(929) 590-5818 [email protected]
en
en

Case Fraudline: Scheduled Pentest of a Whistleblowing Platform

Client:
Fraudline — a company specializing in ethical governance, corporate responsibility, and security solutions
Industry:
RegTech (Regulatory Technology)
Focus:
Protection of confidential information within a whistleblowing platform
Main challenge:
Conducting a security testing of the web platform and reviewing secure development practices as part of an annual audit
Market:
International segment
Services provided:
automated gray-box pentest, audit of secure coding practices, additional manual review of business logic
Key Takeaways
  • Identified 6 technical vulnerabilities: 5 low-risk and 1 informational
  • Performed additional manual testing of business logic
  • Used a custom Burp Suite extension for session handling
  • Conducted an automated gray-box pentest with user + admin roles
  • Prepared a technical report with recommendations and scheduled a retest
    • 6
    vulnerabilities identified
    2
    weeks — duration of the testing
    Burp Suite
    customized to fit project specifics
    Case Fraudline: Scheduled Pentest of a Whistleblowing Platform
    May 16, 2025
    Is a pentest necessary if the system runs smoothly? Absolutely. A scheduled security testing for Fraudline revealed vulnerabilities in business logic and protection settings. Since the client regularly tests the platform, potential risks were identified in advance.

    Fraudline is a mid-sized international company delivering solutions for ethical governance, compliance, and corporate security. Its products support whistleblowing processes in line with EU requirements.

    Operating in regulated industries, the company adheres to standards such as GDPR, ISO 27001, ISO 37001, and EU Directive 2019/1937, making web platform security a top priority.

    Objectives and challenges
    Fraudline approached Datami to conduct a scheduled automated pentest of their web application. The primary goal was to assess the security level of the platform, which processes confidential whistleblowing reports, and to identify vulnerabilities that could pose risks to regulatory compliance or reputation.
    • Conduct an automated gray-box pentest of the web application
    • Review the approach to secure code development
    • Deliver a detailed report with security improvement recommendations
    icon
    Penetration testing
    Gray-box testing with admin and user accounts
    icon
    Secure code audit
    Review of policies, processes, and automated code checks
    icon
    Reporting and recommendations
    Report on identified issues and remediation recommendations
    Datami methodology: Security testing for Fraudline
    Our approach

    For Fraudline, we conducted an automated gray-box penetration test. We used OWASP ZAP and Nessus, and to bypass non-standard authentication via HTTP headers, we developed and applied a custom Burp Suite extension.

    Following the automated testing, the Datami team had additional time available — so we went beyond the contractual scope and provided extra value to the client. We performed manual analysis of business logic, focusing on areas such as password changes and file uploads.

    Gray-box
    Gray-box
    Testing was conducted with admin and user roles, without access to the source code.
     
    Key project stages and solutions

    During the project, Datami performed automated security testing of the web platform and engineered a custom approach to handle non-standard client-side session management. In parallel, we conducted a review of secure development practices.

    Additionally, after completing the automated scan, we performed manual business logic testing, focusing on password change functionality and file upload mechanisms.

    • Preparation
      Analysis of initial data and access levels (user/admin), selection of testing tools, planning of test scenarios, creation of a custom extension for session handling in Burp Suite
    • Security testing
      Automated pentest, analysis of secure development and function logic (password change form, file uploads)
       
    • Analysis and reporting
      Structured report listing 6 vulnerabilities (low and informational severity), risk descriptions, and practical remediation recommendations
    Cybersecurity starts with action
    How we can help you?

    Every cybersecurity case study we solve involves deep analysis, tailored solutions, and measurable results.
    Datami has already helped over 600 companies strengthen their digital defenses — and we can do the same for your business.
    Ready to take action?

    Let’s start with a free consultation!
    Results and recommendations
    Fewer critical risks — more confidence
    Results and recommendations

    During the security testing of the Fraudline web platform, the Datami team identified 6 technical issues (5 low-severity vulnerabilities and 1 informational), primarily related to authorization logic and file upload functionality.

