Case studies

What an engagement looks like, end to end.

Anonymized write-ups of recent engagements. Same structure each time: the situation that drove the test, what we found, and what changed for the team after the report landed.

Client names, dollar figures, and operational specifics are removed by default. References available after the scoping call.

Engagement write-ups

Engagement shapes shown range from late-seed startups through mid-market teams — the same engagement model applies at every size.

Series B fintech · San Francisco

SOC 2 evidence eight weeks out, no current pentest.

The problem

Annual SOC 2 Type II audit window opened in eight weeks. The auditor's control list expected a current penetration test report against the production environment. The prior year's report was stale and the previous vendor had moved off the work.

What we found

A cross-tenant authorization gap in the core ledger API: a low-privileged role on one tenant could enumerate transaction metadata across other tenants by guessing the resource path. Two medium-severity findings on session handling and a verbose error path that leaked internal identifiers. No critical findings in the cloud account.

Outcome

Report delivered with SOC 2 trust-criteria mapping in week three. Engineering closed the cross-tenant issue inside one sprint; the retest the following week confirmed the fix. The auditor accepted the report at field-work kickoff with no evidence asks. SOC 2 control closed on first pass.

Mid-market healthcare SaaS · Northeast US

Enterprise prospect asked for a current pentest report at procurement.

The problem

A six-figure ARR prospect's procurement team flagged the security review as a gating step. Their questionnaire required a current third-party penetration test report and a remediation timeline for any unresolved high-severity findings. The team had no current report on file.

What we found

PII over-exposure on an admin endpoint that returned full patient records when only the displayed fields were intended for the role. Session-fixation weakness on the login flow that survived role transitions. A logging-pipeline misconfiguration that wrote PHI to an unencrypted application log during error states.

Outcome

Engagement scoped and delivered inside three weeks. Engineering remediated the high-severity findings within the first week of the report; the retest validated the fixes ahead of the prospect's security review. The report — with HIPAA safeguard mapping included — was shared with the prospect under NDA and accepted without rework. The deal moved to contract the same month.

Late-seed SaaS · San Francisco

Lead investor diligence asked about pentest cadence three weeks out.

The problem

A lead investor's Series A diligence packet included a security questionnaire that asked for the date of the team's most recent third-party penetration test and the cadence going forward. The team had never run a formal pentest. The diligence call was three weeks away.

What we found

An authentication bypass on an internal admin panel that was unintentionally reachable over a development subdomain. A handful of medium-severity issues in the public app: unscoped JSON Web Tokens that did not bind to a specific audience, and an insufficient rate limit on a password-reset endpoint. No findings in the cloud account configuration.

Outcome

Scoping call to delivered report in two and a half weeks. Critical finding was contained on the day it surfaced — the development subdomain was removed from public DNS within hours, and an interim mitigation was deployed before the report shipped. The team handed the lead investor a current report and a remediation timeline at diligence. The round closed on schedule; pentest cadence is now annual with a follow-up after every major release.

Want a credible answer to: are we secure?

A 30-minute review with our lead pentester. No slides, no pitch — we look at what you have, tell you what we would test first, and give you a fair scope and timeline.