Our Work

Case studies.

Real engagements, anonymized with client permission. Each case shows the vulnerabilities found, attack paths built, and business risk mitigated.

01 · Fintech · Web App + API VAPT
Authentication Bypass Exposing 40,000 User Financial Records
Web App · API · Auth Bypass · IDOR
The Challenge

A fintech startup preparing for Series A needed a security audit for investor due diligence. Their internal team had reviewed the codebase and found nothing. They came to us for a second opinion.

Critical Findings
CRITICAL: JWT auth bypass via algorithm confusion (RS256 → HS256) — any user account accessible by signing tokens with the public key
CRITICAL: IDOR in transaction endpoint — incrementing user_id exposed full financial records of all 40,000 users
HIGH: Mass assignment — injecting role=admin in JSON body elevated any account to admin
HIGH: SQL injection in legacy search endpoint bypassing WAF
MEDIUM: No rate limiting on OTP endpoint — brute-force bypass of two-factor authentication
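The first finding turns on one server-side decision: which algorithm verifies the token. The following is an added example, not FinVault or CyberSecPlus code, showing verification that pins the algorithm in configuration (HS256 with a constructed secret here; an RS256 service would pin "RS256" and its public key the same way) and also enforces the expiry claim that case 04 below found missing. The helper names and the `alg` override on `mint_token` are assumptions for illustration.

```python
# Added example (not FinVault or CyberSecPlus code): JWT verification that closes
# the algorithm-confusion and no-expiry findings. The algorithm is pinned in server
# config and the token header never chooses it; HS256 with a constructed secret.
import base64, hashlib, hmac, json, time

SERVER_ALG = "HS256"  # from configuration, never read from the token

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims: dict, secret: bytes, alg: str = SERVER_ALG) -> str:
    # `alg` is overridable only so a caller can build forged headers for testing.
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_token(token: str, secret: bytes, now: float = None) -> dict:
    """Return the claims, or raise ValueError. Nothing is trusted until every check passes."""
    try:
        h64, b64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(b64))
    except ValueError as e:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed token") from e
    # Algorithm confusion: a header claiming HS256/none for a service that pinned
    # another algorithm (or vice versa) is refused before any signature math runs.
    if header.get("alg") != SERVER_ALG:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h64}.{b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    # No-expiry finding: exp is mandatory, numeric and still in the future.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        raise ValueError("missing exp claim")
    if (time.time() if now is None else now) >= exp:
        raise ValueError("token expired")
    return claims

def rejection_reason(token: str, secret: bytes, now: float = None):
    """None when the token verifies, otherwise the reason it was refused."""
    try:
        verify_token(token, secret, now)
        return None
    except ValueError as e:
        return str(e)
```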
Outcome
17 Vulns Found · 4 Critical · 100% Remediated · 12 days To Certificate

CyberSecPlus found critical vulnerabilities our in-house team had completely missed. Their report was exactly what our investors needed — thorough, clear, and with a remediation plan we could actually execute.

CTO · FinVault Technologies
02 · Healthcare · Cloud Security Audit
AWS Misconfiguration Giving Public Read Access to Patient Data S3 Bucket
Cloud · AWS · IAM · S3
The Challenge

A digital health platform serving 200,000 patients needed ISO 27001 certification and a cloud security audit. They had migrated to AWS 18 months prior with no formal security review.

Critical Findings
CRITICAL: S3 bucket with patient health records (PHI) configured with public-read ACL — accessible by anyone with the bucket URL
CRITICAL: IAM role with AdministratorAccess on public EC2 — full AWS account takeover via SSRF on metadata service
HIGH: DB credentials hardcoded in Lambda env vars, visible in CloudWatch logs to all IAM users
HIGH: No VPC flow logs or CloudTrail in 3 regions — complete blind spot for attacker activity
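A public-read bucket is caught by reading the two documents that grant access, the ACL and the bucket policy. The following is an added example, not from the NexaHealth audit, that evaluates both in the JSON shape `aws s3api get-bucket-acl` and `get-bucket-policy` return; the sample documents, bucket name and account id are constructed placeholders.

```python
# Added example (not from the NexaHealth audit): flag S3 buckets whose ACL or
# bucket policy grants public read. Input follows the JSON shape returned by
# `aws s3api get-bucket-acl` / `get-bucket-policy`; samples are constructed.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anyone, no AWS account needed
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account in the world
}
READ_PERMS = {"READ", "FULL_CONTROL"}  # READ on a bucket ACL = list it; on an object ACL = download it

def public_acl_grants(acl: dict) -> list:
    """Return (group URI, permission) for every read-capable grant to a public group."""
    hits = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS
                and g.get("Permission") in READ_PERMS):
            hits.append((grantee["URI"], g["Permission"]))
    return hits

def _principal_is_everyone(principal) -> bool:
    if principal == "*":
        return True
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def public_policy_statements(policy: dict) -> list:
    """Return Sids of unconditional Allow statements that let anyone read objects."""
    sids = []
    for st in policy.get("Statement", []):
        if (st.get("Effect") != "Allow" or st.get("Condition")
                or not _principal_is_everyone(st.get("Principal"))):
            continue  # Deny, or scoped by a Condition, or a named principal
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a.lower() in ("s3:getobject", "s3:get*", "s3:*", "*") for a in actions):
            sids.append(st.get("Sid", "<no Sid>"))
    return sids

# Constructed ACL (get-bucket-acl shape): the owner plus the public-read grant from the finding.
SAMPLE_ACL = {"Owner": {"ID": "OWNER-ID-PLACEHOLDER"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
# Constructed bucket policy: one public-read statement, one correctly scoped to an app role.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::phi-bucket-placeholder/*"},
    {"Sid": "AppRole", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::phi-bucket-placeholder/*"},
]}
```

Running both functions over every bucket in the account, alongside the account-level Block Public Access setting, is the check that would have surfaced the PHI bucket before the audit did.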
Outcome
23 Misconfigs Found · 2 PHI Exposures · ISO 27001 Achieved · 3 weeks Remediation

We had no idea our patient data was publicly accessible. CyberSecPlus found it, helped us remediate it, and guided us to ISO 27001 certification. An invaluable engagement.

Head of Engineering · NexaHealth
03 · E-Commerce · Red Team Operation
Full Domain Compromise From Spear Phishing in 4 Hours
Red Team · Phishing · AD · Lateral Movement
The Challenge

A large e-commerce retailer had invested in endpoint protection and a next-gen firewall. Their CISO believed the company was "reasonably secure." No warning was given to the security or IT team.

Attack Chain
STEP 1: OSINT on finance manager. Spear phishing impersonating payroll software → credentials captured in 22 minutes
STEP 2: VPN access via SSO credentials — MFA not enforced on legacy VPN
STEP 3: BloodHound mapped path to Domain Admin via Kerberoastable service account with weak password
STEP 4: Domain Admin achieved. Full access to customer DB, payment records, internal comms
RESULT: 50,000 records simulated-exfiltrated. Time from phish to DA: 4h 17min. Zero alerts triggered.
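Step 3 leaves a clear trace in the domain controllers' Security log, which is why "zero alerts" matters more than the path itself. The following is an added example, not part of the engagement, of a SIEM-style rule over Windows event 4769 (Kerberos service ticket requested) that flags one account requesting RC4-encrypted tickets for several distinct service accounts in a short window; the events are constructed, and the threshold and window are assumptions to tune per environment.

```python
# Added example (not from the engagement): detection over Windows Security
# event 4769 that would have flagged step 3 above. Field names follow the 4769
# schema; events are constructed and the thresholds are tuning assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"              # roasting requests RC4 so the ticket is cheap to crack offline
SPN_THRESHOLD = 3              # distinct service accounts per requester ...
WINDOW = timedelta(minutes=5)  # ... inside this window

def kerberoast_alerts(events: list) -> list:
    """Return (requesting account, sorted service names) for each account that
    requested RC4 service tickets for >= SPN_THRESHOLD distinct non-machine
    service accounts within WINDOW."""
    by_account = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine accounts and TGT traffic are noise, not roast targets
        by_account[e["TargetUserName"]].append((e["TimeCreated"], svc))
    alerts = []
    for account, reqs in by_account.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            spns = {svc for t, svc in reqs[i:] if t - start <= WINDOW}
            if len(spns) >= SPN_THRESHOLD:
                alerts.append((account, sorted(spns)))
                break  # one alert per account is enough for the analyst queue
    return alerts

def _ev(minute: int, user: str, service: str, etype: str) -> dict:
    return {"EventID": 4769, "TimeCreated": datetime(2024, 3, 1, 9, minute),
            "TargetUserName": user, "ServiceName": service, "TicketEncryptionType": etype}

# Constructed sample: one user sweeping three SPNs with RC4 in two minutes,
# normal AES traffic from another user, and a machine-account request.
SAMPLE_EVENTS = [
    _ev(0, "finance.mgr@CORP.EXAMPLE", "svc_sql", RC4_HMAC),
    _ev(1, "finance.mgr@CORP.EXAMPLE", "svc_backup", RC4_HMAC),
    _ev(2, "finance.mgr@CORP.EXAMPLE", "svc_web", RC4_HMAC),
    _ev(0, "alice@CORP.EXAMPLE", "svc_sql", "0x12"),     # AES256, normal
    _ev(3, "alice@CORP.EXAMPLE", "svc_web", "0x12"),
    _ev(4, "WS01$@CORP.EXAMPLE", "DC01$", RC4_HMAC),    # machine target, ignored
]
```

Pairing this with an AES-only setting on service accounts removes the RC4 signal entirely, which is the stronger fix behind the MFA and EDR+SIEM changes listed below.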
Outcome
4h 17m Time to DA · 0 Alerts Triggered · MFA Enforced After · EDR+SIEM Deployed After

We thought we were secure. CyberSecPlus got full domain admin in under 5 hours and we had no idea. We've completely rebuilt our detection strategy because of this.

CISO · CloudRift Platforms
04 · SaaS · API Security Assessment
BOLA Vulnerability Leaking Competitor Order Data via GraphQL
API · BOLA · GraphQL
The Challenge

A B2B SaaS platform with multiple enterprise clients on shared multi-tenant infrastructure needed third-party security assessment before a major contract signing.

Key Findings
CRITICAL: BOLA on GraphQL order query — any authenticated user could query any order_id across all tenants, leaking competitor pricing
CRITICAL: Undocumented /api/v1/admin/export accessible with standard JWT — returned full database CSV of all tenants
HIGH: GraphQL introspection enabled in production exposing internal admin mutations
HIGH: JWT tokens with no expiry — stolen tokens remain valid indefinitely
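The BOLA finding here and the IDOR and mass-assignment findings in case 01 are the same missing check: the server looked up whatever id the client supplied and wrote whatever fields the client sent. The following is an added example, not PayPilot or FinVault code, showing the object-level authorization a resolver or endpoint needs and a field allow-list for profile updates; `Session`, `ORDERS`, `USERS` and `USER_WRITABLE` are in-memory stand-ins with constructed rows.

```python
# Added example (not PayPilot or FinVault code): the two server-side checks the
# IDOR, mass-assignment and BOLA findings were missing. Tenant and user come
# from the verified session, never from the request; the stores are in-memory
# stand-ins with constructed rows.
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    """Filled from a verified token or server-side session, not from request input."""
    user_id: int
    tenant_id: str

ORDERS = {  # constructed rows, keyed by the order_id a client would pass
    1001: {"tenant_id": "acme", "owner_id": 7, "total": 1200.00},
    1002: {"tenant_id": "acme", "owner_id": 8, "total": 88.00},
    2001: {"tenant_id": "globex", "owner_id": 7, "total": 5400.00},  # same user id, other tenant
}
USERS = {7: {"email": "a@acme.example", "display_name": "A", "role": "user"}}
USER_WRITABLE = {"email", "display_name"}  # role and tenant_id are server-owned

class NotFound(Exception):
    """Same response whether the id is missing or belongs to someone else."""

def can_read_order(session: Session, order_id: int) -> bool:
    """BOLA/IDOR fix: the row must belong to the caller's tenant AND to the caller.
    Scoping by tenant alone would still leak order 1002 to user 7."""
    row = ORDERS.get(order_id)
    return (row is not None and row["tenant_id"] == session.tenant_id
            and row["owner_id"] == session.user_id)

def get_order(session: Session, order_id: int) -> dict:
    if not can_read_order(session, order_id):
        raise NotFound(f"order {order_id} not found")
    return dict(ORDERS[order_id])

def update_profile(session: Session, body: dict) -> dict:
    """Mass-assignment fix: copy only allow-listed fields. Returns the rejected
    keys so the caller can log attempts such as role=admin."""
    rejected = sorted(k for k in body if k not in USER_WRITABLE)
    user = USERS[session.user_id]
    user.update({k: v for k, v in body.items() if k in USER_WRITABLE})
    return {"user": dict(user), "rejected_fields": rejected}
```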
Outcome
11 API Vulns · 2 Cross-Tenant · Contract Signed After · 5 days Assessment

Our API was leaking competitor order data. CyberSecPlus caught it before our enterprise client's security team did. That saved the contract and our reputation.

Founder · PayPilot
05 · Banking · Network + Web App VAPT
PCI-DSS Scope Validation Uncovers Lateral Movement Path to Cardholder Data
Network · PCI-DSS · Segmentation
The Challenge

A regional bank preparing for PCI-DSS Level 1 audit believed network segmentation between their cardholder data environment (CDE) and corporate network was airtight. We were asked to validate that belief.

Key Findings
CRITICAL: Legacy print server had bidirectional firewall rule to CDE — any compromised workstation could pivot to cardholder systems
CRITICAL: Shared Domain Admin service account across CDE and non-CDE — compromising any system gave full CDE access
HIGH: Unpatched PrintNightmare (CVE-2021-34527) on 3 domain controllers — RCE as SYSTEM from any authenticated position
HIGH: WAF bypassed via parameter pollution — SQL injection accessible despite WAF presence
Outcome
28 Vulns Found · PCI-DSS Compliance Achieved · CDE Properly Segmented · 100% Remediation

From scoping to PCI-DSS certificate took 3 weeks. CyberSecPlus helped us explain the risk in business terms — exactly what our compliance board needed.

VP Engineering · TechCorp
Your case study could be next

Ready to get tested?

Book a free scoping call. We'll assess your environment and propose the right engagement.
