The tenant boundary that wasn’t
A client asked us to assess a web application they were considering acquiring. The target supplied several years of clean penetration-test reports from a reputable firm. At kickoff, they explained that cross-customer access was impossible, because records were separated at the infrastructure level. For the buyer, that tenant isolation was not abstract; it was part of the acquisition risk model.
Where surface testing stops too early
A tool can send a request, receive a successful response, and treat the behavior as normal. Here, the application kept working when a session-token value was removed. It still returned a normal-looking page, with the expected number of records per page. To a scanner, the request looked successful whether the value was present or not.
What we did differently
We manually compared the actual records returned across roles, sessions, and data contexts. The page loaded either way; what changed was the data. With the value removed, the application returned more records than it should have. That value was not an authentication artifact; it was quietly filtering data by domain, organization, and production instance. The tenant boundary depended on inconsistent data scoping, not the hard separation the buyer had been promised.
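To make the failure mode concrete, here is an added illustration (not code from the assessed application): a list handler whose filter is driven by a request-supplied scope value and widens when that value is removed, next to a version that derives the scope from the server-side session and fails closed, plus the differential check we ran by hand. Tenant names, record contents and session ids are constructed.

```python
from typing import Optional

# Constructed sample data: records belonging to two hypothetical tenants.
RECORDS = [
    {"id": 1, "tenant": "acme", "instance": "prod", "title": "Invoice 1001"},
    {"id": 2, "tenant": "acme", "instance": "prod", "title": "Invoice 1002"},
    {"id": 3, "tenant": "globex", "instance": "prod", "title": "Contract 7"},
    {"id": 4, "tenant": "globex", "instance": "staging", "title": "Draft 8"},
]

# Constructed server-side session store: tenant is bound at login, not per request.
SESSIONS = {"sess-acme": {"user": "alice", "tenant": "acme", "instance": "prod"}}


class Unauthorized(Exception):
    pass


def vulnerable_list_records(params: dict) -> list:
    """Pattern from the article: the filter comes from a request value and
    silently widens to every tenant's data when that value is absent."""
    scope = params.get("scope")  # e.g. "acme/prod"; absent => no filter at all
    if scope is None:
        return list(RECORDS)  # fails open
    tenant, instance = scope.split("/", 1)
    return [r for r in RECORDS if r["tenant"] == tenant and r["instance"] == instance]


def hardened_list_records(session_id: Optional[str], params: dict) -> list:
    """Scope is taken from the authenticated session only; any client-supplied
    scope in params is ignored, and a missing or unknown session fails closed."""
    sess = SESSIONS.get(session_id or "")
    if sess is None:
        raise Unauthorized("no valid session")
    return [r for r in RECORDS
            if r["tenant"] == sess["tenant"] and r["instance"] == sess["instance"]]


def widened(with_value: list, without_value: list) -> bool:
    """Differential check: did removing the value return records that were
    outside the original result set? Page size alone would not reveal this."""
    before = {r["id"] for r in with_value}
    after = {r["id"] for r in without_value}
    return not after <= before
```

Comparing record identities rather than HTTP status or row count is what exposes the widened result set; a scanner that only sees a 200 and a full page of rows reports both requests as normal.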