Real-world security scenarios
Illustrative scenarios based on typical security problems we encounter. Client names are anonymized to protect our clients.
Webshop with vulnerable checkout
The challenge
A growing webshop processes hundreds of payments daily. The owner suspects problems with checkout security but doesn't know where to start. A customer payment data breach would be catastrophic for trust and GDPR compliance.
Our approach
We conducted a web application pentest focused on the checkout flow, payment integrations and customer accounts. We tested for business logic flaws, price manipulation, insecure direct object references and CSRF attacks.
Findings
- Price manipulation possible via parameter tampering
- Insufficient validation of coupon codes
- Session tokens not properly invalidated after logout
- Customer orders of other users visible via IDOR
Result
After an intensive re-test, all critical and high vulnerabilities were resolved. The webshop is now compliant with PCI DSS guidelines and the owner confidently launched a new marketing campaign.
SMB with weak password policy
The challenge
An accounting firm with 25 employees has never actively thought about cybersecurity. After an incident at a colleague firm, they decide to take action before it's too late.
Our approach
We conducted an internal network assessment combined with a phishing simulation and password audit. We also tested the Microsoft 365 environment and remote access security.
Findings
- 73% of employees clicked on the phishing simulation
- Multiple accounts used variations of 'CompanyName2023'
- No MFA active on critical systems
- Two former employees still had active accounts
Result
MFA was activated on all systems, a password manager introduced and all employees received awareness training. In a re-test 3 months later, only 8% clicked on phishing.
SaaS platform with API leak
The challenge
A SaaS company is launching a new platform with a RESTful API. They want to ensure the API is secure before public launch. A leak would cost their reputation and enterprise clients.
Our approach
Full API security test including authentication flows, rate limiting, data exposure analysis and privilege escalation tests. We systematically tested all endpoints.
Findings
- API returned sensitive user data in error messages
- No rate limiting on authentication endpoints (brute force possible)
- JWT tokens could be manipulated via weak signing key
- Admin endpoints not adequately protected via RBAC
Result
All critical findings were resolved before launch. The platform launched without security incidents and the CTO reported increased trust with enterprise clients.
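The JWT finding above comes down to how the API validates tokens. The following is an added example, not code from the original page or from the platform described: a minimal HS256 issuer and verifier in plain Python (stdlib only) that pins the algorithm, uses a 32-byte random key, compares signatures in constant time and enforces expiry. The key, the claims and the helper that simulates a token altered in transit are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed signing key: 32 random bytes for HS256. A short, guessable string
# here is the "weak signing key" finding, because anyone who recovers it can
# mint tokens with whatever claims they like.
SIGNING_KEY = secrets.token_bytes(32)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Create an HS256 JWT over the given claims (the caller supplies 'exp')."""
    signing_input = _encode_json({"alg": "HS256", "typ": "JWT"}) + "." + _encode_json(claims)
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_token(token: str, key: bytes = SIGNING_KEY, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is valid, otherwise None.

    Defensive points: the algorithm is pinned to HS256 (an 'alg' of 'none' or
    anything else in the header is rejected), the signature is compared in
    constant time, and 'exp' is mandatory and enforced.
    """
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = _b64url_decode(payload_b64)
        presented = _b64url_decode(signature_b64)
    except ValueError:  # wrong segment count, bad base64 or malformed JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    current = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or current >= exp:
        return None
    return claims


def altered_payload(token: str, **changes) -> str:
    """Constructed test helper: rewrite claims in the payload segment while
    keeping the original signature, i.e. a token modified in transit. The
    verifier must reject the result."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims.update(changes)
    return header_b64 + "." + _encode_json(claims) + "." + signature_b64
```

The same verifier also covers the RBAC finding indirectly: a role claim is only trustworthy when the signature check that protects it cannot be bypassed, so admin endpoints should read roles from verified claims and never from the unverified payload.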
Company susceptible to phishing
The challenge
A financial advisory company receives increasingly suspicious emails. They want to know how well their employees are protected and if their email infrastructure is correctly configured.
Our approach
Multi-phase phishing campaign with different scenarios: CEO fraud, IT helpdesk impersonation and fake invoices. Combined with an email security audit (SPF, DKIM, DMARC).
Findings
- DMARC not configured — domain could be spoofed
- 62% of employees opened the phishing email
- 28% entered credentials on the fake login page
- No procedure for reporting suspicious emails
Result
DMARC, SPF and DKIM were correctly configured. Awareness training for all employees. Re-test showed only 6% clicked on phishing — a 90% reduction.
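To make the DMARC/SPF part of this scenario concrete, here is an added example (not code from the original page or from the audit described) that evaluates a domain's published TXT records the way the email security audit would. The DNS lookup is stubbed with constructed records for two placeholder domains: a "before" state with soft-fail SPF and no DMARC, and an "after" state with hard-fail SPF and a rejecting DMARC policy. In production the dictionary would be replaced by a real resolver query.

```python
from typing import Dict, List

# Constructed DNS TXT answers for two fictional domains, standing in for a real
# lookup. Names are placeholders, not client domains.
DNS_TXT: Dict[str, List[str]] = {
    # "Before" state from the findings: SPF only soft-fails, no DMARC record at all.
    "before.example": ["v=spf1 include:spf.protection.outlook.com ~all"],
    # "After" state: SPF hard-fails and DMARC rejects mail that fails alignment.
    "after.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.after.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@after.example; adkim=s; aspf=s"
    ],
}


def parse_tags(record: str) -> Dict[str, str]:
    """Split DMARC 'k=v; k2=v2' syntax into a dict (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain: str, txt: Dict[str, List[str]] = DNS_TXT) -> dict:
    """Report SPF/DMARC posture. 'enforced' means a DMARC-aware receiver will
    quarantine or reject mail that fails alignment, so the domain cannot simply
    be spoofed from any host."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no record published")
    elif len(spf) > 1:
        findings.append("SPF: multiple records published, receivers treat this as a permanent error")
    else:
        terms = spf[0].split()
        if "+all" in terms or "all" in terms:  # bare 'all' means '+all'
            findings.append("SPF: '+all' authorises every host to send as this domain")
        elif "~all" in terms:
            findings.append("SPF: '~all' only soft-fails unknown senders")
        elif "-all" not in terms:
            findings.append("SPF: no 'all' mechanism, unknown senders get a neutral result")

    dmarc_records = [r for r in txt.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    policy = None
    if not dmarc_records:
        findings.append("DMARC: no record, receivers will not reject spoofed mail")
    else:
        tags = parse_tags(dmarc_records[0])
        policy = tags.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: policy 'p={policy or 'missing'}' is monitor-only")
        if "rua" not in tags:
            findings.append("DMARC: no 'rua' address, aggregate reports are not collected")
        pct = tags.get("pct", "100")
        if pct != "100":
            findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")

    return {
        "domain": domain,
        "spf": spf[0] if len(spf) == 1 else None,
        "dmarc_policy": policy,
        "enforced": policy in ("quarantine", "reject"),
        "findings": findings,
    }
```

Running `assess_domain("before.example")` reproduces the "domain could be spoofed" finding (no DMARC record, soft-fail SPF), while `assess_domain("after.example")` returns no findings and `enforced: True`. DKIM is deliberately left out: its selector records live under `<selector>._domainkey.<domain>` and the selector names are not known without inspecting real mail headers.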
Cloud environment with incorrect permissions
The challenge
A scale-up has its entire infrastructure in AWS but has never had a security review. During an internal audit, they suspect publicly accessible S3 buckets.
Our approach
Full AWS cloud security review based on CIS Benchmark. Analysis of IAM roles, S3 bucket policies, security groups, CloudTrail and GuardDuty configuration.
Findings
- 3 S3 buckets publicly accessible with customer data
- Multiple IAM users with overly broad permissions
- CloudTrail logging not active in all regions
- Secrets hardcoded in Lambda functions
Result
All public buckets were secured. IAM permissions scoped down to least privilege. Secrets moved into Secrets Manager. CloudTrail active in all regions. Data breach risk completely eliminated.
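The first two findings in this scenario, public buckets and overly broad IAM permissions, are both visible in policy documents. The following is an added example, not code from the original page or from the review described, that checks policy JSON for the two patterns: an Allow statement granted to the anonymous principal, and an Allow statement pairing a wildcard action with a wildcard resource. The four policy documents are constructed for the demonstration (the account id is the AWS documentation placeholder, the bucket name is fictional); in a real review they would come from the S3 and IAM APIs.

```python
import json
from typing import List, Tuple

# Constructed policy documents. Bucket name and account id are placeholders.
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::customer-exports/*",
    }],
})

LOCKED_DOWN_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReportReaderOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/report-reader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::customer-exports/*",
    }, {
        # A Deny to everyone is fine: it only ever removes access.
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::customer-exports", "arn:aws:s3:::customer-exports/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

BROAD_IAM_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

SCOPED_IAM_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadExportsOnly",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::customer-exports", "arn:aws:s3:::customer-exports/*"],
    }],
})


def _as_list(value) -> list:
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal) -> bool:
    """True for the anonymous principal, written as "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy_json: str) -> List[Tuple[str, str]]:
    """Allow statements granted to anyone. Unconditional ones are 'public';
    conditioned ones are 'review', because a condition may or may not narrow
    the audience (aws:SourceIp does, aws:SecureTransport does not)."""
    results = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement-{i}")
        results.append((sid, "review" if stmt.get("Condition") else "public"))
    return results


def wildcard_statements(policy_json: str) -> List[str]:
    """Allow statements that pair a wildcard action ("*" or "service:*") with
    Resource "*": the 'overly broad permissions' pattern."""
    flagged = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            flagged.append(stmt.get("Sid", f"statement-{i}"))
    return flagged
```

A bucket policy is only one of several ways an S3 bucket becomes public (ACLs and the account-level Block Public Access setting matter too), so this check is a first pass over policy text rather than a complete public-access determination.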