Marketplace Architecture Audit
Note: This is placeholder content. The full case study is pending client sign-off for publication.
The problem
A two-sided marketplace was preparing for a Series A raise. The lead investor's technical advisor had flagged concerns about data isolation between buyer and seller accounts and the absence of audit logging. The founding CTO needed a credible third-party assessment to address those concerns before the next partner meeting.
They gave us three weeks and full read access to the codebase, infrastructure, and AWS account.
Our approach
We ran a structured audit across four dimensions: application security (OWASP Top 10), data architecture, infrastructure posture, and engineering practices. We used a combination of static analysis, manual code review, and live infrastructure inspection.
We did not write any production code during the audit — our only deliverable was a written report.
The outcome
We surfaced 14 findings across three severity tiers. Three were rated high severity: an IDOR vulnerability in the seller API, missing row-level security on a shared DynamoDB table, and CloudTrail disabled in two regions.
All three were remediated by the client's engineering team within 10 days of receiving the report, guided by our remediation roadmap.
- Zero critical or high findings remaining at the time of the Series A close
- The audit report was shared directly with the investor's technical advisor
- Client raised their Series A three weeks after remediation was complete
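The high-severity IDOR finding above is the classic case of an authenticated endpoint that never checks whether the caller owns the record it is asked for. The following is an added illustration, not the client's code or anything from the audit report: a minimal seller-listing lookup in its unchecked form beside a hardened version that enforces ownership and writes an audit entry for every decision. The listing store, seller and listing ids, and the audit-log structure are all constructed for this example.

```python
"""Added example (hypothetical, not the client's code): closing an IDOR in a
seller-facing lookup with an ownership check plus an audit-log entry per decision.
All identifiers and records below are constructed for illustration."""
from datetime import datetime, timezone

# Constructed sample data: two sellers, each owning one listing.
LISTINGS = {
    "lst-100": {"seller_id": "sel-1", "title": "Vintage lamp", "payout_account": "****1234"},
    "lst-200": {"seller_id": "sel-2", "title": "Road bike", "payout_account": "****9876"},
}

# Stands in for an append-only audit sink (e.g. the log stream CloudTrail or
# an application audit table would provide). Kept in memory so this runs offline.
AUDIT_LOG: list[dict] = []


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def audit(actor: str, action: str, resource: str, allowed: bool) -> None:
    """Record who tried to do what to which resource, and whether it was allowed."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "resource": resource,
        "result": "allow" if allowed else "deny",
    })


def get_listing_unchecked(caller_seller_id: str, listing_id: str) -> dict:
    """The IDOR-shaped 'before' pattern: the caller is authenticated, but the
    listing is returned purely by id, so any seller can read any other seller's
    record (including its payout account) just by supplying that id."""
    return LISTINGS[listing_id]


def get_listing(caller_seller_id: str, listing_id: str) -> dict:
    """Hardened version: the record is returned only if the caller owns it, and
    every decision is audited. A missing id and a foreign id both raise the same
    error so the endpoint does not reveal which listing ids exist."""
    record = LISTINGS.get(listing_id)
    allowed = record is not None and record["seller_id"] == caller_seller_id
    audit(caller_seller_id, "listing.read", listing_id, allowed)
    if not allowed:
        raise Forbidden(f"listing {listing_id} is not accessible to {caller_seller_id}")
    return record


def can_read(caller_seller_id: str, listing_id: str) -> bool:
    """Convenience wrapper returning the access decision as a boolean."""
    try:
        get_listing(caller_seller_id, listing_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print(get_listing("sel-1", "lst-100")["title"])   # owner: allowed
    print(can_read("sel-1", "lst-200"))                # foreign listing: False
    print(can_read("sel-1", "lst-999"))                # unknown id: False
    for entry in AUDIT_LOG:
        print(entry)
```

The important design point is that the ownership predicate lives next to the data access, not in a caller that may forget it, and that denials are logged with the same structure as successes so a burst of `deny` entries from one actor is visible to whoever reviews the audit trail.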
"The audit was the most valuable three weeks of engineering spend we made that year."
— CTO, Marketplace client (name withheld)