    Based on the findings, we compiled a detailed report and provided Fraudline with actionable recommendations to enhance digital security:

    1. Improve the password change mechanism (require current password input)
    2. Implement file type filtering for uploads
    3. Adjust the Content Security Policy
    4. Strengthen privileged role controls

    Once the recommendations are implemented, a reduction in data leakage risk is expected. A retest is planned to confirm the effectiveness of the improvements.

    Our certificates
    Key project outcomes

    As a result of the collaboration with Datami, Fraudline received a structured security report and a clear improvement plan.

    The project goals were achieved on time — within 2 weeks, including additional work such as manual business logic analysis.

    This case demonstrates that companies focused on ethical compliance and information security require regular security testing to maintain compliance with industry standards.

    Direction
    Before the project
    After implementation
    Security status
    Limited secure development review, logic-related risks
    6 vulnerabilities identified, recommendations provided
    Critical vulnerabilities
    Not detected before testing
    None found, but logic gaps in mechanisms were resolved
    Account compromise
    Risk for privileged roles
    Risk minimized through function restrictions
    Security compliance
    Partial alignment with expectations
    Increased transparency and functional security
    Timeline
    Estimated: 2 weeks
    Completed in 2 weeks (including additional manual logic analysis)
    More success stories with Datami
    Browse other project case studies
    Pentest and Protection of Platform from DDoS

    Pentest and Protection of Platform from DDoS

    • Discovered 30 vulnerabilities in two web applications
    • Implemented DataGuard and Cloudflare for DDoS protection
    Services:
    Black-box web app pentesting, implementation of Dataguard
    Jul 8, 2025
    P2P Platform Case Study: Comprehensive Security and GDPR Compliance Audit

    P2P Platform Case Study: Comprehensive Security and GDPR Compliance Audit

    • Identified 10 vulnerabilities, including 3 critical ones
    • Improved GDPR compliance and avoided potential financial losses of up to $300,000
    Services:
    Penetration testing, smart contract audit, code security review, testing for SQLi, XSS, and RCE vulnerabilities, OSINT analysis, and cloud infrastructure security assessment
    Jun 27, 2025
    Case Study: Consulting Company – Security Testing of Web Resources and Infrastructure

    Case Study: Consulting Company – Security Testing of Web Resources and Infrastructure

    • Conducted black-box pentest of two web resources and infrastructure components
    • Identified 19 vulnerabilities: 1 critical, 8 medium, 7 low, and 3 informational
    Services:
    Black-box pentest of two web resources with different domain zones (UA and UK), and assessment of related infrastructure components
    Jun 6, 2025
    Back to all cases
    Security image
    Ready to assess your project's security?
    Contact Datami — we’ll help you identify risks, strengthen your cybersecurity, and confidently pass certification.
    Datami articles
    First Penetration Test: 7 Unexpected Takeaways for Clients Datami Newsroom
    Datami Newsroom

    First Penetration Test: 7 Unexpected Takeaways for Clients

    Many companies postpone penetration testing due to various fears and misconceptions. However, once they decide to conduct their first test, they receive unexpected results.

    Jul 11, 2025 3 min
    The Enemy Within: Top 5 Insider Cyber Threats for Companies in 2025 Datami Newsroom
    Datami Newsroom

    The Enemy Within: Top 5 Insider Cyber Threats for Companies in 2025

    Company leaders often greatly underestimate insider cyber threats - yet it is employee actions, even unintentional ones, that can lead to catastrophic consequences.

    Jul 8, 2025 3 min
    Top 5 Companies That Refused to Pay Hackers a Ransom Datami Newsroom
    Datami Newsroom

    Top 5 Companies That Refused to Pay Hackers a Ransom

    In May 2025, hackers breached Coinbase, stole data, and demanded a ransom. But the crypto exchange turned to law enforcement for help. This is just one example of how companies are standing up to cyber extortion.

    Jul 4, 2025 3 min
    Show all articles
    Order a free consultation
    By submitting this form, I confirm that I have read and agree to the Privacy policy
    We value your privacy
    We use cookies to enhance your browsing experience, serve personalized ads or content, and analyze our traffic. By clicking "Accept All", you consent to our use of cookies. Cookie policy