Real engagements, told straight.
Curated case studies from Macksofy’s pentest, red team, DFIR and cloud-security work across India and the UAE. Every client is anonymised; every finding, timeline and metric is taken from the real engagement record.
Each card opens a long-form study — challenge, approach, findings, outcome and quantified metrics.
Chained BOLA + JWT alg=none in a listed fintech — full PII access surfaced and remediated before the next regulator filing
A BSE-listed digital lending platform asked Macksofy for a full-scope pentest ahead of a SEBI CSCRF audit. Within four days the team chained an authorization-bypass with a forged JWT to reach every customer's KYC and balance — fixed pre-filing.
Account-takeover at scale found in a GCC telecom's pre-launch app — fixed before public release
Two weeks before public launch, a Gulf-based mobile carrier asked Macksofy to pentest their refreshed customer app. We surfaced an API-key-in-shared-prefs flaw chained with an insecure deeplink that allowed silent account takeover for any customer who clicked a single SMS link.
Domain Admin in 4h 12m, undetected — a goal-based red team against a tier-1 listed Indian bank
The CISO asked one question: 'Can someone reach Domain Admin without our SOC raising a single ticket?' Nine weeks later we showed how — phishing, EDR bypass, lateral movement and DA in 4 hours and 12 minutes, with the SOC's only ticket auto-closed as a false positive.
LockBit variant contained in 11 hours — manufacturer back to 80% production within 72h of first encrypted file
A 1,400-employee manufacturer in Pune called Macksofy at 02:14 IST after a LockBit variant began encrypting file shares. Forensic team on-site by 06:30. Containment achieved at hour 11. Eighty per cent of production systems back online within 72 hours from clean backups.
Wildcard IAM on a single Lambda role gave admin-equivalent reach — closed pre-Series-C diligence
A Series-B B2B SaaS team in Bangalore needed an AWS audit before a Series-C technical-diligence call. Within day three Macksofy showed how a Lambda execution role with a wildcard IAM policy could be escalated to admin-equivalent — fixed inside a week with IaC guardrails added.
NoPac chained with Kerberoasting reached Domain Admin in 4 hours inside a BFSI MNC's internal AD
A multinational BFSI's Indian arm asked Macksofy for an assumed-breach internal pentest of its AD + Citrix estate. From a single low-privilege user, the team chained NoPac (CVE-2021-42278) with a Kerberoastable service account to reach Domain Admin in four hours.
We don’t name names.
Every case study on this page is anonymised by design. Sector, region, scale and engagement are accurate; the client identity is not. If you'd like a reference call with a named client in your sector, we'll arrange one privately under NDA.
Get a fixed-price proposal in 48 hours.
Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.
- CERT-In Empanelled
- EC-Council ATC · CompTIA Authorized
- 20,000+ professionals trained
- India + UAE engagements
