Proof of Impact

Case Studies

Real findings from authorized penetration testing engagements. These case studies show how individual weaknesses chain together into critical attack paths - the kind automated scanners never find.

More case studies coming soon. Detailed write-ups from recent HIPAA, SOC 2, and cloud security engagements are being prepared for publication - with client consent and full anonymization where required. Request a sample report →
CRITICAL HIPAA

IDOR on Patient Records — Healthcare SaaS Platform

Industry: Healthcare SaaS  ·  Scope: Web Application + API  ·  Duration: 5 days active testing

A telehealth platform handling protected health information (ePHI) engaged us for a HIPAA §164.308(a)(8) technical evaluation ahead of a payer contract that required a compliance audit. Their scanner had found zero critical issues two months prior.

What We Found

The patient record API used sequential integer IDs with no object-level authorization check. Authenticated users could access any patient record by incrementing the patient_id parameter — regardless of whether that patient was assigned to their account.

We validated access to 847 test records across 3 user accounts without triggering any rate limiting, alerting, or access denial. A real attacker with one valid account could enumerate the entire patient database.

HIPAA Impact

Unauthenticated access to ePHI constitutes a reportable breach under HIPAA. OCR investigations for similar violations have resulted in settlements ranging from $100K to $1.9M. The payer audit would have failed immediately on CC6.1.

Attack Chain

Login as low-privilege user → enumerate patient IDs via API endpoint GET /api/v2/patients/{id} → access full name, DOB, diagnosis codes, and insurance information for any patient → no rate limiting, no alerting triggered.

Remediation

Implement server-side authorization check on every patient record request: verify the requesting user has an active care relationship with the requested patient_id before returning data. Add request logging and alerting on cross-account access patterns. Retest confirmed fix in 3 days.

CVSS: 9.1 Critical OWASP: API1:2023 – BOLA Retest: Passed
CLOUD PCI DSS

AWS Privilege Escalation to Account Admin — Fintech Payments Platform

Industry: Fintech / Payments  ·  Scope: AWS Cloud + Internal API  ·  Duration: 6 days active testing

A payment processing startup preparing for PCI DSS certification engaged us for a cloud penetration test. Their AWS environment had been running for 18 months. No prior external security assessment had been conducted.

What We Found

A developer IAM user had iam:PassRole and lambda:CreateFunction permissions. We used this to create a Lambda function, pass it a role with admin-level permissions, and execute code with full AWS account access — from a role that should only have had read access to a single S3 bucket.

The escalation from low-privilege developer to account admin took under 8 minutes and left no meaningful CloudTrail evidence visible to their existing alerting rules.

PCI DSS Impact

PCI DSS Requirement 7.2 requires access to cardholder data environments to follow least-privilege. An attacker with developer account credentials could have accessed the cardholder data store with admin privileges. QSA review would have failed on Requirements 7 and 11.

Attack Chain

Compromised developer credentials (simulated) → lambda:CreateFunction + iam:PassRole → deploy Lambda with admin-attached role → invoke function → full account access including cardholder data S3 bucket and RDS instance.

Remediation

Remove iam:PassRole from developer roles. Implement IAM permission boundaries on all non-admin users. Enable CloudTrail alerting for lambda:CreateFunction and iam:AttachRolePolicy events. Retest confirmed no escalation path remained.

CVSS: 9.6 Critical MITRE: T1078 – Valid Accounts Retest: Passed
AI CRITICAL

AI Safety Bypass and Cross-User Data Leakage — Production LLM Platform

Industry: AI Platform  ·  Scope: LLM Application + API  ·  Duration: 4 days active testing

An enterprise AI platform integrating a third-party LLM API engaged us to test their system before a Series A due diligence security review. They believed their prompt hardening was sufficient. It wasn't.

What We Found

Using indirect prompt injection through a document upload feature, we caused the model to exfiltrate the system prompt to the attacker. The system prompt contained internal API keys, customer database schema, and instructions that revealed the platform's internal architecture.

Separately, we found that conversation context from one user's session persisted into another user's session under specific race conditions — allowing one user to read another user's previous conversation history including submitted documents.

Business Impact

System prompt exfiltration exposed internal API keys that had production database access. The session persistence bug allowed cross-user data leakage affecting enterprise customers' confidential documents. Both would have been material findings in any SOC 2 audit.

Attack Chain

Upload document with embedded instruction → instruction injected into LLM context → model exfiltrates system prompt to attacker-controlled output field → extract API keys → use keys to access production database.

Remediation

Remove secrets from system prompts. Implement output filtering for prompt exfiltration patterns. Fix session isolation at the application layer before LLM context construction. Retest confirmed both attack vectors were closed.

OWASP LLM: LLM01 – Prompt Injection Retest: Passed

How Our Case Studies Are Built

Authorized Scope

All findings are derived from explicitly authorized penetration testing engagements with defined scope and rules of engagement.

Attack-Path Focused

We prioritize real-world attack chains rather than isolated vulnerabilities or automated scanner output. Every finding is manually verified.

Actionable Outcomes

Each case study highlights root causes, impact, and remediation guidance relevant to engineering teams.

Ready to Find Your Vulnerabilities?

Every organization has attack paths they don't know about. Let us find yours before an attacker does.


Get a Free Consultation Download Sample Report