Stopped a chargeback ring before launch
A DTC brand was three days from launch with a clever cart-tampering vector hiding inside their Shopify storefront customisation. Our manual review caught it.
Challenge
Burp Suite's automated scanner returned clean. The brand had spent five figures on a third-party security review that gave them a green light. But a senior on our team noticed a discount-code parameter was being signed client-side.
Approach
We built a proof-of-concept exploit showing that an attacker could apply arbitrary discount percentages, including 100%. We delivered the PoC privately, brought their engineers into the order chat, and walked them through a server-side fix.
Outcome
Fix shipped 48h before launch. Re-test confirmed closure.
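
The pattern described under Challenge and Approach, as an added example that is not the brand's code or the PoC from this engagement: a discount percentage accepted because the client signed it, beside one form of server-side fix that reads only the code from the request. The key, discount codes, field names and function names are constructed assumptions.

```javascript
// Added example: all names, codes and keys are constructed for illustration.
const { createHmac, timingSafeEqual } = require('crypto');

// WEAK: this key also ships in the storefront script, so every visitor has it.
const CLIENT_VISIBLE_KEY = 'constructed-key-in-storefront-bundle';

// Server-held source of truth; never sent to or accepted from the browser.
const DISCOUNTS = new Map([
  ['WELCOME10', { percent: 10, active: true }],
  ['EXPIRED50', { percent: 50, active: false }],
]);

function sign(key, code, percent) {
  return createHmac('sha256', key).update(`${code}|${percent}`).digest('hex');
}

// Weak pattern: trusts a percent value because the request carries a valid
// signature, although the signer is the client itself.
function totalTrustingClient(subtotalCents, { code, percent, sig }) {
  const expected = Buffer.from(sign(CLIENT_VISIBLE_KEY, code, percent));
  const given = Buffer.from(String(sig));
  const ok = given.length === expected.length && timingSafeEqual(given, expected);
  if (!ok) throw new Error('bad signature');
  return Math.round(subtotalCents * (100 - percent) / 100);
}

// Server-side fix: only the code is read from the request. The percent comes
// from the server's table; client-sent percent and sig fields are ignored.
function totalServerSide(subtotalCents, { code }) {
  const entry = DISCOUNTS.get(String(code));
  if (!entry || !entry.active) return subtotalCents; // unknown or inactive: no discount
  if (!Number.isInteger(entry.percent) || entry.percent < 0 || entry.percent > 100) {
    throw new Error('misconfigured discount');
  }
  return Math.round(subtotalCents * (100 - entry.percent) / 100);
}

// Constructed request: a client that holds the key signs a percent of its choosing.
const tampered = {
  code: 'WELCOME10',
  percent: 100,
  sig: sign(CLIENT_VISIBLE_KEY, 'WELCOME10', 100),
};
```

A scanner sees a well-formed, correctly signed request in both cases; the difference is only visible when the order total is compared against the server's own discount table, which is a useful re-test assertion.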