Skip to content

Case Study / Continuous VAPT program

A three-year continuous testing partnership

A developer assessment and hiring platform used by enterprises worldwide holds two things attackers want: sensitive candidate data and proprietary assessment content. Rather than annual point-in-time tests, the client committed to a continuous VAPT program — now running for three years.

Developer assessment platform · US

What we found

Candidate-record exposure

A directory-level file listing made sensitive candidate information potentially reachable without authorization.

CSRF on critical transactions

Several transaction endpoints operated without anti-forgery safeguards, permitting state-changing requests a victim never intended.

Markup injection

User inputs allowed arbitrary markup on key application pages — the classic path to session and content compromise.

Missing rate controls

Core functionality lacked request-volume controls, exposing it to automated abuse and enumeration.

Privilege escalation

Session-token validation and role mappings were misaligned, producing inconsistent privileges an attacker could exploit.

How we worked

Quarterly assessment cycles

Recurring testing synchronized with development milestones — new features get assessed when they ship, not a year later.

Hybrid coverage

Automated scanning for breadth, targeted manual testing for depth, and realistic internal/external attack simulations.

Business-impact triage

Regular risk-triage reviews translate technical findings into business-impact scores the client prioritizes against.

Developer enablement

Threat-modeling and secure-coding sessions run alongside testing — the same testers, teaching from the same findings.

What changed

  • A repeatable VAPT framework that scales with platform growth and each release.
  • Continuous visibility into emerging threats, shortening exposure windows.
  • Three years on: the same senior testers, deepening platform context, and findings trending down cycle over cycle.

Client identity is confidential by agreement. Findings are published with the client’s engagement anonymized; we never publish metrics we didn’t measure.

Ready to scope the work?

A 30-minute call with the engineers who will do the testing — not a sales gate.

Book a scoping call