Northwind Pay
Series A fintech · pre-SOC 2 Type II
Pre-SOC 2 pentest with a week-by-week remediation calendar, not a 200-page PDF
Surface critical findings ahead of the SOC 2 audit window with a clear remediation plan.
A small fintech needed a penetration test ahead of their SOC 2 Type II audit. The win wasn't the report — it was the remediation playbook that gave the engineering team a clear week-by-week path to a clean audit.
Findings by severity: CRIT 10 · HIGH 12 · MED 10 · LOW 14
- Industry: Cybersecurity / Fintech
- Timeline: 2 weeks
- Team: 2
- Service: Cybersecurity
- Project tier: Security audit / $4,995 + Remediation
The Problem
What was broken.
Audit window in 8 weeks. The team had not had an external test before. They wanted a real report — one that would survive an auditor's review — and a remediation plan they could actually finish in time.
Our Approach
How we framed it.
Two-week test against scoped surface (web app, API, AWS account). Findings classified by severity with reproducible PoCs. Remediation playbook organized by week so the engineering team could execute against a calendar, not a backlog.
Capability proof
What this case demonstrates.
This case makes the hidden work visible: strategy, architecture, delivery control, quality evidence, and handoff.
01 / Product judgment
Problem framed before UI
Audit window in 8 weeks. The team had not had an external test before. They wanted a real report — one that would survive an auditor's review — and a remediation plan they could actually finish in time.
02 / Technical depth
5 stack decisions
Burp Suite Pro, Custom fuzzers (Go), AWS scanners (ScoutSuite, Prowler), Semgrep (SAST), Markdown (report)
03 / Delivery discipline
4 delivery checkpoints
Scoping + rules of engagement / Web + API testing / AWS testing / Report + remediation playbook
04 / Handoff quality
5 shipped artifacts
Two-week external + AWS pentest report / Reproducible PoCs for every finding / Week-by-week remediation playbook / Re-test of every high/critical finding / Executive summary suitable for the auditor
Production artifacts
Inspect the work behind the visible result.
Each case exposes the surfaces, systems, evidence, and handoff package that make the shipped product usable after launch.
Experience layer
Buyer or user surface
Two-week scoped test (web app, API, AWS account) with reproducible PoCs. Findings organised into a week-by-week remediation playbook; every high/critical re-tested before audit window.
Proof 01
Surface critical findings ahead of the SOC 2 audit window with a clear remediation plan.
Proof 02
Wrote the rules of engagement, scoped surface, agreed on test windows and emergency contacts.
Proof 03
Executive summary suitable for the auditor
Production signals
Observable
Errors, logs, alerts, or dashboards included.
Risk-aware
Security and compliance boundaries named.
Handoff-ready
Owner can keep operating after delivery.
Before / after · product UI mockup
Industry · Cybersecurity / Fintech
Before: Annual Nessus scan dumped a 200-page PDF; most findings ignored, no remediation tracking.
After: Two-week scoped test (web app, API, AWS account) with reproducible PoCs. Findings organised into a week-by-week remediation playbook; every high/critical re-tested before the audit window.
How the engagement ran.
- 01 · Day 1
Scoping + rules of engagement
Wrote the rules of engagement, scoped surface, agreed on test windows and emergency contacts.
- 02 · Day 2-7
Web + API testing
Manual testing with Burp + custom fuzzers; SAST pass with Semgrep.
- 03 · Day 8-10
AWS testing
ScoutSuite + Prowler + manual review of IAM, S3, security groups.
- 04 · Day 11-14
Report + remediation playbook
Wrote the report and the week-by-week remediation playbook with the team.
Deliverables
What we shipped.
- ✓Two-week external + AWS pentest report
- ✓Reproducible PoCs for every finding
- ✓Week-by-week remediation playbook
- ✓Re-test of every high/critical finding
- ✓Executive summary suitable for the auditor
Outcomes.
Engagement targets
- Plan: two-week test against web app, API, and AWS account
- Plan: findings with reproducible PoCs and clear severity
- Plan: remediation playbook organized by week, not by category
- Plan: re-test of every high/critical finding before audit window
- Plan: auditor-ready report with executive summary
Honest challenges
What we got wrong (or almost wrong).
The pretty version of any case study skips this part. We don't.
- 01
Reproducing some findings required access to customer data; we coordinated tightly with the client so the test touched nothing out of scope.
- 02
The live AWS IAM configuration had drifted from the documented policy; we flagged the drift explicitly and delivered a one-page IAM hygiene plan alongside the report.
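The IAM drift noted above, and the manual IAM review in the AWS testing step, can be checked mechanically: load the policy the team documented, load the policy actually attached in the account, and report every statement, action or resource the live version grants that the documented one does not. The script below is an added example written for this page, not Hayaiti's tooling or the client's policy; both policy documents are constructed for illustration, and the bucket name, account ID and statement IDs are placeholders.

```python
"""Added example (not the engagement's own tooling): IAM policy drift check.

Compares a documented (intended) IAM policy with the one live in the account.
Both documents below are constructed; in practice the live one comes from
`aws iam get-policy-version` (boto3: iam.get_policy_version) and the documented
one from the infrastructure repo.
"""
import json
from typing import Dict, List, Set, Tuple

# Constructed "documented" policy: read-only access to one bucket plus one secret path.
DOCUMENTED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadUploads", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-uploads", "arn:aws:s3:::example-uploads/*"]},
    {"Sid": "ReadSecrets", "Effect": "Allow",
     "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:app/*"}
  ]
}""")

# Constructed "live" policy: write actions added, bucket scope widened to "*",
# and an undocumented hotfix statement granting iam:* everywhere.
LIVE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadUploads", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "*"},
    {"Sid": "ReadSecrets", "Effect": "Allow",
     "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:app/*"},
    {"Sid": "Hotfix", "Effect": "Allow", "Action": "iam:*", "Resource": "*"}
  ]
}""")


def _as_list(value) -> List[str]:
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def normalise(policy: Dict) -> Dict[str, Tuple[str, Set[str], Set[str]]]:
    """Map each statement to (Effect, actions, resources), keyed by Sid.
    Statements without a Sid get a positional key so they still appear in the diff."""
    out = {}
    for i, stmt in enumerate(policy.get("Statement", [])):
        key = stmt.get("Sid") or f"stmt-{i}"
        out[key] = (stmt.get("Effect", "Allow"),
                    set(_as_list(stmt.get("Action"))),
                    set(_as_list(stmt.get("Resource"))))
    return out


def diff_policies(documented: Dict, live: Dict) -> List[str]:
    """Return drift findings as plain strings.

    Widening (undocumented statements, extra actions, resources outside the
    documented set) is the security-relevant drift. A documented statement that
    is missing from the live policy is reported too, since it may break the app,
    but it does not expand blast radius. Comparison is by exact string, not ARN
    pattern semantics, so a broader wildcard ARN shows up as "outside the set".
    """
    findings: List[str] = []
    doc = normalise(documented)
    liv = normalise(live)
    for sid, (effect, actions, resources) in liv.items():
        if effect != "Allow":
            continue
        if sid not in doc:
            findings.append(f"{sid}: undocumented statement allows {sorted(actions)} on {sorted(resources)}")
            continue
        _, doc_actions, doc_resources = doc[sid]
        added = actions - doc_actions
        if added:
            findings.append(f"{sid}: actions added beyond documented policy: {sorted(added)}")
        outside = resources - doc_resources
        if outside:
            findings.append(f"{sid}: resources outside documented set: {sorted(outside)} (documented: {sorted(doc_resources)})")
    for sid in doc:
        if sid not in liv:
            findings.append(f"{sid}: documented statement missing from live policy")
    return findings


def wildcard_grants(policy: Dict) -> List[str]:
    """Flag Allow statements granting '*' or a service-wide 'service:*' on Resource '*'.
    These get raised regardless of drift; an auditor will ask about them first."""
    hits: List[str] = []
    for sid, (effect, actions, resources) in normalise(policy).items():
        if effect != "Allow":
            continue
        broad = sorted(a for a in actions if a == "*" or a.endswith(":*"))
        if broad and "*" in resources:
            hits.append(f"{sid}: {broad} on all resources")
    return hits


if __name__ == "__main__":
    for line in diff_policies(DOCUMENTED_POLICY, LIVE_POLICY) + wildcard_grants(LIVE_POLICY):
        print(line)
```

Run against the constructed documents it reports three drift lines (extra S3 write actions, the bucket scope replaced by `*`, and the undocumented `Hotfix` statement) plus one wildcard grant. The same two functions, pointed at every customer-managed policy in the account, give the one-page hygiene list a concrete starting point rather than a prose observation.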
In our own words
The win wasn't the report — it was the playbook. Organising remediation by week, not by category, gave the engineering team a calendar instead of a backlog and turned an 8-week scramble into a planned sprint.
From the Hayaiti team
Engineering · design · security
Technical blueprint
How the work holds together.
Buyers should see that the visual layer is backed by architecture, quality gates, and operational ownership.
Experience · 1 Application · 2 Data · 3 Operations · 4 Security · 5 Stack used (5 technologies)
Related
Other cases like this.
Helix Health
HIPAA-ready intake portal
Replace clipboard intake with a 7-minute, accessible, HIPAA-ready web flow.
GovTech · City of Greendale
Municipal procurement portal
Replace a paper-and-fax vendor onboarding flow with a proper portal.
Cybersecurity / Bug Bounty · Three public programs
HackerOne disclosure suite
Found, triaged, and disclosed a small set of vulnerabilities against public bug-bounty programs.
Want a case study like this?
Want this level of production quality on your project?
Send a short brief and we'll reply with scope, timeline, price direction, and the first technical recommendation.