Basilisk
[cases_index] REAL ENGAGEMENTS · ANONYMIZED

Before it became a headline, it became a fix.

All cases below were anonymized under NDA. Numbers, sector and vector are real — client name is not.

200+ engagements delivered
4,500+ exploitable flaws reported
R$ 180M+ potential impact avoided
case/01
sector: Fintech · Open Finance
vector: API misconfig + IDOR
fix: 72h

Full access to production via unauthenticated internal API

An admin endpoint was exposed by an API gateway misconfiguration. Combined with an IDOR in the transfer routes, it allowed a pivot to any account. Identified on day 2 of the engagement.

impact avoided: R$ 48M in potential movement blocked
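The IDOR half of case/01, reduced to a minimal in-memory transfer route. This is an added illustration, not the client's or Basilisk's code: the users, account ids and balances are constructed, and the "before" handler keeps the defect the case describes (the caller is authenticated but never checked as the owner of the source account), while the "after" handler binds the debit to the server-side session identity.

```python
from dataclasses import dataclass
from decimal import Decimal


class AuthorizationError(Exception):
    """Raised when the caller does not own the source account."""


@dataclass
class Account:
    id: str
    owner: str        # user id allowed to debit this account
    balance: Decimal


def fresh_accounts():
    """Constructed sample data (hypothetical users and balances)."""
    return {
        "acc-1001": Account("acc-1001", owner="alice", balance=Decimal("5000.00")),
        "acc-2002": Account("acc-2002", owner="bob", balance=Decimal("100.00")),
    }


def transfer_vulnerable(accounts, session_user, src_id, dst_id, amount):
    """Before: the route knows who the caller is (session_user) but never asks
    whether the source account belongs to them, so any guessable account id
    in the request body gets debited."""
    src, dst = accounts[src_id], accounts[dst_id]
    if amount <= 0 or src.balance < amount:
        raise ValueError("insufficient funds or bad amount")
    src.balance -= amount
    dst.balance += amount
    return src.balance


def transfer_fixed(accounts, session_user, src_id, dst_id, amount):
    """After: ownership is checked against the server-side session identity,
    never against a user id supplied by the client."""
    src = accounts.get(src_id)
    dst = accounts.get(dst_id)
    # One error for "does not exist" and "not yours": the route must not
    # double as an oracle for enumerating valid account ids.
    if src is None or dst is None or src.owner != session_user:
        raise AuthorizationError("account not found")
    if amount <= 0 or src.balance < amount:
        raise ValueError("insufficient funds or bad amount")
    src.balance -= amount
    dst.balance += amount
    return src.balance


def demo():
    """Attacker 'bob' tries to drain alice's account through both handlers."""
    results = {}
    accts = fresh_accounts()
    transfer_vulnerable(accts, "bob", "acc-1001", "acc-2002", 4000)
    results["vulnerable_drained"] = accts["acc-1001"].balance == 1000
    accts = fresh_accounts()
    try:
        transfer_fixed(accts, "bob", "acc-1001", "acc-2002", 4000)
        results["fixed_blocked"] = False
    except AuthorizationError:
        results["fixed_blocked"] = accts["acc-1001"].balance == 5000
    # The legitimate owner is unaffected by the fix.
    transfer_fixed(accts, "alice", "acc-1001", "acc-2002", 4000)
    results["owner_allowed"] = accts["acc-1001"].balance == 1000
    return results


if __name__ == "__main__":
    print(demo())
```

The gateway side of the same case (an admin route reachable without the internal authentication the gateway was supposed to enforce) is a routing policy problem rather than application code, so it is not shown here; the point of the snippet is that an object-level ownership check has to live in the handler, because the gateway cannot know which account a given caller may touch.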
case/02
sector: Healthtech · SaaS
vector: Cloud misconfig
fix: 24h

Exposure of 1.2M health records via staging S3 bucket

The staging bucket replicated production data without encryption or access control. Fixed before the external ISO audit.

impact avoided: GDPR fine · non-reportable incident
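A read-only configuration audit of the kind that would have caught the bucket in case/02, added here as an example and not taken from the engagement. It runs over constructed dicts shaped like the AWS responses for GetPublicAccessBlock, GetBucketPolicy and GetBucketEncryption; the bucket name, account id, role and key ARN are hypothetical. With real boto3 calls substituted for the constants, the same function audits a live bucket.

```python
import json

# Constructed: what the staging bucket might have looked like (all values hypothetical).
STAGING_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
               "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
STAGING_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DevRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-staging-data",
                     "arn:aws:s3:::example-staging-data/*"],
    }],
})
STAGING_ENCRYPTION = None   # GetBucketEncryption returned no configuration

# Constructed: the same bucket after the fix.
HARDENED_PAB = {k: True for k in STAGING_PAB}
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReplicatorOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/staging-replicator"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-staging-data/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-staging-data",
                      "arn:aws:s3:::example-staging-data/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})
HARDENED_ENCRYPTION = {"Rules": [{"ApplyServerSideEncryptionByDefault": {
    "SSEAlgorithm": "aws:kms",
    "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"}}]}


def _is_public_principal(principal):
    """True for the wildcard principal forms a bucket policy accepts."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def audit_bucket(public_access_block, policy_document, encryption):
    """Return a list of findings for one bucket.
    public_access_block: PublicAccessBlockConfiguration dict, or None if unset
    policy_document:     bucket policy as a JSON string, or None
    encryption:          ServerSideEncryptionConfiguration dict, or None if unset"""
    findings = []
    pab = public_access_block or {}
    for flag in ("BlockPublicAcls", "IgnorePublicAcls",
                 "BlockPublicPolicy", "RestrictPublicBuckets"):
        if not pab.get(flag, False):
            findings.append(f"public access block: {flag} is off")
    if policy_document:
        for stmt in json.loads(policy_document).get("Statement", []):
            # An unconditional Allow to everyone is the classic open-bucket statement.
            if (stmt.get("Effect") == "Allow"
                    and _is_public_principal(stmt.get("Principal"))
                    and "Condition" not in stmt):
                actions = stmt.get("Action", [])
                if isinstance(actions, str):
                    actions = [actions]
                findings.append("policy: anonymous Allow for " + ", ".join(actions))
    rules = (encryption or {}).get("Rules", [])
    if not any("ApplyServerSideEncryptionByDefault" in r for r in rules):
        findings.append("encryption: no default server-side encryption rule")
    return findings


def audit_staging():
    return audit_bucket(STAGING_PAB, STAGING_POLICY, STAGING_ENCRYPTION)


def audit_hardened():
    return audit_bucket(HARDENED_PAB, HARDENED_POLICY, HARDENED_ENCRYPTION)


if __name__ == "__main__":
    print("\n".join(audit_staging()) or "no findings")
```

Two caveats a practitioner would add: the check reads configuration, not objects, so a bucket without a default encryption rule may still hold objects that were written with SSE headers, and a bucket that passes here may still be reachable through a legacy object ACL or an access point with its own policy. The replication rule that copied production data into staging in the first place is a separate finding and is not modelled.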
case/03
sector: Industry · OT
vector: Segmentation + legacy credentials
fix: 2 weeks

Lateral movement from IT to industrial plant via legacy VPN

Red Team engagement starting from phishing. Pivot from an engineering workstation to the OT network via a VPN with default credentials. Fixed with segmentation, a jump host and MFA.

impact avoided: prevented a line stoppage estimated at 8 days
case/04
sector: E-commerce · B2C
vector: XSS + session without rotation
fix: 96h

Exploit chain: XSS → admin account takeover → balance

Reflected XSS on the search page, combined with a permissive cookie policy, allowed theft of an admin session. Identified in a standard pentest.

impact avoided: fraud blocked, estimated at R$ 2.3M/month