CC Security Audits is a boutique security firm focused on iGaming platforms. We find what automated scanners miss: exposed admin panels, session hijack chains, and account takeover vectors through deep manual analysis.
CC Security Audits started with real security work, not theory. In early 2026, while building distributed storage systems at Curio Storage, we kept finding critical vulnerabilities in the platforms around us. Admin panels exposed to the internet. OAuth flows missing PKCE. WebSocket backends leaking internal data without any authentication. CORS policies that let any website read user sessions.
We reported every single one. Responsibly, every time. And we noticed a pattern: the platforms that needed the most help were mid-size iGaming operators. Big enough to handle real money, too small for a dedicated security team. So we became that team.
Today we focus exclusively on iGaming. We know the stacks: Laravel, Rails, Node.js backends, Centrifugo and Socket.io real-time layers, SumSub and Shufti KYC integrations, Curaçao and Costa Rica licensing requirements. We find vulnerabilities that matter, write clear reports, and help teams fix them.
Black-box and grey-box testing of your web applications, APIs, and infrastructure from an attacker's perspective.
Casino-specific review covering payment flows, KYC bypasses, game integrity, withdrawal logic, and chat system security.
Deep dive into OAuth/OIDC, JWT handling, 2FA flows, session management, and account takeover chains.
Misconfigured cross-origin policies, CSP headers, cookie flags, API gateway configs, and CDN rules. We find at least one in nearly every engagement.
Monthly surface monitoring, priority testing for new releases, and re-testing after fixes. Security is not a one-time event.
Clear reports with CVSS scoring, reproduction steps, and fix guidance. Written for engineers and executives alike.
API reflected any Origin request header into Access-Control-Allow-Origin while also sending Access-Control-Allow-Credentials: true. An attacker-controlled page could therefore read authenticated responses, including balances, personal data, and session tokens, from any logged-in player who visited it.
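The header logic behind that finding, as an added example (not code from CC Security Audits or from any client): the reflecting handler, a weak suffix-match variant that is just as exploitable, an allowlist version, and the tester-side check that flags the problem from response headers alone. Origins and header shapes are constructed for illustration.

```javascript
// Added example, not from the original page. Models only the server's CORS
// header decision; origins below are constructed.

const ALLOWED_ORIGINS = new Set([
  "https://play.example-casino.test",
  "https://admin.example-casino.test",
]);

// Vulnerable: echoes whatever Origin the request carries and also grants
// credentials, so any site a logged-in player visits can read API responses.
function corsHeadersVulnerable(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Also vulnerable: "does it end with our domain?" is bypassed by
// https://evil-example-casino.test, which the attacker can register.
function corsHeadersSuffixMatch(requestOrigin) {
  if (!requestOrigin || !requestOrigin.endsWith("example-casino.test")) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened: only exact allowlisted origins are echoed, and Vary: Origin keeps
// shared caches from serving one origin's grant to another.
function corsHeadersHardened(requestOrigin) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Tester-side check: did the response grant the probe origin credentialed
// read access? Browsers refuse "*" together with credentials, so only an
// exact echo of the probe counts.
function isOriginReflectionVulnerable(headers, probeOrigin) {
  const acao = headers["Access-Control-Allow-Origin"];
  const acac = (headers["Access-Control-Allow-Credentials"] || "").toLowerCase();
  return acao === probeOrigin && acac === "true";
}

// Convenience: run a handler against an attacker origin and report the verdict.
function attackerCanReadResponse(corsFn, attackerOrigin) {
  return isOriginReflectionVulnerable(corsFn(attackerOrigin), attackerOrigin);
}

const ATTACKER = "https://evil.attacker.test";
const LOOKALIKE = "https://evil-example-casino.test";
console.log("reflecting handler:", attackerCanReadResponse(corsHeadersVulnerable, ATTACKER));
console.log("suffix-match handler:", attackerCanReadResponse(corsHeadersSuffixMatch, LOOKALIKE));
console.log("allowlist handler:", attackerCanReadResponse(corsHeadersHardened, ATTACKER));
```

In a real engagement the same check is run against a live endpoint by sending a request with an arbitrary Origin header (and a second one with a look-alike suffix) and reading the response headers; the two weak handlers above echo the probe, the allowlist handler returns no CORS headers at all.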
Account Takeover: Profile update endpoint accepted undocumented fields (mass assignment). By injecting a phone number, an attacker could enable SMS-based 2FA, then use password reset to take over any account and initiate withdrawals.
Data Exposure: Socket.io real-time chat system accepted connections without authentication. Connected clients received all player support messages in real time.
Authentication Bypass: Social login via Google/Telegram had no CSRF protection (no state parameter) and no PKCE challenge. An attacker could force-link their own identity to a victim's account through login CSRF.
Information Disclosure: Client-side JavaScript leaked 700+ feature flags, including internal user IDs and security toggles (WAF bypass, VPN detection, geo-restriction) with their current states.
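The mass-assignment pattern behind the profile-update finding above, as an added example (not the client's or CC Security Audits' code): a handler that copies every submitted field onto the user record, beside an allowlist version that drops or rejects anything not meant to be editable. Field names and the sample request are constructed; the functions are plain JavaScript so they run without a web framework.

```javascript
// Added example, not from the original page. Field names and the sample
// request body are constructed.

// Vulnerable: every key in the request body becomes a write to the user
// record, so undocumented attributes (phone, smsTwoFactor, role, ...) are
// settable by anyone who can call the endpoint.
function updateProfileVulnerable(user, body) {
  return Object.assign({}, user, body);
}

// Hardened: an explicit allowlist of editable fields. Unknown keys are
// dropped and returned so the caller can log or reject the attempt. Because
// "__proto__" is not on the list, JSON bodies trying to pollute the prototype
// are rejected as well.
const EDITABLE_FIELDS = ["displayName", "language", "marketingOptIn"];

function updateProfileHardened(user, body) {
  const updated = { ...user };
  const rejected = [];
  for (const [key, value] of Object.entries(body)) {
    if (EDITABLE_FIELDS.includes(key)) updated[key] = value;
    else rejected.push(key);
  }
  return { updated, rejected };
}

// Stricter variant: fail the whole request when unexpected fields appear.
// A 400 with the offending keys is easy to alert on; silent dropping is not.
function updateProfileStrict(user, body) {
  const { updated, rejected } = updateProfileHardened(user, body);
  if (rejected.length > 0) {
    throw new Error(`unexpected fields: ${rejected.join(", ")}`);
  }
  return updated;
}

// Constructed sample: a victim record and an attacker-crafted body that adds a
// phone number and flips SMS 2FA on, the first step of the chain in the finding.
const victim = {
  id: 42,
  displayName: "player42",
  language: "en",
  marketingOptIn: false,
  phone: null,
  smsTwoFactor: false,
};
const craftedBody = { displayName: "player42", phone: "+15550100", smsTwoFactor: true };

console.log("vulnerable phone:", updateProfileVulnerable(victim, craftedBody).phone);
console.log("hardened phone:", updateProfileHardened(victim, craftedBody).updated.phone);
console.log("rejected keys:", updateProfileHardened(victim, craftedBody).rejected);
```

The same idea applies to ORM-level mass assignment (Laravel `$fillable`, Rails strong parameters): the list of writable attributes must live in code, not be inferred from whatever the client sends.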
All findings were responsibly disclosed and remediated. No client data was exfiltrated during testing.
We define the engagement: which domains, APIs, and environments are in scope. You set the rules, we work within them.
Deep surface mapping. Subdomains, tech stack fingerprinting, API endpoint discovery, JavaScript analysis, infrastructure enumeration.
Hands-on exploitation attempts against authentication, authorization, business logic, payment flows, and platform-specific vectors.
Detailed report with CVSS scores, proof-of-concept steps, and fix guidance. We re-test after your team patches.
Focused on 1-2 critical areas
Complete external security assessment
Continuous protection
We respond within 24 hours. Tell us about your platform and we'll send a scoping proposal.