PentStark
Case studies

Engagements, redacted for our customers. Metrics first.

Full write-ups available under NDA during the sales process. The summaries below are what we're comfortable publishing.

Featured engagement
Fintech · Payments

Identified a multi-tenant isolation flaw and three payment-rail abuse paths before their SOC 2 Type II window closed. Retainer continued as continuous pentesting.

Series-C payments platform · Asia-Pacific
14 findings delivered · 6 wks kickoff to remediation · 0 regressions post-fix · 100% auditor acceptance

Context

The customer processes ~$4B annually across UPI, card, and wire rails. A SOC 2 Type II audit was five weeks out. Their in-house security team was two engineers, both embedded in the payments product.

Engagement shape

A single-sprint PTaaS engagement with live findings, daily Slack syncs, and grey-box access to three critical services. Scope: the merchant API, the webhook signing service, and the reconciliation job runner.

What we found

A cross-tenant invoice read via a predictable object reference (BOLA). Two separate webhook-replay flaws. A reconciliation double-processing flaw that let the same SKU be charged back twice. None of the three were visible to SAST or scanners — they were business-logic chains.

Outcome

14 findings opened. 0 regressed after fix. SOC 2 evidence package accepted by the auditor with zero follow-ups on the tested scope. Customer converted to a continuous retainer on week six.

Tags: PTaaS · SOC 2 · Multi-tenant · Payment rail

More engagements

Healthcare · EHR SaaS

Red teamed a HIPAA-regulated EHR platform across external, phishing, and cloud tenancy objectives.

Assume-breach engagement against a 200-clinic EHR. Objective: crown-jewel PHI read. We reached it via two independent paths — one through phishing-to-OAuth-consent, one through an S3 bucket misconfiguration chained with an IAM role trust flaw. Purple team workshop closed 12 detection gaps the SOC had marked as 'covered'.

4/5 objectives achieved · 12 detection gaps closed · 62% MTTD reduction post-purple

Tags: Red team · HIPAA · Purple team

AI · Agent platform

LLM red team uncovered prompt-injection + tool-use escalation on an agentic coding product.

The product was an agentic IDE assistant with shell-exec tool-use. We found eight novel exploit chains: three via indirect prompt injection in shared repo docs, two via agent-to-agent trust abuse in multi-agent mode, and three via RAG context poisoning. The customer now ships the eval suite we built in CI.

8 novel exploit chains · 3 CVE-class findings · 100% reproducible in CI eval

Tags: AI/LLM · Agent security · CI eval

SaaS · Developer tooling

Continuous pentesting retainer for a fast-shipping devtools company closing a large F500 deal.

The enterprise-security questionnaire from a Fortune 500 buyer was the forcing function. We stood up the retainer in ten days, delivered a signed report the buyer accepted as-is, and have retested every merge to main since. Deal closed in 45 days.

10d kickoff to report · 45d F500 deal closed · 1 continuous retainer

Tags: PTaaS · SaaS · Enterprise sales unblock

Cloud · Multi-tenant SaaS

Cloud security review exposed a privilege-escalation path across 14 AWS accounts.

The customer had assumed least-privilege via dozens of role-chained cross-account trusts. We mapped the full graph with cloudfox and Principal Mapper, found a single service-linked role that could hop from a non-prod account into a prod data-plane role via a forgotten trust policy, and shipped a policy-as-code baseline that now catches regressions at PR time.

14 AWS accounts mapped · 1 cross-account priv-esc path · 100% policy-as-code coverage

Tags: Cloud · AWS · Policy-as-code

Talk to an operator

Your next finding is one scoping call away.

Thirty minutes with a real operator tells us what you need and what we can deliver. No BDR handoff, no sales engineer theater — the person you talk to is the person who scopes the work.

Responses in < 1 business day