Case Studies
Real engagements, anonymized to protect our clients.
Series B SaaS Platform — Chained IDOR + SSRF to Full Data Access
Challenge: The client had passed two previous vendor assessments with clean reports. They engaged ZynoSec for a second opinion before their SOC 2 audit.
Finding: We discovered a chained vulnerability: an IDOR in the API allowed access to other tenants' data export endpoints, and those endpoints contained an SSRF vulnerability that could be leveraged to reach the internal cloud metadata service.
Impact: Complete tenant isolation bypass affecting all customers on the platform.
Outcome: Fixed within 72 hours. The client passed their SOC 2 audit the following month.
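The two controls that close this chain, as an added illustration rather than the client's code: an export lookup scoped to the caller's tenant (the IDOR), and an outbound-URL check that resolves the destination and refuses link-local, private and metadata addresses (the SSRF). The export table, hostnames and addresses are constructed sample data.

```python
"""Tenant-scoped export lookup plus outbound-destination check (added example)."""
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed sample data: export ids mapped to the tenant that owns them.
EXPORTS = {"exp-100": "tenant-a", "exp-200": "tenant-b"}

# Ranges an export job must never reach. 169.254.0.0/16 covers the cloud
# metadata service (169.254.169.254) that the reported chain pivoted to.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]


def get_export(caller_tenant, export_id):
    """IDOR fix: the export must belong to the caller's tenant, not merely exist."""
    owner = EXPORTS.get(export_id)
    if owner is None or owner != caller_tenant:
        return None  # identical response for "missing" and "not yours"
    return {"id": export_id, "tenant": owner}


def resolve_all(host):
    """Resolve every A/AAAA record; a public-looking hostname may hide an internal address."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_destination(url, resolver=resolve_all):
    """SSRF fix: allow only http(s) to hosts whose every resolved address is public.

    The fetch that follows should connect to the validated address rather than
    re-resolving the name, otherwise a DNS change between check and use slips past.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        addrs = resolver(parsed.hostname)
    except (socket.gaierror, UnicodeError, ValueError):
        return False
    if not addrs:
        return False
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved
                or ip.is_multicast or ip.is_unspecified
                or any(ip in net for net in BLOCKED_NETS)):
            return False  # one internal address disqualifies the whole host
    return True
```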
Fortune 500 Subsidiary — Domain Compromise in 4 Hours
Challenge: Internal AD pentest of a 5,000-seat domain. The client believed their AD was hardened after implementing tiered admin.
Finding: A Kerberoastable service account with a weak password led to a silver ticket. A DACL misconfiguration on a GPO allowed pushing a scheduled task. ADCS ESC1 gave us a Domain Admin certificate.
Impact: Full domain compromise from unprivileged user in under 4 hours.
Outcome: 23 findings remediated. Client implemented ADCS hardening and DACL auditing.
AI Startup — System Prompt Extraction and Data Exfiltration
Challenge: Pre-launch security assessment of a customer-facing LLM-powered assistant with access to a proprietary RAG knowledge base.
Finding: Indirect prompt injection via crafted documents allowed overriding the system prompt. We extracted the full system prompt and exfiltrated RAG knowledge base data.
Impact: Proprietary business data accessible to any user. System prompt containing internal API keys was extractable.
Outcome: Client implemented input/output filtering and prompt hardening, and removed credentials from the system prompt before launch.
Get a Security Assessment
Let us find the vulnerabilities before someone else does.