I’m excited to share a recent development from one of our projects. It’s not every day we get to talk with friends, family, colleagues, or customers about what we do, and even less often do we get to share how a real report looks. Sometimes, it can create interesting discussions or even deadlocks where specific clients want to hear about or even see a previous client’s results before deciding on a vendor. And most clients are understandably not too happy about sharing their results with other clients.

Not All Projects Need to be Secret

However, not all projects need to be secret, or at least not secret forever. Once the results are in and risks are addressed, the knowledge within the reports usually dies.

The team over at StackHPC has taken the unusual step of publicly sharing the results of their penetration test. This practice is not unheard of: several VPN providers, for example, publish reports from some of the top-tier consultancies. It is the first one for me in a while, though, and since I branched out on my own, I am always proud when clients decide to share the results of security assessments openly. I was therefore particularly impressed that StackHPC chose to share the insights from our recent engagement publicly.

Although we’ve conducted numerous assessments similar to this one, confidentiality requirements have typically prevented the public disclosure of our work. Our recent work with StackHPC was carried out between December 2024 and February 2025. Our team conducted a comprehensive penetration test of their Azimuth and Zenith applications, covering web application security, architecture design, and the underlying Kubernetes infrastructure. StackHPC did a good job both with their application and in the way the team worked with me as an external party on this project, and it was a pleasure to work with them from start to finish.

Publishing Security Reports

Of course, we understand that not every security assessment can be published, nor are we advocating for it. Some reports would expose unnecessary detail about highly sensitive systems, some contain confidential business information, and many results are covered by strict non-disclosure agreements.

A Culture of Openness

The offensive security industry is built on shared knowledge and open-source principles, yet many valuable insights from real engagements are kept secret. I firmly believe that every project that could be published should be published. Some projects can be published quickly without losing much of their educational value. When they concern open-source projects, as in this case, publication benefits the broader community. In other cases, it may make more sense to wait, or to publish parts of the report, insights, or findings once they have been addressed.

If you’re interested in reading StackHPC’s take on the project or having a look at the full report, you can find it on StackHPC’s blog.

Erik Wilhelmsson

Founder & Offensive Security Consultant

Our founder, with many years of experience as a security consultant doing pentesting, red teaming, and security engineering across diverse industries.