(929) 590-5818 [email protected]
en
en

Case Fraudline: Scheduled Pentest of a Whistleblowing Platform

Client:
Fraudline — a company specializing in ethical governance, corporate responsibility, and security solutions
Industry:
RegTech (Regulatory Technology)
Focus:
Protection of confidential information within a whistleblowing platform
Main challenge:
Conducting a security testing of the web platform and reviewing secure development practices as part of an annual audit
Market:
International segment
Services provided:
automated gray-box pentest, audit of secure coding practices, additional manual review of business logic
Key Takeaways
  • Identified 6 technical vulnerabilities: 5 low-risk and 1 informational
  • Performed additional manual testing of business logic
  • Used a custom Burp Suite extension for session handling
  • Conducted an automated gray-box pentest with user + admin roles
  • Prepared a technical report with recommendations and scheduled a retest
    • 6
    vulnerabilities identified
    2
    weeks — duration of the testing
    Burp Suite
    customized to fit project specifics
    Case Fraudline: Scheduled Pentest of a Whistleblowing Platform
    May 30, 2025
    Is a pentest necessary if the system runs smoothly? Absolutely. A scheduled security testing for Fraudline revealed vulnerabilities in business logic and protection settings. Since the client regularly tests the platform, potential risks were identified in advance.

    Fraudline is a mid-sized international company delivering solutions for ethical governance, compliance, and corporate security. Its products support whistleblowing processes in line with EU requirements.

    Operating in regulated industries, the company adheres to standards such as GDPR, ISO 27001, ISO 37001, and EU Directive 2019/1937, making web platform security a top priority.

    Objectives and challenges
    Fraudline approached Datami to conduct a scheduled automated pentest of their web application. The primary goal was to assess the security level of the platform, which processes confidential whistleblowing reports, and to identify vulnerabilities that could pose risks to regulatory compliance or reputation.
    • Conduct an automated gray-box pentest of the web application
    • Review the approach to secure code development
    • Deliver a detailed report with security improvement recommendations
    icon
    Penetration testing
    Gray-box testing with admin and user accounts
    icon
    Secure code audit
    Review of policies, processes, and automated code checks
    icon
    Reporting and recommendations
    Report on identified issues and remediation recommendations
    Datami methodology: Security testing for Fraudline
    Our approach

    For Fraudline, we conducted an automated gray-box penetration test. We used OWASP ZAP and Nessus, and to bypass non-standard authentication via HTTP headers, we developed and applied a custom Burp Suite extension.

    Following the automated testing, the Datami team had additional time available — so we went beyond the contractual scope and provided extra value to the client. We performed manual analysis of business logic, focusing on areas such as password changes and file uploads.

    Gray-box
    Gray-box
    Testing was conducted with admin and user roles, without access to the source code.
     
    Key project stages and solutions

    During the project, Datami performed automated security testing of the web platform and engineered a custom approach to handle non-standard client-side session management. In parallel, we conducted a review of secure development practices.

    Additionally, after completing the automated scan, we performed manual business logic testing, focusing on password change functionality and file upload mechanisms.

    • Preparation
      Analysis of initial data and access levels (user/admin), selection of testing tools, planning of test scenarios, creation of a custom extension for session handling in Burp Suite
    • Security testing
      Automated pentest, analysis of secure development and function logic (password change form, file uploads)
       
    • Analysis and reporting
      Structured report listing 6 vulnerabilities (low and informational severity), risk descriptions, and practical remediation recommendations
    Cybersecurity starts with action
    How we can help you?

    Every cybersecurity case study we solve involves deep analysis, tailored solutions, and measurable results.
    Datami has already helped over 600 companies strengthen their digital defenses — and we can do the same for your business.
    Ready to take action?

    Let’s start with a free consultation!
    Results and recommendations
    Fewer critical risks — more confidence
    Results and recommendations

    During the security testing of the Fraudline web platform, the Datami team identified 6 technical issues (5 low-severity vulnerabilities and 1 informational), primarily related to authorization logic and file upload functionality.

    Based on the findings, we compiled a detailed report and provided Fraudline with actionable recommendations to enhance digital security:

    1. Improve the password change mechanism (require current password input)
    2. Implement file type filtering for uploads
    3. Adjust the Content Security Policy
    4. Strengthen privileged role controls

    Once the recommendations are implemented, a reduction in data leakage risk is expected. A retest is planned to confirm the effectiveness of the improvements.

