Documented Cases

What Hides in Production Environments

Senior penetration testers with Offensive Security Certified Professional (OSCP), GIAC Penetration Tester (GPEN), and Certified Information Systems Security Professional (CISSP) credentials ran every engagement on this page. The team manually identified each exposure, built full attack narratives, mapped business impact, and stayed through remediation.

Who Runs Every Engagement
The same senior penetration tester who scopes your engagement runs it through final debrief, start to finish.
How We Deliver
AI accelerates assessment and analysis. The senior practitioner running the engagement validates every result and makes every call.
What You Receive
Every engagement delivers three reports: the Risk Impact Brief for your board, the Technical Pentest Report for your security team, and an Attestation Letter at closeout.
Case files

Documented Vulnerabilities From Recent Engagements

These cases shaped remediation priorities, changed board conversations, and in several cases closed exposures that organizations had missed for months.

Note: Client details anonymized.

CASE 0xA7 | Critical
Healthcare / Azure
Patient records exposed to the public internet for 18 months.
A single misconfigured Azure storage container sat open throughout 18 months of monthly automated scans. Our penetration testing team identified it manually in the first week of the engagement.
Cloud storage, Misconfiguration, PHI exposure
Found in week one, by hand | CVSS 9.8

CASE 0xC2 | Critical
Financial services / AD
Help desk login to domain admin in four steps.
A chain of misconfigured group policies and an unconstrained delegation. No security alert fired at any point along the path. The route was invisible to existing monitoring.
Active Directory, Privilege escalation, Lateral movement
Full attack path documented | CVSS 9.1

CASE 0xF9 | High
SaaS platform / API
Every customer record reachable by changing one number.
A broken object-level authorization flaw in a REST API. The platform had passed a SOC 2 audit three months prior. No access log anomaly indicated the data was being accessed incorrectly.
BOLA / IDOR, API authorization, Data exposure
Reproduced and proven | CVSS 8.6

CASE 0xD4 | High
Technology / AWS
IAM role chaining from a developer account to full S3 read access across the organization.
Over-permissioned cross-account trust relationship between a CI/CD pipeline role and production accounts. Not flagged by any automated IAM review tool during the prior three quarters.
IAM, Cross-account, AWS
Remediated and retested | CVSS 8.1

CASE 0xE1 | High
Enterprise / AI platform
Prompt injection allowing arbitrary tool invocation via a customer-facing AI assistant.
An agent connected to internal knowledge bases and productivity tools accepted crafted inputs that redirected tool calls outside their intended scope. No automated testing covered this surface.
Prompt injection, AI agent, Tool abuse
Novel technique documented | CVSS 7.9

CASE 0xB8 | Medium
Healthcare / Salesforce
Salesforce sharing model exposing records across business units due to incorrect role hierarchy configuration.
Records owned by one business unit were accessible to users in another through a gap in the org-wide default and sharing rule configuration. Sat undetected through two annual compliance cycles.
Salesforce, Access control, Data exposure
Platform advisory applied | CVSS 6.4

Why Manual Testing Matters

Manual Testing Found Every Critical Exposure on This Page

90% of engagements since 2023 surfaced a critical risk existing tooling missed
18 months: longest critical exposure undetected in a production environment
4 steps: shortest path from help desk credentials to domain administrator
Scanners find known problems. Attackers create new ones.
A scanner confirms whether a known vulnerability exists. Reaching your most critical systems requires chaining vulnerabilities together the way an attacker would. That thinking comes from senior practitioners who have mapped the same patterns across hundreds of real environments.
Every engagement runs manual first. AI accelerates reconnaissance and initial analysis. Senior penetration testers chain the attack path, document every result, and deliver two reports: a board-ready Risk Impact Brief and a Technical Pentest Report your security team acts on directly.
OSCP certified, GPEN certified, CISSP certified, CREST Certified Testers (CRT/CCT)

Severity Rating

Every Risk Rated Against Your Specific Environment

Every risk carries a CVSS v3.1 score, adjusted with environmental metrics for your specific environment. Business impact sits alongside technical severity so your security team and leadership align on remediation priorities based on real organizational risk.

Medium
Score 4.0 to 6.9
A real risk that requires attention within a defined timeframe. Often involves configuration hardening, access control improvements, or process changes. Left unaddressed, medium vulnerabilities frequently become the entry points that enable higher severity attacks down the line.
High
Score 7.0 to 8.9
A clear path to exploitation exists, with significant business impact. Documentation covers the full attack chain, business risk context, and a specific remediation path so your security team can act within the current sprint cycle.
Critical
Score 9.0 to 10.0
An attacker can exploit this vulnerability immediately with direct impact on your business operations, data, or reputation. Documentation covers full proof of concept evidence and the blast radius, with a board-ready impact summary so your leadership understands the exposure before the next business cycle.
What You Receive

Every Engagement Closes with a Complete Report Package

Every engagement delivers three reports. The Risk Impact Brief gives your leadership the business context to make decisions. The Technical Pentest Report gives your security team the details to start remediation. The Attestation Letter gives your auditors and customers proof the test was completed. All three ship at the close of every engagement.

[Sample report graphic: Risk Impact Brief, Executive Level. Sections: Executive summary; Risk posture (Critical 3, High 7, Medium 12); Business impact.]

For the board and leadership
Risk Impact Brief
We design this report for the board. The penetration testing team documents every result with business exposure, organizational impact, and clear remediation priorities so leadership can make informed decisions immediately.
Business impact assessment per critical exposure
Organizational risk posture at a glance
Remediation priorities ranked by business risk
Audit-ready evidence mapped to compliance frameworks

[Sample report graphic: Pentest Report, Practitioner Level. Sections: Finding detail (CRITICAL); Steps to reproduce; Remediation path; References (CVE-2023- CWE-639).]

For engineering and security teams
Technical Findings Report
Every vulnerability comes with full technical detail, reproduction steps, and proof of concept evidence. The penetration testing team adds a specific remediation path for each one so the security team can act the same day the report lands.
Full attack narrative per documented case
Reproduction steps with proof of concept
CVSS scored against your environment
Remediation tied to your stack
How We Build Every Case

The Methodology Behind Every Case File

Senior penetration testers form a hypothesis about how an attacker would move through your environment before running a single test. These six steps show how every case moves from that initial hypothesis to a documented, proven, and closed risk.

Methodology
01. Attack Hypothesis

The senior penetration tester starts by asking how an attacker would approach your environment. AI accelerates this phase by surfacing patterns across large environments quickly. The practitioner then forms a specific, testable hypothesis before touching anything.

02. Manual Validation

Every hypothesis runs through manual testing against your live environment. The penetration testing team examines each behavior for real, proven exploitability. The senior practitioner running the engagement makes every call.

03. Impact Demonstration

Proving impact comes before documenting anything. Our penetration testing team builds working proof of concept evidence the security team can reproduce and leadership can understand.

04. Severity Assessment

Every vulnerability scores against your specific environment using CVSS environmental metrics. Business impact sits alongside technical severity so remediation priorities reflect real organizational risk. 

05. Remediation Guidance

A specific remediation path ties to your environment and stack. The penetration testing team addresses the exact conditions that made the vulnerability exploitable.

06. Retest and Closure

Once your team completes remediation, the penetration testing team retests every vulnerability to confirm the fix holds. The engagement closes with an attestation letter confirming every in-scope vulnerability was retested and verified as remediated or formally risk accepted.
