Logic Layer Solution
logiclayersolution.uk
Security · 2024

Northwind — pen-test & hardening

Full-scope penetration test and production hardening engagement for a Series B fintech processing $40M/month.

Client: Northwind Labs
Industry: Fintech · Payments
Duration: 12 weeks (incl. 90-day retainer)
Year: 2024
Stack: OWASP · WAF · SOC 2
sec.northwind / audit-report
Hardening report: all severities closed (Pass)
Critical 0 · High 0 · Med 0 · Low 0
Finding / Status
  • Outdated TLS 1.0 endpoint detected · Fixed
  • Missing CSP on /admin · Fixed
  • Stale dependency: lodash 4.17 · Patched
  • MFA recommended for service accts · Enforced
Fig. 01 — Production UI · 2024 · Northwind Labs
Year: 2024
Category: Security · 2024
Stack: OWASP · WAF · SOC 2
Scope
  • Grey-box web app pen-test
  • Cloud infrastructure review (AWS)
  • WAF + header hardening
  • 90-day remediation retainer
  • Engineering ticket pipeline integration
The challenge

What they needed to solve.

Northwind was preparing for SOC 2 Type II and needed to close critical gaps before their audit window. The previous pen-test report was 240 pages and had been gathering dust in a Notion archive for 18 months.

Our solution

How we approached it.

A three-phase engagement: grey-box web application pen-test, cloud infrastructure review, and a 90-day remediation retainer. Every finding mapped to a CVSS score, a concrete engineering ticket, and a clear rationale for why it matters this quarter versus next.

Web design

Design decisions.

Palette
#0b0a08
#e0622a
#f59e0b
#10b981
#dc2626
Typography
  • Söhne Mono — report body
  • Söhne Breit — exec summary
Layout system

Findings ranked by impact × exploitability. Each finding is a single Jira-ready page, not a chapter.

Design highlights
  • Engineering-readable report (≤ 60 pages)
  • Findings exported as Jira tickets via API
  • Re-test included for every critical / high
Before · After

What changed.

Fig. 02 — Drag handle to reveal before / after · Northwind Labs
Before
sec.northwind / audit-report
Audit findings: 0 of 12 remediated (Fail)
Critical 3 · High 4 · Med 3 · Low 2
Finding / Status
  • SQLi in checkout.php?id= · Open
  • XSS reflected on /search · Open
  • Open S3 bucket: backups-prod · Open
  • Weak admin password policy · Open

240-page PDF report, no engineering action plan, no Jira tickets, no re-test included, blocked SOC 2 timeline.

Critical findings open: 14
Median time-to-fix: 62 days
WAF coverage: Off
SOC 2 readiness: Blocked
After

Engineering-readable report, Jira tickets, full WAF, re-tests, SOC 2 Type II passed first attempt.

Critical findings open: 0
Median time-to-fix: 8 days
WAF coverage: Full
SOC 2 readiness: Achieved
Results

What we measured.

01 · 14 critical findings remediated pre-audit
02 · SOC 2 Type II achieved first attempt
03 · WAF blocking 2,400+ automated attacks/day
04 · Median time-to-fix dropped to 8 days