    Our certificates
    Key project outcomes

    As a result of the collaboration with Datami, Fraudline received a structured security report and a clear improvement plan.

    The project goals were achieved on time — within 2 weeks, including additional work such as manual business logic analysis.

    This case demonstrates that companies focused on ethical compliance and information security require regular security testing to maintain compliance with industry standards.

    Direction
    Before the project
    After implementation
    Security status
    Limited secure development review, logic-related risks
    6 vulnerabilities identified, recommendations provided
    Critical vulnerabilities
    Not detected before testing
    None found, but logic gaps in mechanisms were resolved
    Account compromise
    Risk for privileged roles
    Risk minimized through function restrictions
    Security compliance
    Partial alignment with expectations
    Increased transparency and functional security
    Timeline
    Estimated: 2 weeks
    Completed in 2 weeks (including additional manual logic analysis)
    More success stories with Datami
    Browse other project case studies
    P2P Platform Case Study: Comprehensive Security and GDPR Compliance Audit

    P2P Platform Case Study: Comprehensive Security and GDPR Compliance Audit

    • Identified 10 vulnerabilities, including 3 critical ones
    • Improved GDPR compliance and avoided potential financial losses of up to $300,000
    Services:
    Penetration testing, smart contract audit, code security review, testing for SQLi, XSS, and RCE vulnerabilities, OSINT analysis, and cloud infrastructure security assessment
    May 27, 2025
    Case Study Grindset Software: Payment System Pentest for PCI DSS Compliance

    Case Study Grindset Software: Payment System Pentest for PCI DSS Compliance

    • Conducted a black-box penetration test of critical payment system components
    • Discovered 15 vulnerabilities; 5 critical issues were resolved within 48 hours
    Services:
    Black-box penetration testing of the payment system, including assessment of web applications, servers, databases, and communication channels
    May 11, 2025
    Case Study: DAVITOO UKRAINE – LMS Security Testing Before HIPAA Certification

    Case Study: DAVITOO UKRAINE – LMS Security Testing Before HIPAA Certification

    • Completed a full security audit and gray-box penetration test of LMS Collaborator
    • Identified 15 vulnerabilities, including 5 critical issues, resolved within 24 hours
    Services:
    Gray-box penetration testing and security audit of the web platform, containerized environments, and network interactions
    May 11, 2025
    Back to all cases
    Security image
    Ready to assess your project's security?
    Contact Datami — we’ll help you identify risks, strengthen your cybersecurity, and confidently pass certification.
    Datami articles
    Top 10 Cyberattacks That Brought Global Corporations to a Halt Datami Newsroom
    Datami Newsroom

    Top 10 Cyberattacks That Brought Global Corporations to a Halt

    Cyberattacks today pose a serious threat not only to individual users but also to global corporations. Criminals use increasingly sophisticated methods, causing companies billions in losses and disrupting the operation of critical systems.

    Jun 17, 2025 3 min
    Datami at the Barcelona Cybersecurity Congress 2025: New Horizons in Cybersecurity Datami Newsroom
    Datami Newsroom

    Datami at the Barcelona Cybersecurity Congress 2025: New Horizons in Cybersecurity

    Datami took part in the Barcelona Cybersecurity Congress 2025, one of Europe’s key events dedicated to cybersecurity innovations and technologies.

    Jun 3, 2025
    Why Your Smartphone Is at Risk: 5 Common Myths About Mobile Security Datami Newsroom
    Datami Newsroom

    Why Your Smartphone Is at Risk: 5 Common Myths About Mobile Security

    Most of us take careful care of our smartphones, protecting them from scratches, drops, or other physical damage. But when it comes to digital security, many people ignore potential threats. Cybercriminals eagerly take advantage of this negligence...

    Jun 3, 2025 5 min
    Show all articles
    Order a free consulidation
    By submitting this form, I confirm that I have read and agree to the Privacy policy
    We value your privacy
    We use cookies to enhance your browsing experience, serve personalized ads or content, and analyze our traffic. By clicking "Accept All", you consent to our use of cookies. Cookie policy