CASE STUDIES · REAL RESULTS
What we found.What we fixed.
Real engagements with real clients. All cases were authorized for publication. Sensitive technical details were anonymized as agreed with each client.
BYD do Brasil Ltda.
AUTOMOTIVE INDUSTRY · MOBILITY TECHNOLOGY
CHALLENGE
The Challenge
With the introduction of luxury and high-performance models in the Brazilian market — characterized by massive connectivity and advanced ADAS/Autopilot systems — a critical need arose to validate the integrity of embedded systems. The central objective was to mitigate the risk of Remote Vehicle Hijacking in Software-Defined Vehicles, preventing malicious command injection that could seize control of telemetry, steering or braking, both at rest and in motion.
SOLUTION
The Solution
Vulnerability Analysis and Threat Hunting focused on the vehicle's electronic architecture and its external communication vectors.
Attack surface mapping focused on telematics entry points (4G/5G, Wi-Fi, Bluetooth) and physical interfaces serving as gateways to the vehicle's internal network, the CAN Bus.
Security technical debt identification through detection of weaknesses inherited from legacy automotive architectures, exposing unencrypted communication protocols and weak authentication mechanisms between ECUs.
Simulation of known exploits and common attack vectors against Infotainment (IVI) systems that could enable lateral movement to critical control systems.
RESULT
Results & Impact
Threat intelligence report critical for fleet protection and driver safety.
Precise identification of vulnerabilities that would allow remote code execution — from unauthorized unlocking to autopilot interference.
Foundation for redefining security policies, driving the need for network segmentation (automotive VLANs) and digital signatures between ECUs.
Early detection of flaws that prevented potential public safety incidents and mass recalls, protecting brand integrity in the premium segment.
Montreal Informática
IT / TECHNOLOGY SERVICES
CHALLENGE
The Challenge
After significant updates and new module implementations, the client needed a robust validation of their web application's security posture to identify and remediate misconfigurations before public exposure. The primary risk was the existence of undetected vulnerabilities that could lead to asset enumeration, session hijacking, or sensitive data leakage.
SOLUTION
The Solution
Passive and thorough pentest focused on Security Posture Assessment and Application Hardening.
Full port and service scan followed by detailed manual enumeration to map the application's attack surface.
Inspection of HTTP security headers, critical for defending web applications against common attacks.
Fingerprinting checks to identify MySQL database dumps and unnecessary exposed PHP endpoints.
RESULT
Results & Impact
Relatively robust security posture confirmed, with critical Security Header implementation flaws identified and remediated.
Immediate implementation of HTTP Strict-Transport-Security (HSTS) to enforce HTTPS and mitigate Sniffing and Man-in-the-Middle attacks.
Implementation of X-Content-Type-Options and Content Security Policy (CSP) to prevent XSS and incorrect MIME type exposure.
360° view of the application's exposure points, raising the site's default security level.
MRV&Co
CONSTRUCTION · REAL ESTATE
CHALLENGE
The Challenge
The company needed to validate the protection of a critical database containing PII and buyer credentials from a high-end real estate development. The scope was defined as a Black Box Pentest — no prior knowledge of the infrastructure — designed not only to identify software flaws, but to stress-test the internal security team's response capacity. The goal was to simulate a real threat actor attempting to compromise high-privilege accounts and exfiltrate sensitive data.
SOLUTION
The Solution
Adversary Simulation focused on authentication vectors and data integrity.
Detection of dump files and debug artifacts inadvertently left in the login page web root, exposing directory structure and internal logic.
Brute Force attacks, Man-in-the-Middle for in-transit credential interception, and RaaS (Ransomware as a Service) simulation — demonstrating how a ransomware kill chain would execute given the identified vulnerabilities.
Post-mortem audit to instruct security personnel, focusing on Incident Response and correcting insecure development practices.
RESULT
Results & Impact
Intervention that transformed the company's defensive posture, closing doors to devastating attacks.
Immediate removal of dump files and patching of code vulnerabilities enabling Remote Code Execution (RCE).
Implementation of Rate Limiting and session encryption improvements to mitigate Brute Force and MitM vectors.
Internal team trained to identify Indicators of Compromise earlier, drastically reducing detection and response time to real intrusion attempts.
Want results like these at your company?
Book a 30-minute scoping call. No sales theater. We'll tell you which engagement makes sense for your context.