Skip to content

Case Studies

Real engagements,
real findings

Every engagement is confidential, so the case studies below are anonymized to sector and engagement type. The work, the findings, and the outcomes are real.

12,000+

Employees phishing-tested

6

Engagements profiled

Critical

Fixed mid-engagement

100%

Include a free retest

Social Engineering & Phishing

Testing the human layer

Phishing, voice phishing, and multi-channel campaigns run the way a real adversary would, measuring susceptibility, credential exposure, and how well detection and reporting hold up.

Healthcare · Diagnostic Imaging

Organization-Wide Phishing Simulation

High risk

Challenge. A national diagnostic imaging provider needed to measure real-world phishing exposure across its entire workforce and confirm whether awareness and reporting controls held up at scale.

What we found

  • Over half the workforce was phish-prone; roughly a third clicked the link and a quarter entered credentials on the simulated capture page.
  • Most interaction happened within the first hours of delivery, so a real attack could have succeeded before anyone reacted.
  • Phishing-report rates were too low to meaningfully offset the exposure.

Outcome

Quantified credential-compromise risk across the whole organization and delivered a prioritized program of role-targeted awareness training, recurring simulations, and a faster, simpler reporting workflow.

11,800+

Employees targeted

53%

Phish-prone

24%

Entered credentials

Insurance

Email + Voice Social Engineering

Challenge. A specialty insurance carrier wanted to test employee resilience against a coordinated, multi-channel social-engineering attack, not email alone.

What we found

  • A targeted credential-phishing email impersonating the company SSO password-reset flow led 19 employees to submit their credentials.
  • A follow-on voice-phishing (vishing) campaign impersonating the IT help desk reinforced the email pretext; a subset of staff complied fully, including an executive assistant.
  • The email-plus-phone chain showed a credible path from initial lure to account takeover.

Outcome

Gave the security team a realistic multi-channel picture of susceptibility and a roadmap for help-desk identity-verification procedures and targeted training for high-exposure roles.

200

Email targets

19

Credential entries

2-channel

Attack simulated

Education · Higher Ed

Credential-Harvesting Phishing

Challenge. A private university needed to know whether a realistic, well-crafted campaign could bypass its email defenses and harvest staff single-sign-on credentials.

What we found

  • Using a seasonal pretext, an SSO look-alike domain, and abuse of a legitimate mail-platform send feature, the campaign reached inboxes and captured SSO credentials.
  • Roughly a quarter clicked and a fifth surrendered credentials, including several senior and executive staff.
  • Captured passwords followed weak, guessable patterns (season-and-year, organization name), compounding the risk.

Outcome

Demonstrated a credible path to SSO account takeover and drove improvements to email authentication (SPF/DKIM/DMARC), look-alike domain monitoring, password policy, and targeted training.

100+

Staff targeted

20%

Credentials captured

Exec

Accounts affected

Application Penetration Testing

Testing the applications

Manual-first testing of web applications and payment platforms, the authorization gaps, injection flaws, and business-logic weaknesses that automated scanning routinely misses.

HR & Payroll SaaS

Web Application Penetration Test

High risk

Challenge. A payroll and HR SaaS platform handling sensitive employee and financial data needed a deep, manual test of its web application, beyond what automated scanning could reach.

What we found

  • Critical: a file-inclusion flaw that let sensitive files be read from the server through the application.
  • High: stored cross-site scripting capable of session theft, insecure direct object references, and a vertical authorization bypass that let an administrator create or delete organization owners.
  • Session-handling weaknesses in the application’s token model rounded out the high-severity findings.

Outcome

Delivered a remediation plan sequenced by real business impact, critical and high findings first, with a complimentary retest to verify every fix.

28

Findings

1

Critical

5

High

Fintech · Marketplace & Payments

Web Application Penetration Test

High risk

Challenge. A fintech marketplace and payments platform needed assurance that its customer-facing application and payment flows could not be compromised.

What we found

  • Critical: a remote code execution vulnerability in the application’s web framework that could yield full server compromise, and was escalated urgently to the development team mid-engagement.
  • High: a server-side request forgery flaw reachable from the same framework, and a login flow with no rate limiting on either the password or the SMS one-time-code stage, enabling automated credential and OTP guessing.
  • The authentication gaps, combined with account-exposure findings, materially raised the odds of unauthorized access.

Outcome

The critical RCE was reported and remediated during the engagement via an emergency framework upgrade, which also closed the server-side request forgery, and the remaining findings were retested to confirmation.

1

Critical (RCE)

Mid-test

Critical remediated

2

High

Fintech · Digital Payments

Post-Incident Web App Assessment

Medium risk

Challenge. A digital payments provider needed an independent assessment of its back-office web application, including whether exploitable footholds remained in the wake of a security event.

What we found

  • Excessive data exposure: API responses leaked detailed transaction metadata, including precise geolocation, enabling real-world tracking of users.
  • User enumeration through login responses made valid-account guessing easier for an attacker.
  • Outdated TLS configuration weakened the protection of sensitive communications.

Outcome

Surfaced the exposure and hardening gaps, prioritized by how readily an attacker could chain them, and delivered fixes plus a retest to confirm closure.

8

Findings

3

Medium

Post-incident

Engagement

Confidential by default

We never tie specific findings to a named client. Each case study above is published with permission and stripped of any identifying detail. Where it helps your evaluation, we can arrange a confidential reference with a client in your own industry.