business shifts. Scoped to what you're automating; we'll quote it straight.
A website should be fast, look like nobody else's, and actually put leads into your intake — not a forgotten spreadsheet. Whether it's a full facelift of a tired site or a fresh build, we work in static and Cloudflare Worker sites with real client photos (never stock), each with a distinct visual identity, then do the local-SEO groundwork that gets a service business found in the map pack and the search results that matter. The fastest way to see what we do is to look — these are concept redesigns we built to show range.
Concept demo: DiRTFish Rally School · Motorsport · Redesign concept
Concept demo: Proformance Racing · Motorsport · Redesign concept
Concept demo: Hein Marine · Marine · Redesign concept
Concept demo: Pacific GP · Construction · Redesign concept
The concept redesigns above are hosted on our own infrastructure to demonstrate range; see the full set on the Work page.
Static / Cloudflare Worker builds that load instantly and use your real photos — every site gets its own visual identity, not a recolored template. The page is the first impression; we make it count.
JSON-LD structured data — LocalBusiness, Service, and FAQ schema — so search engines understand exactly what you do and where. Google Business Profile setup and Search Console standup so you show up and can see it working.
Performance tuned to Google's Core Web Vitals and per-page Open Graph images so the site is fast for visitors, favored by search, and looks sharp every time someone shares a link.
Forms and calls feed straight into the receptionist and automation layer — a lead from the site becomes a tracked, followed-up lead, not a row in a spreadsheet nobody opens.
Search Console set up and the structured data validated, so new pages get indexed in hours and you can prove the SEO work is landing instead of hoping.
We shoot or source genuine client imagery — never Unsplash filler — and build a look that fits the business. Customers can tell the difference, and so can you.
Sold as fixed-scope engagements so you know the number up front. Web and Local SEO pair naturally — and they bundle well with a receptionist build, since a site that generates leads needs something on the other end to catch them.
For regulated, IP-sensitive, and privacy-critical work, the right answer often isn't a cloud subscription — it's a system built around how your team actually works, running on hardware you control, where the data can't leave the building. We design those systems, deploy the models locally, and put guardrails on any cloud egress that remains.
Bespoke systems designed for how your team actually operates — not a generic tool you bend your process around. The software fits the work, not the other way around.
On-prem model deployments (Ollama and friends) for control, privacy, and predictable cost — no per-token meter compounding, no client data leaving your network for inference.
Where cloud is used at all on regulated data, every call runs through a master-switch, content redaction, and an audit log — so nothing leaves without being gated, scrubbed, and recorded.
Candidate models are benchmarked against the incumbent on fabrication-resistance — not just aggregate scores — before they're trusted in production. We don't ship a model that makes things up.
🔧 Local-AI productization. Building a local-AI appliance to sell — not just run internally? GMTek can make it legally and operationally safe to ship: OSS license audit across the dependency tree, a clean third-party notices file, and fabrication-resistance benchmarking on the bundled models. It's the same productization gate we run on our own products before they go out the door — proven by shipping them. See the products we ship.
Scoped per system — a discovery phase to map the workflow and constraints, then a build, then optional ongoing support. Local-first deployments typically pair a hardware/setup engagement with a flat retainer for patches, model-roster reviews, and on-call.
Tell us what's wrong, what you want watched, or what you'd build if it existed. Emergency IR, a hardening engagement, an AI system, a website, or a product — we'll point you to the right lane.