TRINETRA · Case files · Vol. IV · Iss. 12 · India edition

CASE FILES.

Engagements measured by what stayed closed. Anonymised where commercial details would identify the client. Otherwise, on the record.

8 files in this issue · 9d median time-to-evidence · 100% retest closure on critical · 12+ sectors covered
01 · File · TCD-0421

A multi-tenant SaaS, fourteen days, two IDORs, and a series B that closed without footnotes.

"We re-scoped the engagement on day three. The auth boundary was not where the team thought it was."

The engagement landed mid-Series-B diligence. The platform — a multi-tenant analytics product for retail brands — had passed a CRO vendor scan three months earlier and the investor lead-counsel was asking why a deeper audit was not already in the data room.

Day one: asset confirmation. Day three: we re-scoped after the tenant isolation boundary turned out to live in a microservice the original asset list did not include. Day six: first critical IDOR — cross-tenant data exposure via a partner-API endpoint. Day eight: stored-XSS chain into the admin surface, demonstrated against a sandboxed admin user with full chain-of-custody capture.

Both critical findings closed before retest. Insurer requirements signed off in week four. The data room got the closure statement, not the report. The deal closed.

Two critical findings. Zero open at retest.
02 · File · TCD-0398

Eleven quarters, one BFSI vendor, zero regulator findings escalated upstream.

"Rolling-scope means we are scoping next quarter while the current one is in retest. The vendor file never goes cold."

A mid-market payment aggregator engaged Trinetra on a quarterly cadence after their prior vendor produced an 80-page deliverable that landed badly in SEBI review. We re-architected the program around the actual review process: which sections regulators read first, what evidence formats they accept, where the previous report had stalled.

Eleven quarters in, the program covers infrastructure drift, pre-release audits, vendor stack reviews, and IR tabletop exercises. Reports map line-by-line to SEBI VAPT format. The compliance officer reviews finalised deliverables before submission; we have not had a single revision request escalated upstream.

When the firm renewed cyber insurance last cycle, the underwriter accepted the most recent Trinetra closure statement in lieu of additional documentation. That alone offset two quarters of program fee.

03 · File · TCD-0414

Thirty-eight lookalike domains. Ninety days. Counsel-ready artifact pack handed to in-house legal.

"The takedown loop is boring. That is what makes it work — every artifact is reusable for the next registration."

A D2C beauty brand reached out after a customer complaint chain on Instagram traced back to a phishing site running on a typosquatted domain. The brief was simple: figure out the surface area.

Inventory came back at 38 lookalike registrations in 90 days — homoglyphs, TLD variants, brand-plus-suffix patterns. Twelve were serving active phishing kits; seventeen were holding for later use; nine were unrelated cybersquatting. We fingerprinted the kit family, mapped the registrars, and built a counsel-ready artifact pack with WHOIS captures, timestamped page renders, and registrar abuse-channel templates.

Their in-house counsel ran 31 takedowns off our pack with no further investigation needed from our side. The remaining seven were monitored; six expired without re-registration.

Thirty-eight registrations. Thirty-one takedowns. One playbook.
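As an added illustration of the triage behind that inventory (example code, not Trinetra's tooling), a small Python routine that sorts observed registrations into the categories named above: homoglyph, TLD variant, brand-plus-suffix, with an extra "brand_embedded" tag for brand strings appearing mid-label. The brand domain, the confusables table and the observed list are all constructed.

```python
from collections import Counter

# Confusable sequences a registrant may swap in for brand characters.
# Constructed, deliberately short table; production monitoring would use
# a full confusables list. The brand label is assumed to contain none of
# these sequences itself.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "8": "b"}

# Constructed sample of registrations seen against a hypothetical brand.
BRAND = "glowbrand.in"
SAMPLE_OBSERVED = [
    "g1owbrand.in", "glovvbrand.in", "glowbrand.co", "glowbrand.com",
    "glowbrand-login.in", "gl0wbrand-offers.com", "shopglowbrand.in", "beautyshop.in",
]


def fold_confusables(label: str) -> str:
    """Rewrite confusable sequences to the letters they imitate (longest first)."""
    for fake, real in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(fake, real)
    return label


def split_domain(domain: str) -> tuple[str, str]:
    """Return (registrable label, suffix). Handles plain TLDs and co.<cc>-style
    suffixes only; a real implementation would consult the Public Suffix List."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "com", "net", "org"}:
        return parts[-3], ".".join(parts[-2:])
    return parts[-2], parts[-1]


def classify(brand: str, observed: str) -> list[str]:
    """Tag one observed registration against the brand's apex domain.
    An empty list means no lookalike signal (likely unrelated squatting)."""
    brand_label, brand_tld = split_domain(brand)
    label, tld = split_domain(observed)
    tags = []
    folded = fold_confusables(label)
    if folded != label and brand_label in folded:
        tags.append("homoglyph")
        label = folded  # continue classification on the imitated spelling
    if label == brand_label:
        if tld != brand_tld:
            tags.append("tld_variant")
    elif label.startswith(brand_label):
        tags.append("brand_suffix")
    elif brand_label in label:
        tags.append("brand_embedded")
    return tags


def inventory(brand: str, observed: list[str]) -> Counter:
    """Count registrations by their primary tag; 'unrelated' when nothing matched."""
    return Counter((classify(brand, d) or ["unrelated"])[0] for d in observed)
```

Running `inventory(BRAND, SAMPLE_OBSERVED)` gives the bucketed counts a takedown pack is organised around; the per-domain tags feed the registrar abuse template chosen for each entry.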
04 · File · TCD-0387

A logistics SaaS, a near-miss credential-stuffing wave, and a six-week identity rewrite.

"The retest was the deliverable. The report was the audit trail."

A logistics SaaS noticed elevated login failures across their B2B portal — a credential-stuffing campaign against partner accounts that had not yet broken through. They had two weeks before peak shipping season and an identity boundary built three years earlier for a different threat model.

Trinetra ran a hardening review across the identity stack — MFA enforcement gaps, session token rotation, password reset velocity, and the third-party SSO integration that turned out to be the actual weak point. Five high findings; all remediable in their existing sprint capacity.

Identity boundary rewritten in six weeks. Retest closed all five highs. Peak season ran without incident; partner login failures dropped by an order of magnitude.

05 · File · TCD-0376

A nine-month timeline, reconstructed from cloud and identity logs, hand-delivered to counsel.

"Forensics is just patience with timestamps. Every event has a story; you write them down in order."

A healthtech platform retained Trinetra after a former employee was suspected of exfiltrating patient cohort data over a multi-month window prior to departure. Counsel needed a timeline that could survive cross-examination.

We pulled identity provider logs, cloud audit trails, application access logs, and endpoint telemetry, and cross-referenced them against HR records, project assignments, and travel logs to anchor activity windows. Nine months of activity were reconstructed, including the three instances where access was clearly within scope and the four where it was not.

Chain-of-custody artifacts were handed to the litigation team. The case did not go to court; the settlement was reached on the back of the timeline alone.

06 · File · TCD-0359

Two weeks against an internal admin surface. Lateral path to data tier. ATT&CK map to the SOC.

"They asked us to assume initial access. By day four, we had the data tier. The SOC had thirty new detection rules by day fifteen."

A public-infrastructure-adjacent vendor commissioned a two-week assumed-breach engagement. The premise: a phishing-led initial foothold on a standard employee endpoint. The objective: see how far we could get without setting off alerts.

Day four: domain user → privileged service account via Kerberoasting against a poorly-configured service principal. Day seven: data-tier access via a misconfigured internal proxy. Day twelve: data exfiltration simulated to a controlled endpoint without any of the existing detection rules firing.

Full ATT&CK mapping handed over with the closure brief — 30 new detection rules written by their SOC inside the next sprint. The next red-team round, three months later, terminated at lateral movement.

Day four to data tier. Thirty rules by the end of the sprint.
Also in this issue

Briefer files.

Anonymised. Available on request under NDA.
  • 07 · Mobile fintech · UPI wallet · Root-detection bypass + binary instrumentation surfaced; hardened before next App Store release. (Mobile · 7d)
  • 08 · EdTech · AWS posture review · 8 IAM-escalation paths surfaced; landing zone hardened with Trinetra-supplied Terraform. (Cloud · 10d)
  • 09 · NBFC vendor · third-party VAPT · Downstream-client visibility review; 4 critical pre-disclosure findings remediated. (Vendor · 14d)
  • 10 · Public-sector adjacent SaaS · Pre-launch audit; auth boundary rewritten before regulator submission. (Web · 21d)
  • 11 · D2C beauty · ransomware readiness · Tabletop + posture review after sector peer disclosure; 14 gaps closed. (Tabletop · 5d)
  • 12 · Manufacturing IT · OT/IT boundary · Shared identity provider risk review after sector ransomware spike. (Posture · 12d)
House style: every file reads the same.

Four sections, no filler. The exec summary is signable in one sitting; the technical section is reproducible by your engineers; the remediation table has names against it; the closure statement is what your insurer attaches to renewal.

$ trinetra report --case TCD-0421 --view summary
SECTION · 01 Executive summary · risk priority matrix · business impact
SECTION · 02 Findings (Crit · 2 · High · 4 · Med · 9) · proof-of-issue · reproducible
SECTION · 03 Fix mapping · owners + effort · retest schedule
SECTION · 04 Closure statement · audit-aligned · PASS
> report sealed

Tell us where the last engagement fell short.

Most teams find us mid-renewal — when the previous vendor handed over a 60-page PDF nobody could action. We start the next one from the closure statement backwards.

Brief us on your scope