CASE STUDY

Certified.
Still Exposed.

These companies invested in SOC 2, ISO 27001, and GDPR compliance. They passed their audits. But when we examined their publicly accessible attack surface — client bundles, public APIs, and open endpoints — we found critical exposures in every single one.

17 companies tested
6 held SOC 2 or ISO 27001
100% had critical or high vulnerabilities
12+ average findings per company

Company names are anonymized. All findings are from publicly accessible information — client-side bundles, public API endpoints, and open configurations. No systems were breached.

GraphQL + React
3D Design Tool (Enterprise)

Security Grade: D
Certifications Held: SOC 2, ISO 27001, GDPR, CCPA
What We Found:
GraphQL introspection open — 115 types, full schema exposed without auth
allUsers query — entire user database enumerable by anyone
No rate limiting on any API endpoint
WebGL + Custom Engine
3D Design Platform

Security Grade: B-
Certifications Held: SOC 2 Type I, SOC 2 Type II, ISO 27001, GDPR
What We Found:
81 shader source files exposed — proprietary rendering IP leaked
Full database schema (16 tables) discoverable via API
Stripe pricing configuration fully exposed in client bundle
Next.js + AI Pipeline
AI Music Platform

Security Grade: B-
Certifications Held: SOC 2, ISO 27001, GDPR, HIPAA, PCI, FedRAMP
What We Found:
67 internal API endpoints mapped — 15 privilege escalation paths found
8 internal AI model codenames and configurations leaked via session API
50+ feature flags with unreleased product roadmap exposed
Next.js + AI
Developer Platform (Major Provider)

Security Grade: B+
Certifications Held: SOC 2 Type II, ISO 27001
What We Found:
42K-char AI system prompt fully extracted via prompt injection
17 internal tools + 30+ skills — complete AI architecture exposed
Internal model configurations and partner infrastructure URLs revealed
Vue 3 + AWS Cognito
Customer Messaging Platform

Security Grade: B+
Certifications Held: ISO 27001:2022, GDPR
What We Found:
JWT stored in localStorage — extractable via any XSS vulnerability
PII (personal data) stored in plaintext in Mixpanel analytics cookies
MFA disabled by default — no enforcement for admin accounts
WASM + Custom Runtime
Animation Engine (Growing Enterprise)

Security Grade: B-
Certifications Held: SOC 2, ISO 27001, GDPR, HIPAA, FedRAMP
What We Found:
3,616 source files recoverable from production source maps
Internal AI integration code (7 files) with Claude API patterns exposed
51 undocumented API endpoints accessible without authentication
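Several of the exposures above (production source maps, Stripe configuration shipped in the client bundle, session tokens written to localStorage, internal infrastructure URLs) can be caught in CI by scanning the built client output before it is deployed. The script below is an added example, not code from this page or from any of the companies described; the build file names, their contents and the check patterns are constructed for illustration.

```javascript
// Added example (not from the case-study page): a pre-release audit of a built
// client bundle for the exposure classes the case studies report. The build
// contents are constructed samples; a real run would read dist/ or .next/static.
const CHECKS = [
  { id: "source-map-reference", severity: "high",
    re: /\/\/[#@]\s*sourceMappingURL=\S+/g,
    why: "shipped source maps let anyone recover the full source tree" },
  { id: "stripe-secret-key", severity: "critical",
    re: /\bsk_(?:live|test)_[A-Za-z0-9]{8,}\b/g,
    why: "a Stripe secret key must stay server-side; only pk_ keys belong in a client" },
  { id: "token-in-localstorage", severity: "high",
    re: /localStorage\.setItem\(\s*["'`](?:jwt|token|access_token|id_token)["'`]/g,
    why: "any XSS can read localStorage; keep session tokens in httpOnly cookies" },
  { id: "internal-host", severity: "medium",
    re: /https?:\/\/[a-z0-9.-]*(?:internal|staging|corp)\.[a-z0-9.-]+/gi,
    why: "internal or partner hostnames map the backend for an attacker" },
];

// Scan every file in the build map and return one finding per match.
function auditBundle(files) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    for (const check of CHECKS) {
      for (const m of text.matchAll(check.re)) {
        findings.push({ file, id: check.id, severity: check.severity,
          match: m[0].slice(0, 60), why: check.why });
      }
    }
  }
  return findings;
}

// Release gate: anything critical or high fails the pipeline.
function shouldBlockRelease(findings) {
  return findings.some((f) => f.severity === "critical" || f.severity === "high");
}

// Constructed sample build output (hypothetical file names and contents).
const SAMPLE_BUILD = {
  "static/chunks/main-3f2a.js":
    'localStorage.setItem("token", r.jwt);\n//# sourceMappingURL=main-3f2a.js.map',
  "static/chunks/billing-9c1e.js":
    'const KEY="sk_live_EXAMPLE0000000000";fetch("https://api.internal.example.com/v1/prices");',
  "static/chunks/clean-77aa.js": 'export const pk="pk_live_EXAMPLEPUBLISHABLE";',
};

const report = auditBundle(SAMPLE_BUILD);
for (const f of report) console.log(`[${f.severity}] ${f.file}: ${f.id} (${f.match}) - ${f.why}`);
console.log(shouldBlockRelease(report) ? "release blocked" : "release ok");
```

Pointing `SAMPLE_BUILD` at the real build directory (reading each file with `fs.readFileSync`) and running this as a CI step turns the gate into a check that runs on every deploy rather than once at audit time.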

Your audit passed. But did your security?

Compliance certifications verify that processes exist. We verify that attackers can't get in. There's a difference.

Get Your Real Security Score