The Challenge
The platform handled grades, parent contact info, and student PII for 180k users across 400 schools. A school district's procurement team required a pentest before contract renewal.
The Solution
Full authenticated pentest across student, teacher, and admin roles. Found an IDOR chained with predictable session tokens that enabled full account takeover without credentials. Wrote a detailed reproducer, worked with their team through the patch, and re-tested.
The Results
Critical account takeover chain patched in 11 days. Contract renewed. No student data compromised. Full report delivered to district security team.
Could your app use the same treatment?
Start with a free audit. Three findings, ranked, no pitch attached.