Real engagements. Real findings. Real results.
Every engagement is different, but the goal is always the same: find what matters, explain the risk clearly, and help the organisation fix it before it becomes a breach.
Evidence-led outcomes
Sample scenarios showing how testing turns into remediation, assurance, and clearer security decisions.
FinTech
IDOR and broken access control found across multi-tenant SaaS platform
Challenge
A fast-growing FinTech SaaS was preparing for a Series A round. The platform handled sensitive financial data across multiple tenants and the investor due diligence process required evidence of a recent penetration test.
What We Did
NeedSec performed a full web application penetration test covering authentication flows, API endpoints, business logic, and data access. Testing focused on tenant isolation and cross-account data exposure.
Result
NeedSec identified critical IDOR vulnerabilities allowing one tenant to access another's financial records, plus three high-severity authentication flaws. All findings were remediated before the due diligence window closed.
Healthcare
Unauthenticated API endpoints exposing patient data in healthcare portal
Challenge
A healthcare technology company building a patient-facing portal needed an API security review before go-live. The platform integrated with multiple clinical systems and handled sensitive health records.
What We Did
NeedSec assessed all REST API endpoints for authorisation gaps, data leakage, and injection vulnerabilities. Testing included role-boundary checks between clinician, admin, and patient accounts.
Result
Five unauthenticated endpoints were discovered that returned patient demographic and appointment data without any authorisation check. The findings were fixed before launch, preventing potential GDPR and clinical data exposure.
E-commerce
Publicly accessible S3 buckets and overprivileged IAM roles in AWS environment
Challenge
An e-commerce business undergoing rapid AWS infrastructure growth asked NeedSec to review its cloud environment after an internal audit flagged potential misconfigurations. The environment included RDS databases, ECS containers, and Lambda functions.
What We Did
NeedSec performed a full AWS cloud security assessment covering IAM policies, S3 bucket ACLs, VPC configuration, EC2 hardening, secrets management, and logging coverage.
Result
Two publicly accessible S3 buckets were found containing customer order exports. IAM roles had wildcard permissions allowing lateral movement to production databases. All findings were remediated with prioritised guidance.
Professional Services
Active Directory privilege escalation path from standard user to domain admin
Challenge
A professional services firm requested an internal network penetration test as part of its annual security review. The environment included a Windows Active Directory domain, file servers, and remote access infrastructure.
What We Did
NeedSec performed a full internal infrastructure test starting from a standard user network position. Testing covered Active Directory enumeration, privilege escalation techniques, lateral movement, and sensitive data exposure.
Result
A Kerberoastable service account with a weak password allowed privilege escalation to domain admin in under four hours. The attack path was fully documented with remediation steps for both the immediate issue and longer-term AD hardening.
Manufacturing
Cyber Essentials Plus certification awarded by NeedSec after remediation of failing controls
Challenge
A manufacturing company was required to hold Cyber Essentials Plus certification to maintain a government supply chain contract. A previous attempt with another body had failed due to unpatched systems and misconfigured endpoint controls.
What We Did
NeedSec, as an IASME-licensed certification body, conducted the full Cyber Essentials Plus technical assessment across all five control areas, recorded the failing controls, confirmed the required action, and carried out the final technical verification.
Result
All failing controls were resolved within three weeks. NeedSec awarded Cyber Essentials Plus certification directly and the organisation maintained its government supply chain contract.
SaaS Startup
Missing RLS policies and exposed Supabase keys in AI-generated application
Challenge
A startup had built its MVP using an AI coding tool and Supabase as the backend. The founders wanted a security review before onboarding paying customers, concerned that the AI-generated code might have missed security fundamentals.
What We Did
NeedSec reviewed the Supabase configuration, RLS policies, API routes, environment variable handling, and frontend bundle for exposed secrets. Testing covered auth flows, data access boundaries, and injection risk.
Result
Row-level security was disabled on three tables containing user data. An API key with full database access was present in the frontend JavaScript bundle. Both were fixed before customer onboarding began.
Ready to find out what is in your environment?
Share your scope, systems, and goals. NeedSec will help define the right assessment approach and deliver findings you can act on.