Real vulnerabilities we found, the business impact they carried, and how they were fixed. All engagements anonymized — client names withheld to protect confidentiality.
Manual, exploit-driven testing that finds the bugs your last pentest missed — delivered fast, and priced so you can do it often. See the depth, the proof, and the client attestation.
Finding: During manual testing of object references, our researchers found that swapping a resource ID in an API request allowed authenticated users to read and modify resources belonging to other customer accounts. Because every response, authorized or not, returned 200 OK, scanners that key on status codes never flagged it.
Finding: An unsanitized Work Order title, rendered by a server-side PDF engine, let markup in the title drive attacker-controlled outbound requests from the backend (server-side request forgery).
Impact: Reach into internal services and the cloud metadata endpoint, plus denial of service of the export for every user.
Fix: Output encoding of the title, remote fetches disabled in the renderer, and egress allow-listing. Rated Critical (CVSS ~9.0).
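The three controls in that fix are easier to reason about side by side. The following is an added illustration, not the client's code and not the API of the PDF engine (which this page does not name): the raw-concatenation behaviour that lets a title carry live markup, the encoded version, and an egress policy of the kind a renderer's resource loader would consult before each fetch. The allow-listed host, the function names and the sample payload are assumptions.

```python
import html
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allow-list of hosts the renderer may fetch assets (fonts, logos) from.
ALLOWED_FETCH_HOSTS = {"assets.example.com"}


def build_work_order_html(title: str, escape: bool) -> str:
    """Build the HTML the PDF engine renders.
    escape=False reproduces the vulnerable concatenation: markup inside the
    title becomes live markup, so a title containing
    <img src="http://169.254.169.254/..."> makes the backend fetch that URL."""
    shown = html.escape(title, quote=True) if escape else title
    return f"<html><body><h1>Work Order: {shown}</h1></body></html>"


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses. Rejects RFC 1918
    ranges, loopback, link-local (cloud metadata sits at 169.254.169.254),
    multicast, reserved and unspecified addresses."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def fetch_allowed(url: str, remote_fetch_enabled: bool = False) -> bool:
    """Egress decision for one resource the renderer wants to load.
    Deny by default: remote fetching stays off unless the export genuinely
    needs it, and then only https to an allow-listed host. file:// and plain
    http never pass, nor does an IP literal that is not publicly routable."""
    if not remote_fetch_enabled:
        return False
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme != "https" or not host:
        return False
    if host not in ALLOWED_FETCH_HOSTS:
        return False
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        # A hostname passed the allow-list. In production, resolve it at fetch
        # time and re-check the resolved address with is_public_address() so a
        # rebinding DNS answer cannot point an allow-listed name at 169.254.x.x.
        return True
    return is_public_address(str(literal))
```

Encoding alone stops the markup injection, but the egress policy is what turns a future template bug from a metadata-credential leak into a failed fetch; the two are complementary, not alternatives.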
Finding: A missing server-side authorization check on the removeUser mutation let an Admin delete the highest-privileged Owner account.
Impact: Organization takeover and lock-out of legitimate administrators.
Fix: Role-hierarchy authorization enforced server-side, deny by default. Rated Critical (CVSS up to 9.6).
Finding: Swapping two user-controlled IDs let any authenticated user write into, and read back, another user's AI assistant conversation.
Impact: Cross-user message injection plus disclosure of the victim's existing messages.
Fix: Object-level ownership checks enforced at every hop of the reference chain. Rated High (CVSS ~7.6).
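The phrase "across the reference chain" is the part that matters in this finding and in the ID-swap finding at the top of the page: checking that the conversation belongs to the requester is not enough if the message ID is also attacker-controlled and is never tied back to that conversation. The code below is an added example, not the client's code; the store, the user and object IDs, and the function names are constructed for illustration.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the requester does not own every object on the reference chain."""


@dataclass
class Conversation:
    id: str
    owner_id: str


@dataclass
class Message:
    id: str
    conversation_id: str
    body: str


# Constructed sample store: two users, one assistant conversation each.
CONVERSATIONS = {
    "c-alice": Conversation("c-alice", owner_id="alice"),
    "c-bob": Conversation("c-bob", owner_id="bob"),
}
MESSAGES = {
    "m-1": Message("m-1", "c-alice", "how do I rotate my API key?"),
    "m-2": Message("m-2", "c-bob", "summarise my Q3 invoices"),
}


def conversation_view(conversation_id: str) -> list:
    """Bodies of every message in a conversation (what the API returns after a write)."""
    return [m.body for m in MESSAGES.values() if m.conversation_id == conversation_id]


def append_message_vulnerable(requester_id, conversation_id, message_id, text):
    """The broken pattern: both IDs come straight from the request and only
    existence is checked. requester_id is never consulted, so any authenticated
    user can write into, and read back, anyone else's conversation."""
    MESSAGES[message_id].body += "\n" + text
    return conversation_view(conversation_id)


def owns_chain(requester_id, conversation_id, message_id) -> bool:
    """Walk requester -> conversation -> message and demand ownership at every
    hop. Deny by default: a missing object and another user's object both
    yield False, so a caller cannot tell valid foreign IDs from invalid ones."""
    conv = CONVERSATIONS.get(conversation_id)
    if conv is None or conv.owner_id != requester_id:
        return False
    msg = MESSAGES.get(message_id)
    if msg is None or msg.conversation_id != conv.id:
        return False
    return True


def append_message_secure(requester_id, conversation_id, message_id, text):
    """Same operation with the chain check in front of both the write and the read-back."""
    if not owns_chain(requester_id, conversation_id, message_id):
        raise Forbidden("not found")  # identical response for missing and foreign objects
    MESSAGES[message_id].body += "\n" + text
    return conversation_view(conversation_id)
```

The second hop is the one that gets skipped in practice: a requester who legitimately owns conversation c-alice must still be refused when the message ID points into c-bob, and the check must run before the read-back as well as before the write.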
Finding: SQL injection and stored XSS in customer-facing flows, reachable before authentication.
Impact: Potential customer data leakage and session hijacking.
Fix: Parameterized queries and context-aware output encoding applied; posture measurably improved.
Finding: Lower-privileged users could perform admin actions by calling the API directly rather than through the UI.
Impact: Complete role-hierarchy bypass.
Fix: Server-side RBAC validation added; confirmed fixed on retest.
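Both this finding and the removeUser one above come down to a resolver that trusts the client to have hidden the button. The example below is added here for illustration and is not the client's code or their GraphQL schema: a minimal role ladder, the vulnerable resolver that only checks "is the actor at least an Admin", and a replacement where every path that is not an explicit allow is a deny. Role names, user IDs and function names are assumptions.

```python
from enum import IntEnum


class Role(IntEnum):
    MEMBER = 1
    ADMIN = 2
    OWNER = 3


class Forbidden(Exception):
    pass


def sample_org() -> dict:
    """Constructed sample membership table: user id -> role."""
    return {
        "owner@example": Role.OWNER,
        "admin@example": Role.ADMIN,
        "ops@example": Role.ADMIN,
        "dev@example": Role.MEMBER,
    }


def remove_user_vulnerable(actor: str, target: str, members: dict) -> None:
    """The broken resolver. The UI hides the button for Owners, and the server
    only checks that the actor is at least an Admin. The target's role is never
    compared with the actor's, so an Admin can delete the Owner."""
    if members.get(actor, Role.MEMBER) < Role.ADMIN:
        raise Forbidden("admin required")
    members.pop(target, None)


def authorize_remove_user(actor: str, target: str, members: dict) -> bool:
    """Server-side role-hierarchy decision. Only two explicit allows exist;
    everything else (unknown actor or target, self-removal, peers, upward
    removal) falls through to the deny at the bottom."""
    actor_role = members.get(actor)
    target_role = members.get(target)
    if actor_role is None or target_role is None or actor == target:
        return False
    # Allow 1: an Admin or Owner may remove anyone strictly below their own role.
    if actor_role >= Role.ADMIN and actor_role > target_role:
        return True
    # Allow 2: an Owner may remove a peer Owner. The acting Owner remains, so the
    # organization is never left without an Owner.
    if actor_role == Role.OWNER and target_role == Role.OWNER:
        return True
    return False


def remove_user_secure(actor: str, target: str, members: dict) -> None:
    """The hardened resolver: the decision lives server-side, next to the mutation."""
    if not authorize_remove_user(actor, target, members):
        raise Forbidden("not permitted")
    del members[target]
```

The shape to look for on review is a boolean function with a single `return False` at the end and nothing but explicit allows above it; a resolver that starts from "allowed" and subtracts cases is where the Admin-deletes-Owner gap comes from.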
Finding: A publicly readable storage bucket and an over-permissive IAM role chained into admin-level account access.
Impact: Full cloud-account compromise path.
Fix: Bucket policies locked down and IAM roles right-sized; escalation path eliminated.
Finding: Session tokens and PII stored unencrypted on the device, recoverable from a lost or rooted phone.
Impact: Account takeover from physical device access.
Fix: Keychain/Keystore storage and certificate pinning adopted; validated on retest.
Finding: A business-logic flaw allowed restricted actions on workflows before they were published.
Impact: Unauthorized access to unpublished workflows and pre-release functionality.
Fix: Access control enforced at the API level; validated on retest.
Engagement: Launched a bug bounty program from scratch: scoping, researcher onboarding, and full triage.
Challenge: No internal capacity to handle researcher reports and duplicates.
Result: 100+ valid vulnerabilities reported within the first 3 months.
All engagement details anonymized to protect client confidentiality. References available on request under NDA.
Find them before attackers do — expert pentesting, Chazer AI, and live portal reporting.