Penetration test summary
Public summary of Pondral's most recent independent application and infrastructure penetration test.
Scope
Production application (web, API), authentication and authorization flows, multi-tenant isolation, audit-pipeline workers, and supporting AWS infrastructure (VPC, IAM, KMS, S3, RDS).
Out of scope: third-party AI engines under audit, customer-controlled integrations, and social-engineering attacks against personnel.
Methodology
Grey-box testing over a two-week engagement. Testing aligned to OWASP ASVS Level 2 and OWASP API Security Top 10 (2023). Authenticated and unauthenticated paths exercised.
Conducted by an independent third-party firm with credentialed offensive-security staff. Final report delivered with executive summary, technical findings, and remediation guidance.
Findings summary
The single high-severity finding was a tenant-isolation edge case in a deprecated API path; it was patched within 48 hours and the fix was verified by retest. No customer data was accessed at any point.
| Severity | Found | Remediated | Status |
|---|---|---|---|
| Critical | 0 | — | — |
| High | 1 | 1 | Closed |
| Medium | 3 | 3 | Closed |
| Low | 4 | 4 | Closed |
| Informational | 6 | 5 | 1 accepted |
Retest
All Critical, High, Medium, and Low findings were retested and confirmed remediated by the original assessor. The retest letter is available under NDA.
Next test
Q1 2027. Continuous dependency scanning runs in the interim, with same-day patches for any critical CVE in our supply chain.