0 critical findings in a 4-day pen test
Penetration Testing · Non-profit Tech · Pre-launch
Days before going live, donation platform GiftShift asked us to attack it. Four days of grey box pen testing confirmed the foundation was sound and showed exactly where to harden it.
GiftShift is a donation platform built to help charities reach younger donors. Users pick the causes they care about, adjust their giving month to month, and trust the platform with their payment details. One breach of donor data or one tampered money transfer would damage GiftShift and every charity on it.
GiftShift approached spriteCloud at the end of their development phase, with the launch event approaching. The question was direct: can client data be reached, and can the donation flow be touched, by someone outside?
As a startup, GiftShift had built the platform on microservices, outsourcing custom work to move fast. That choice cuts both ways for security. Each service is isolated and can be patched independently, which limits the blast radius. But every service talks over APIs, which widens the attack surface and multiplies the places a misconfiguration can hide.
None of that setup had been security tested, and a growing volume of clients and transactions makes a platform like this a more interesting target over time.
Scoping sessions with the GiftShift team mapped the platform's setup and its highest-risk paths. That shaped a four-day, hands-on grey box penetration test of the public-facing assets, focused on four areas.
The donation flow came first: the path money takes had to be unreachable from outside. Then authentication, confirming that no account could be used to reach someone else's personal or payment data, a direct GDPR requirement. Then the contact forms, the most exposed inputs on the platform and the classic entry point for injection attacks. And finally the broadest question of all: what can be reached from the public-facing assets? We worked through the application's behaviour and tried every route we could find toward backend information we had no right to see.
The test produced four medium findings and one informational finding. No critical or high-priority issues. For a platform built from scratch under startup time pressure, that is a solid result, and it confirmed the foundation was sound.
The findings themselves stay confidential. In the follow-up call we walked GiftShift through each one, the risk it posed, and the fix.
GiftShift picked up all findings and hardened the platform before scaling further. The launch went ahead with the donation flow, authentication and public-facing assets verified by people whose job is to break them.
"spriteCloud's research has shown us areas for improvement that we would never have discovered without them. With the professional help of spriteCloud, we have made our platform even more secure and guaranteed the safety of our donors and charities."
Jordy Dekker, CTO, GiftShift
"As a true partner, spriteCloud has immersed itself in GiftShift and our platform in a short time, has been very flexible, has thought along with us, has given us valuable insights, and has ultimately helped us very well to further develop our platform."
CEO, GiftShift