Cyber Army

SaaS & Platforms

We help B2B SaaS and platform teams protect customer data at scale. Our focus: multi-tenant isolation, RBAC/ABAC done right, SSO/SCIM, API & webhook security, rate limiting & abuse defenses, and CI/CD supply chain hardening.

Why it matters

  • Prove tenant isolation to enterprise buyers
  • Prevent cross-tenant data access and privilege creep
  • Secure SSO/SAML/OIDC and lifecycle via SCIM
  • Stop enumeration, carding, and bulk-scrape abuse
  • Reduce pipeline/secret leaks in CI/CD
  • Deliver audit-friendly evidence (SOC 2/ISO 27001)

What we test

  • Multi-tenant isolation: org/tenant scoping, RLS/filters, cross-tenant IDOR, cache key isolation, object storage prefixing, export/report scoping, background jobs and webhooks executing in the correct tenant.
  • RBAC/ABAC: role definitions and custom roles, permission checks on every path, policy bypass (mass assignment, hidden fields), “support/admin” break-glass review.
  • Authentication & SSO/SCIM: OIDC/SAML flows, JIT provisioning, role mapping, IdP-initiated risks, fallback/password bypass of SSO, SCIM deprovision drift, session fixation/CSRF.
  • APIs & webhooks: BOLA/BFLA, rate limiting and anomaly detection, idempotency keys, pagination/snapshot leaks, webhook signature verification, replay/timestamp windows, outbound SSRF.
  • Abuse & resilience: org/user discovery, invite/reset flows, trial/plan abuse, burst scraping, GraphQL depth/complexity limits, feature flag gating of admin actions.
  • CI/CD & supply chain: secret hygiene in repos/images/logs, build isolation, provenance/signing (e.g., Sigstore), dependency pinning/SBOM, OIDC to cloud with least privilege, environment drift and artifact exposure.
  • Cloud & data: IAM least privilege, KMS, backups/snapshots, data residency and deletion, audit log integrity, network segmentation, egress controls.

Sample test cases

  • Cross-tenant read via ?tenantId= tampering or missing row filters
  • SSO enabled but local password still active for admins (SSO bypass)
  • SCIM deprovisioned user retains API token or session
  • BOLA: access another tenant’s resources by guessing IDs/UUIDs
  • Webhook replay or signature bypass routes events to the wrong tenant
  • GraphQL query without depth/cost limits → high-cost enumeration
  • GitHub Actions OIDC mis-scope grants prod cloud access to CI
  • Object storage prefix traversal leaks other tenants’ exports
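As an added illustration of the webhook checks listed above (example code, not Cyber Army's own tooling), this verifier binds each signature to the receiving tenant's secret, enforces a timestamp window, and rejects replayed event IDs, so an event signed for one tenant cannot be routed to another. Header names, secret values and the tolerance are constructed assumptions.

```python
import hmac
import hashlib
import time

# Constructed placeholders: one shared HMAC secret per tenant (in practice, from a secret store).
TENANT_SECRETS = {"tenant-a": b"placeholder-secret-a", "tenant-b": b"placeholder-secret-b"}
TOLERANCE_SECONDS = 300  # assumed acceptable clock skew / delivery delay


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>' so the timestamp cannot be altered."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def verify_webhook(tenant_id: str, headers: dict, body: bytes, seen_ids: set, now=None):
    """Return (ok, reason). seen_ids is the receiver's replay cache of (tenant, event id)."""
    now = int(time.time()) if now is None else now
    secret = TENANT_SECRETS.get(tenant_id)
    if secret is None:
        return False, "unknown tenant"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    # Reject deliveries outside the window before doing any tenant-scoped work.
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "timestamp outside window"
    expected = sign(secret, ts, body)
    # Constant-time comparison; a signature made with another tenant's secret fails here.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    event_id = headers.get("X-Event-Id", "")
    if not event_id:
        return False, "missing event id"
    key = (tenant_id, event_id)
    if key in seen_ids:
        return False, "replay"
    seen_ids.add(key)
    return True, "ok"
```

The replay cache only needs to hold IDs for roughly the tolerance window, since older timestamps are already rejected.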

What you get

  • Proof-of-exploit with safe evidence
  • Reproduction steps engineers can follow
  • Fix-first guidance with code/config examples
  • Severity mapped to tenant-breakout and business impact
  • Executive summary + audit-friendly artifacts (SOC 2/ISO 27001)
  • Rapid re-test to verify remediation

Who we’re best for

B2B SaaS and platforms, marketplaces, devtools, data/AI platforms, and products with enterprise SSO, custom roles, and webhook ecosystems.