Candidate-record exposure
A directory-level file listing made sensitive candidate information potentially reachable without authorization.
Case Study / Continuous VAPT program
A developer assessment and hiring platform used by enterprises worldwide holds two things attackers want: sensitive candidate data and proprietary assessment content. Rather than annual point-in-time tests, the client committed to a continuous VAPT program — now running for three years.
Developer assessment platform · US
A directory-level file listing made sensitive candidate information potentially reachable without authorization.
Several transaction endpoints operated without anti-forgery safeguards, permitting state-changing requests a victim never intended.
User inputs allowed arbitrary markup on key application pages — the classic path to session and content compromise.
Core functionality lacked request-volume controls, exposing it to automated abuse and enumeration.
Session-token validation and role mappings were misaligned, producing inconsistent privileges an attacker could exploit.
Recurring testing synchronized with development milestones — new features get assessed when they ship, not a year later.
Automated scanning for breadth, targeted manual testing for depth, and realistic internal/external attack simulations.
Regular risk-triage reviews translate technical findings into business-impact scores the client prioritizes against.
Threat-modeling and secure-coding sessions run alongside testing — the same testers, teaching from the same findings.
Client identity is confidential by agreement. Findings are published with the client’s engagement anonymized; we never publish metrics we didn’t measure.
A 30-minute call with the engineers who will do the testing — not a sales gate.