Case studies

Engagements, anonymized

Real projects, real outcomes. Names and specifics are scrubbed. The findings and methodology are not.

Pentest Web + API 3 weeks

Fintech startup preparing for ISO 27001

Context

Mid-size fintech preparing for ISO 27001 certification. Previous vendor pentest came back with scanner output and a glossy PDF. Auditor flagged the report as insufficient.

Scope

Customer-facing web app, internal admin dashboard, REST API handling payment flows. Authenticated + unauthenticated perspectives.

Findings

  • 2 critical — authentication bypass via case-sensitivity + broken access control on admin endpoints
  • 3 high — IDOR exposing payment metadata, stored XSS in internal dashboard, SSRF in attachment upload
  • 3 medium + several info-level — missing rate limits, verbose error disclosure, predictable session tokens

Outcome

All critical + high findings fixed within 2 weeks. Retest confirmed remediation. Client passed ISO 27001 audit on first attempt. Dev team now runs an internal recurring security review based on the methodology I walked them through.

Pentest API + multi-tenant 2 weeks

B2B SaaS pre-launch API review

Context

B2B SaaS with multi-tenant architecture about to ship a public API. The team wanted a hardening pass focused on tenant isolation before onboarding enterprise customers.

Scope

REST API (~80 endpoints), OAuth 2.0 token flows, two tenant accounts created for cross-tenant testing.

Findings

  • 1 critical — cross-tenant data read via predictable object IDs (classic IDOR)
  • 2 high — OAuth scope escalation through a token-refresh race condition; admin action log filterable by other tenants' users
  • 4 medium — missing authorization on 3 lesser-used endpoints, weak UUID generator for invite tokens

Outcome

Critical + highs fixed pre-launch. Added authorization middleware with automated cross-tenant tests to CI. Public API shipped on schedule; no tenant-isolation incidents in the 8 months since.

LLM red team GenAI assistant 1 week

Customer-facing GenAI assistant red team

Context

SaaS platform shipping an LLM-powered assistant to customers. Grounded on internal RAG with access to account data. Concern: prompt injection, system-prompt leak, cross-account data exposure.

Scope

Assistant UI + backend tool calls + RAG retrieval. Two customer accounts created for cross-account testing.

Findings

  • System prompt fully extractable via indirect prompt injection through user-uploaded documents
  • Tool call abuse — assistant could be coerced to call an internal admin function never meant to be user-exposed
  • Cross-account data leak — RAG retrieved chunks from a different customer's context when a specific multi-step prompt was used
  • Output filter bypass via encoding tricks (base64, homoglyphs)

Outcome

Launch delayed 2 weeks to fix the cross-account leak. Input sanitization and output filters rewritten. Tool-call allowlist tightened. Team now runs an internal LLM red-team checklist before every feature release.

CVE research WordPress plugin Public disclosure

CVE-2025-3769 — IDOR in a WordPress plugin with 100K installs

Context

Independent vulnerability research against widely-deployed WordPress plugins. Target: LatePoint, a booking plugin with 100,000+ active installs.

Approach

Source code audit. Traced the plugin's custom ACL system to an AJAX handler that rendered booking details without checking ownership of the booking ID.

Findings

  • IDOR (CWE-639) allowing any registered customer to read any booking in the database: name, email, appointment time, service
  • Same pattern missing in two sibling functions in the same file

Outcome

Coordinated disclosure through Wordfence. Patch shipped in 5.1.93, 4 weeks from report to public CVE. Full writeup on the blog.

Read the writeup → CVE entry →

Want something like this for your team?

Every engagement is scoped to your stack and your questions. Let's talk.

Book free scoping call →