Valtik Studios
Case Studies

What the work actually looks like

Anonymized engagement write-ups. Scope, findings, outcome, timeline, cost. Names composited across multiple clients; every finding pattern is real.

We do not publish identifying client information without explicit written permission. The stories below are pattern-true but deliberately non-attributable. If you want a reference contact before signing, ask on a scoping call and we will connect you to a client who has opted in to give references.

Supabase Security Review

Next.js + Supabase SaaS, pre-Series-A security review

Client profile

Early-stage B2B SaaS. 8 engineers, seed-round funded. Customer data model involved multi-tenant isolation with RLS on every public-schema table. Next.js 15 on Vercel, Clerk for auth, Stripe for billing, Inngest for background jobs.

Engagement shape

Four-week fixed-fee Supabase-focused security review, triggered by inbound due-diligence questionnaires from a lead investor for Series A.

Scope covered
  • Row Level Security policy audit across all 14 tables in public schema
  • SECURITY DEFINER RPC review for caller-controlled tenant IDs
  • GraphQL Mutation surface enumeration + introspection control review
  • Storage bucket policy audit for cross-tenant read / list exposure
  • Realtime channel authorization (postgres_changes + broadcast)
  • Next.js /api route handler CSRF, IDOR, mass-assignment probing
  • Stripe webhook forgery + pre-auth billing portal enumeration
  • Inngest signing-key enforcement on PUT/POST
  • JS bundle grep for leaked service_role keys + secrets

What we found
  • 2 HIGH: SECURITY DEFINER RPC accepted caller-controlled account_id parameter → cross-tenant write
  • 2 HIGH: /api/me accepted DELETE without re-auth or CSRF defense → account wipe in a single HTTP request
  • 1 MEDIUM: Stripe portal session generation allowed on accounts without active subscription
  • 6 LOW: GraphQL introspection exposed full schema to authenticated role; PostgREST schema-hint oracle; stack trace in /api error response
  • What they did well: RLS on accounts UPDATE was correctly locked to column-granular; Stripe webhook signature enforced; Inngest signing key enforced
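The two HIGH findings above share one root cause: a state-changing, cookie-authenticated route that trusts what the caller sends (no CSRF defense, no re-auth for a destructive action, and a tenant identifier taken from the request instead of the session). The guard below is an added example, not Valtik's or the client's code; it is framework-agnostic, so the Next.js route wiring is omitted and the handler passes a plain request description. The allowed origin, the 5-minute re-auth window and every function name are assumptions.

```javascript
// Added example (not the client's code): guard for a destructive route such as
// DELETE /api/me. Names, the allowed origin and the re-auth window are assumed.

const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumed app origin
const REAUTH_MAX_AGE_MS = 5 * 60 * 1000;                      // assumed policy

// Origin check: browsers attach Origin to cross-site POST/PUT/DELETE requests and
// usually Referer otherwise; a request carrying neither is treated as untrusted.
// Header keys are lowercase, as Node delivers them.
function originAllowed(headers) {
  let origin = headers["origin"];
  if (!origin && headers["referer"]) {
    try { origin = new URL(headers["referer"]).origin; } catch { origin = undefined; }
  }
  return origin !== undefined && ALLOWED_ORIGINS.has(origin);
}

// Decides whether a destructive request may proceed and which account it may touch.
// req = { method, headers, body }; session = { userId, accountId, lastReauthAt }
// loaded from the server-side session store, never from the request.
function guardDestructiveRequest(req, session, now = Date.now()) {
  if (!session) return { ok: false, status: 401, reason: "unauthenticated" };
  if (!["DELETE", "POST", "PUT", "PATCH"].includes(req.method)) {
    return { ok: false, status: 405, reason: "method" };
  }
  if (!originAllowed(req.headers)) return { ok: false, status: 403, reason: "bad-origin" };
  // Fetch Metadata: when the browser labels the request, only same-origin is accepted.
  const site = req.headers["sec-fetch-site"];
  if (site !== undefined && site !== "same-origin") {
    return { ok: false, status: 403, reason: "cross-site" };
  }
  // A destructive action requires a recent password / second-factor confirmation.
  if (now - session.lastReauthAt > REAUTH_MAX_AGE_MS) {
    return { ok: false, status: 403, reason: "reauth-required" };
  }
  // Tenant scope comes from the session; any account_id in the body is ignored.
  return { ok: true, accountId: session.accountId };
}

// Illustrative handler built on the guard, against an in-memory account store
// (a Map keyed by account id) standing in for the database.
function deleteAccountHandler(store, req, session, now = Date.now()) {
  const verdict = guardDestructiveRequest(req, session, now);
  if (!verdict.ok) return { status: verdict.status, body: { error: verdict.reason } };
  store.delete(verdict.accountId);
  return { status: 204, body: null };
}
```

The same rule applies to the SECURITY DEFINER RPC finding: whatever the transport, the tenant id used for the write has to be derived server-side from the authenticated identity, and a caller-supplied `account_id` is at most compared against it, never used directly.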

Outcome

All findings fixed within 14 days. Retest performed. Report accompanied their Series A diligence package. Series A closed on schedule.

Timeline
4 weeks active + 1 week report + 1 week retest
Fee
$6,500

HIPAA Security Assessment

HIPAA security assessment for a multi-location physician practice

Client profile

Multi-location physician practice. Four clinics. Approximately 35,000 active patient records in a cloud-hosted EHR. Internal IT handled by a small MSP. Security Rule risk analysis had last been updated in 2019.

Engagement shape

Five-week fixed-fee HIPAA security assessment, triggered by an insurance renewal and an upcoming OCR cybersecurity performance review audit.

Scope covered
  • Risk analysis refresh aligned to 45 CFR 164.308(a)(1)(ii)(A)
  • Administrative safeguards review (workforce training, sanction, contingency plans)
  • Physical safeguards walkthrough (workstation use, facility access)
  • Technical safeguards audit (MFA coverage, encryption, audit logs)
  • Active pentest of patient-portal, EHR access paths, staff email
  • Business-associate agreement review for 12 existing BAs
  • Corrective-action-plan template aligned to OCR enforcement framework

What we found
  • 4 HIGH: patient portal allowed session fixation; staff email lacked MFA on 6 admin accounts; backup provider BAA had no encryption clause; EHR audit log retention was 90 days, not the 6 years 164.312(b) wants
  • 8 MEDIUM: workstation auto-lock misconfigured across locations; contingency plan had never been tested; 3 BAs had expired insurance certificates on file
  • 15 LOW: training records sparse; sanction policy not enforced

Outcome

Written risk analysis accepted by cyber insurer at renewal. MFA and audit-log retention remediated in 30 days. OCR performance review went through without escalation. Practice re-engaged us for annual refresh on retainer.

Timeline
5 weeks active + 1 week report
Fee
$8,500

SOC 2 Readiness

SOC 2 Type II pre-audit + pentest for a 24-person fintech

Client profile

Fintech handling consumer lending decisions. 24 employees. Series A completed 11 months prior. First enterprise customer signed with a 90-day SOC 2 Type II completion requirement written into the contract.

Engagement shape

Combined readiness assessment and penetration test delivered in parallel, on a tight 10-week window before the auditor kickoff.

Scope covered
  • Control-evidence gap analysis against all AICPA Trust Services Criteria
  • Penetration test of primary SaaS application + API
  • Cloud posture review (AWS account baseline: IAM, KMS, CloudTrail, GuardDuty, Config)
  • Vendor security-documentation review for subprocessors
  • Policy suite drafting (information security, access control, incident response, business continuity)
  • Auditor liaison: evidence package format, artifact collection cadence

What we found
  • Control gaps: no formal access review cadence; logging retention below auditor expectations; incident response plan existed but had never been tested
  • Pentest: 3 MEDIUM (IDOR in admin-impersonation feature, rate-limit bypass on login, session-fixation on magic-link flow), 5 LOW
  • Cloud posture: root account MFA missing; CloudTrail not configured to S3 with object-lock; 4 IAM users with AdministratorAccess

Outcome

All HIGH and MEDIUM findings closed before auditor kickoff. Policies and evidence package delivered to auditor on day one. Audit opinion: unqualified SOC 2 Type II within the contractual 90-day window. Enterprise contract signed. Client retained for annual refresh.

Timeline
10 weeks parallel (readiness + pentest) + 4 weeks auditor engagement
Fee
$22,000 combined

PCI DSS 4.0 Pentest

PCI DSS 4.0 script-inventory compliance for an e-commerce merchant

Client profile

DTC e-commerce merchant on Shopify Plus with a custom React storefront. Processing approximately 8,000 orders per month. First SAQ A-EP annual validation due under PCI DSS 4.0 with newly-enforced Requirements 6.4.3 and 11.6.1 (payment-page script inventory + change detection).

Engagement shape

Focused engagement on the two new payment-page requirements, delivered as a three-week fixed-fee readiness + tooling deployment.

Scope covered
  • Discovery of every third-party script loaded on the Shopify checkout + custom storefront pages
  • Justification documentation per script (marketing, analytics, payments, fraud, etc.)
  • Integrity validation mechanism selection (SRI, CSP, HTTP response monitoring)
  • Change-detection tooling deployment for 11.6.1
  • SAQ A-EP documentation mapping

What we found
  • 46 third-party scripts loaded across checkout + high-value pages
  • 12 scripts had no documented business justification
  • 5 scripts came from vendors no longer in active commercial relationship
  • 2 scripts loaded from shared-hosting domains (supply-chain exposure)
  • No mechanism existed to detect if any of the 46 scripts changed

Outcome

Script inventory documented to SAQ A-EP standard. 17 scripts removed. Remaining 29 scripts put on change-detection monitoring via a lightweight open-source tool we deployed for them. QSA accepted the control set at annual validation. Tool remains in place on a monthly retainer.

Timeline
3 weeks fixed-fee + monthly retainer thereafter
Fee
$3,500 + $500/mo retainer

Want a reference call before signing?

Several of our past clients have opted in to give references to prospective engagements. Ask during your scoping call and we will make the introduction after checking the context fits theirs.

Start a scoping call