The engagement
A regional mobile money operator. 2.3 million registered users. They had not run an external security assessment in 18 months. A competitor had recently disclosed a breach. Their CISO called on a Friday.
We started Monday.
What we found
The most critical findings in priority order:
Unauthenticated API endpoints. Three internal API endpoints that should have required service-to-service authentication were accessible without any credentials. Two were read-only. One was not.
Transaction replay vulnerability. The payment confirmation flow did not implement idempotency keys. An authenticated attacker could replay a confirmed transaction and trigger a duplicate disbursement.
Plaintext secrets in environment variables. Production credentials for the SMS gateway and the banking integration partner were stored as plaintext in environment configuration files committed to a private — but not adequately access-controlled — repository.
What we fixed in 14 days
Day 1–3: Patched the unauthenticated endpoints, rotated all compromised credentials, removed secrets from version control and migrated to a secrets manager.
Day 4–7: Implemented idempotency across the payment flow. This required changes to three services and a database schema migration.
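The replay finding above and the idempotency work of days 4–7 come down to one pattern: a confirmation request carries a client-supplied idempotency key, the service records the key (scoped to the authenticated caller) together with a fingerprint of the request body before it disburses, and any later request with the same key gets the stored response instead of a second payout. The following is an added illustration, not the operator's code; the in-memory `Ledger`, the `Idempotency-Key` handling and the sample payloads are all constructed for the example. In production the key table lives in the same database transaction as the disbursement, with a unique constraint on `(principal, key)` so two concurrent replays cannot both pass the lookup.

```python
"""Payment confirmation before and after idempotency keys (added example, hypothetical service)."""
from dataclasses import dataclass, field
import hashlib
import json


@dataclass
class Ledger:
    """In-memory stand-in for the payments database (constructed for the example)."""
    balances: dict = field(default_factory=dict)
    disbursements: list = field(default_factory=list)
    # (principal, idempotency_key) -> (request fingerprint, stored response)
    idempotency: dict = field(default_factory=dict)


def fingerprint(payload: dict) -> str:
    """Hash the canonical request body so a key reused with a different body is rejected."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def _disburse(ledger: Ledger, payload: dict) -> None:
    """The side effect we must execute at most once per logical transaction."""
    ledger.balances[payload["to"]] = ledger.balances.get(payload["to"], 0) + payload["amount"]
    ledger.disbursements.append(dict(payload))


def confirm_payment_vulnerable(ledger: Ledger, principal: str, payload: dict) -> dict:
    """Before: every confirmation call, including a replayed one, disburses again."""
    _disburse(ledger, payload)
    return {"code": 200, "status": "disbursed"}


def confirm_payment(ledger: Ledger, principal: str, idempotency_key, payload: dict) -> dict:
    """After: first call executes; a replay returns the stored response; key reuse with a
    different body is a conflict; a missing key is rejected rather than silently processed."""
    if not idempotency_key:
        return {"code": 400, "status": "error", "reason": "Idempotency-Key header required"}
    scoped_key = (principal, idempotency_key)  # scope per caller so keys cannot collide across users
    fp = fingerprint(payload)
    cached = ledger.idempotency.get(scoped_key)
    if cached is not None:
        stored_fp, stored_response = cached
        if stored_fp != fp:
            return {"code": 409, "status": "error", "reason": "key reused with a different request"}
        return dict(stored_response)  # replay: same answer, no second disbursement
    # Reserve the key before doing the work; a replay arriving mid-flight sees "in_progress".
    ledger.idempotency[scoped_key] = (fp, {"code": 202, "status": "in_progress"})
    _disburse(ledger, payload)
    response = {"code": 200, "status": "disbursed"}
    ledger.idempotency[scoped_key] = (fp, response)
    return dict(response)


def demo() -> dict:
    """Replay the same confirmation three times against both handlers (constructed sample)."""
    payload = {"to": "wallet-77", "amount": 500, "ref": "TX-1001"}

    before = Ledger()
    for _ in range(3):
        confirm_payment_vulnerable(before, "user-a", payload)

    after = Ledger()
    replay_codes = [confirm_payment(after, "user-a", "k-abc", payload)["code"] for _ in range(3)]
    conflict = confirm_payment(after, "user-a", "k-abc", {**payload, "amount": 9000})
    other = confirm_payment(after, "user-b", "k-abc", payload)  # different caller, same key string
    missing = confirm_payment(after, "user-a", None, payload)

    return {
        "vulnerable_balance": before.balances["wallet-77"],   # 1500: paid three times
        "fixed_balance": after.balances["wallet-77"],         # 1000: once for user-a, once for user-b
        "replay_codes": replay_codes,                         # [200, 200, 200]
        "conflict_code": conflict["code"],                    # 409
        "other_principal_code": other["code"],                # 200
        "missing_key_code": missing["code"],                  # 400
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The fingerprint check matters as much as the key itself: without it, a client (or an attacker holding a captured key) could attach an existing key to a different amount and have the service treat it as a harmless replay.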
Day 8–12: Deployed WAF rules, added rate limiting to authentication endpoints, implemented anomaly detection on transaction volume.
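Two of the day 8–12 controls are small enough to show in full. The block below is an added example, not the operator's implementation: a sliding-window rate limiter of the kind placed in front of authentication endpoints, and a transaction-volume anomaly check that flags an interval whose disbursement total exceeds the mean of previous unflagged intervals by more than `k` standard deviations. The per-source limit of 5 attempts per 60 seconds, the hourly totals and the source address are constructed values for illustration.

```python
"""Auth rate limiting and transaction-volume anomaly detection (added example, constructed data)."""
from collections import defaultdict, deque
import statistics


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window_seconds` for each key (source IP, account, ...)."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self.events = defaultdict(deque)  # key -> timestamps of recent events

    def allow(self, key: str, now: float) -> bool:
        q = self.events[key]
        while q and now - q[0] >= self.window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: reject without recording, so the window is not extended
        q.append(now)
        return True


def disbursement_anomalies(buckets, k: float = 3.0, min_history: int = 5):
    """buckets: ordered (label, total_amount) pairs, one per fixed interval.
    Returns (label, total, threshold) for each interval whose total exceeds
    mean + k * stdev of the earlier intervals that were not themselves flagged."""
    flagged = []
    history = []
    for label, total in buckets:
        if len(history) >= min_history:
            mean = statistics.fmean(history)
            sd = statistics.pstdev(history)
            # Floor the spread at 5% of the mean so a very flat baseline still has a tolerance.
            threshold = mean + k * max(sd, 0.05 * mean)
            if total > threshold:
                flagged.append((label, total, round(threshold, 2)))
                continue  # keep the spike out of the baseline
        history.append(total)
    return flagged


def demo() -> dict:
    # Constructed login attempts from one source, as seconds since the first attempt.
    limiter = SlidingWindowLimiter(limit=5, window_seconds=60)
    attempts = [0, 1, 2, 3, 4, 5, 30, 61]
    decisions = [limiter.allow("203.0.113.9", t) for t in attempts]
    # -> [True, True, True, True, True, False, False, True]

    # Constructed hourly disbursement totals; hour 8 is the duplicate-payout spike.
    totals = [48000, 52000, 50000, 47000, 53000, 49000, 51000, 50000, 300000, 50000]
    buckets = [(f"h{i:02d}", t) for i, t in enumerate(totals)]
    anomalies = disbursement_anomalies(buckets)
    # -> [("h08", 300000, 57500.0)]

    return {"login_decisions": decisions, "anomalies": anomalies}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The limiter rejects without recording the attempt so that a client hammering the endpoint cannot keep its own window from ever expiring; the anomaly check excludes flagged intervals from the baseline so that one spike does not raise the threshold for the next. Both are first-line signals, not substitutes for the idempotency fix itself.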
Day 13–14: Retested all findings. Wrote the board summary.
What the client now owns
A remediated system, a documented threat model, and a 6-month red-team retainer. They run quarterly penetration tests now. The CISO no longer gets called on Fridays about this.