Hashorn

Case study · DevTools · Series B

Hardened for SOC 2 with zero critical CVEs at public launch

Four weeks before public launch and a SOC 2 audit, Arcata Cloud needed an outside team to find the gaps before the auditor did. We delivered threat-modeling, full IaC audit, secrets migration, and 26 prioritized fixes, landing all high and critical issues before the launch date.

Case studyDevTools · Series B

Arcata Cloud

0 critical CVEs · SOC 2 first-pass

Client

Arcata Cloud

Engagement

Security audit + pre-launch hardening

Duration

4 weeks total (2 audit + 2 hardening)

Team

2 senior security engineers, 1 cloud specialist

ServicesSecurity EngineeringCloud & DevOps Security

Outcomes at a glance

Critical CVEs at launch

0

Findings resolved before launch

100% high & critical

SOC 2 first-attempt pass

Zero observations

Sprint timeline

How the engagement unfolded

  1. Wk 1

    Threat-modelling workshop

    Full STRIDE pass on every key asset (user sessions, payment webhooks, admin API, audit logs, backups). About half of all later findings traced back to assumptions surfaced here.

    STRIDE map · attack-surface inventory

  2. Wk 2

    Application + IaC audit

    Manual code review augmented with Semgrep custom rules. Checkov against Terraform surfaced 47 misconfigurations. Dependency scan via Trivy. Secrets scan via Gitleaks (found 2 leaked AWS keys).

    14-page audit report · 26 findings

  3. Wk 3

    Critical fixes + secrets migration

    Two critical issues fixed in 48 hours (hardcoded client-bundle API key, weak JWT secret). All env-var secrets migrated to HashiCorp Vault with short-lived runtime fetches.

    0 critical · secrets in Vault

  4. Wk 4

    IAM tightening + DevSecOps wiring

    213 IAM policies tightened to least-privilege. Admin role split into 3 personas. Semgrep + Checkov + Trivy wired into CI on every push to main.

    IAM clean · CI security gates live

Architecture

The stack we shipped on

Infra

  • AWS
  • Terraform
  • VPC isolation

Secrets

Replaced .env-style secrets

  • HashiCorp Vault
  • Short-lived tokens

SAST / DAST

  • Semgrep
  • OWASP ZAP
  • Burp Suite

Supply chain

  • Trivy
  • Snyk
  • Gitleaks

IaC scanning

Runs on every PR + push to main

  • Checkov
  • GitHub Actions

Risks we actively managed

  • SOC 2 audit-evidence gaps — every finding tracked with reproducible PoC and verification PR.
  • Customer-facing launch deadline — non-negotiable; we fixed in priority order and ticketed the rest.
  • Operational regression during hardening — feature-flagged IAM changes; rolled back automatically on permission denials in CI.
  • Insider-threat exposure via leaked keys — both rotated within 30 minutes of discovery; CloudTrail reviewed for misuse.
Workflow

Tracked end-to-end in BuildOS.

Every meeting summary, requirement, sprint, task, and metric in this case study was rendered in BuildOS during the engagement. The customer's team had read-only access to the same workspace from week one, they saw Friday demos, weekly velocity, and AI-generated checklists without us sending status emails.

See BuildOS

The challenge

Arcata Cloud was four weeks from a public launch and a SOC 2 Type 1 audit. Their security posture had grown organically alongside the product over two years, fast iteration, "we'll fix it when we have time," all the things every Series B has done. The CTO wanted an outside team to find the gaps before the auditor did.

The launch deadline was non-negotiable. So was the SOC 2 timeline, the largest enterprise customer in their pipeline had it as a contractual prerequisite. Failing the audit would mean either delaying launch or losing the customer.

How we approached it

Two phases. First two weeks: comprehensive threat-model and audit across code, API, infrastructure, and identity. Last two weeks: prioritized fixes, we worked alongside their team in a shared Slack channel, pairing on the highest-severity findings.

The threat-model came first deliberately. About half of the audit findings traced back to assumptions surfaced in the workshop, assumptions nobody had ever written down, much less stress-tested.

What we shipped

Audit phase (weeks 1–2)

  • Threat-modeling workshop with engineering. Full STRIDE pass on every key asset: user sessions, payment webhooks, admin API, audit logs, backup files.
  • Application security audit. Manual review augmented with Semgrep custom rules; full coverage of authentication, authorization, and data-handling code paths.
  • IaC audit using Checkov. Surfaced 47 misconfigurations across Terraform, over-permissive IAM, public S3 buckets, missing encryption-at-rest on three databases.
  • Dependency scan with Trivy + npm audit. Identified 12 outdated dependencies with known CVEs.
  • Secrets scan with Gitleaks. Found two leaked AWS keys in old commits (rotated immediately).
  • 14-page security report formatted for the SOC 2 auditor's expected evidence shape.

Hardening phase (weeks 3–4)

  • Two critical fixes shipped first. A hardcoded API key in the client bundle and a JWT signing secret weak enough to brute-force, both shipped within 48 hours of discovery.
  • Secrets migration. All environment-variable secrets moved to HashiCorp Vault; runtime fetch with short-lived tokens.
  • IAM least-privilege overhaul. 213 IAM policies tightened; admin role split into three role-specific personas; access reviews scheduled monthly.
  • API hardening. Rate limits added to all authenticated endpoints; idempotency keys required on all state-changing operations.
  • DevSecOps wiring. SAST (Semgrep) and IaC scan (Checkov) added to CI; dependency scan (Trivy) runs on every push to main.

Outcomes

  • 26 findings total (2 critical, 7 high, 12 medium, 5 low).
  • 100% of high and critical issues resolved before launch. Mediums and lows ticketed for the next quarter with named owners.
  • 0 critical CVEs at public launch.
  • SOC 2 Type 1 passed on first attempt with zero engineering-side observations. The auditor specifically called out the threat-model documentation as exceeding expectations.
  • Internal team trained on the new patterns; recurring quarterly review cadence established.
  • The enterprise customer signed.

What we'd repeat

The threat-modeling workshop was the highest-leverage hour of the engagement. About half of the audit findings traced back to assumptions surfaced in the workshop, assumptions that had never been written down, much less stress-tested. If we ran this engagement again in two weeks instead of four, we'd still spend the first day on threat-modeling.

The other lesson: prioritize ruthlessly. We resisted the temptation to fix everything; we shipped the criticals, the highs, and the medium-but-easy items. The mediums-but-hard items went into the backlog with named owners. Four weeks isn't enough to fix everything that's wrong, but it is enough to make sure nothing critical ships.

We knew our security posture had grown organically. We didn't know we had two critical issues we'd been shipping for nine months. Hashorn found them, helped us fix them, and got us through SOC 2 on the first try.
PI

Priya Iyer

CTO, Arcata Cloud

Want a result like this?

Tell us what you're building, we'll tell you how we'd ship it.

Book an intro call →