Results
Zeno’s systems demonstrated a strong security foundation
No critical or high-severity vulnerabilities were identified
No user data was accessed or exposed
Most issues were governance or hardening-related, not actively exploitable
>90% alignment with OWASP WSTG best practices
The engagement not only strengthened the platform — it also helped Zeno secure a 120-seat enterprise client in the Netherlands, validating the platform’s readiness for larger deployments and high-trust use cases.
All findings were responsibly disclosed, with actionable remediation guidance provided. Most issues centered around authorization hygiene, dependency management, and cookie configurations — not systemic flaws.
About the client
Industry: LegalTech / AI SaaS
Location: Rotterdam, Netherlands
Engagement: White-box Penetration Testing
Their platform supports legal research, document analysis, due diligence, and (soon) contract drafting — all within a secure, centralized environment designed for high-trust professional use.
Given the sensitive nature of the client data processed, Zeno aligns its security posture with legal industry standards and maintains compliance with GDPR and ISO 27001. As they began serving larger enterprise clients, the Zeno team recognized the importance of validating their systems beyond checklists — especially for security-conscious stakeholders handling privileged data.
“If something goes wrong, it can ruin lives.” That mindset shaped Zeno’s approach from day one. Security wasn’t layered on later — it was embedded from the start.
The Challenge
At Zeno, security is foundational
While the team had implemented strong practices internally, including automated scanning via Aikido and ISO 27001 certification, they had never undergone a full manual penetration test. As they scaled, they wanted to pressure test their architecture — not just to satisfy compliance requirements, but to meet the bar they set for themselves.
Their goal wasn’t just technical validation — it was business-critical. A major prospective client required independent proof of platform security. Zeno knew that an external audit could unlock the next level of growth.
They don’t treat it as an afterthought or a checkbox — they design for it, test it, and constantly challenge it.
The Objective
Engage an external team capable of simulating real-world attacker behavior using full access to source code, infrastructure, and documentation. This was about gaining visibility, surfacing blind spots, and ensuring resilience across every layer of the stack.
Our solution
Sekurno conducted a white-box penetration test and source code review that mirrored how a determined and informed adversary might approach the Zeno platform.
Our testing followed established methodologies:
- OWASP Web Security Testing Guide (WSTG)
- OWASP Threat Modeling Process
- Penetration Testing Execution Standard (PTES)
Scope included:
- Zeno’s full web platform, management backend, and API
- Supporting infrastructure and authentication flows
- Internal permission models and LLM-related components
- Access to multiple user roles, documentation, and source code
This deep access enabled a contextual and attacker-realistic review, combining static analysis and dynamic exploitation techniques.
Alongside security findings, we also surfaced residual testing artifacts and leftover functionality — non-security issues that the Zeno team proactively addressed to further harden their product.
Deliverables included a comprehensive checklist of all tested items, with clear problem descriptions, severity ratings, and reproduction steps — equipping the Zeno team with full transparency for remediation and future proofing.
Key takeaways
Security-first culture
Zeno didn’t wait for a breach or customer pressure to act — they sought external validation on their own terms.
Transparency = depth
By sharing their code, infra, and docs, Zeno enabled a far deeper and more meaningful assessment.
Enterprise-ready posture
The results provide assurance for larger clients evaluating Zeno as a trusted data processor under GDPR and ISO frameworks.
Efficient collaboration
Weekly updates, rapid clarifications, and strong internal preparedness led to a faster-than-expected delivery timeline — with high confidence from both technical and business stakeholders.
Conclusion
Zeno’s security engagement was not a formality. It was a proactive stress test of the trust they’ve built with clients — and a reflection of their leadership’s deep commitment to secure, resilient AI systems in the legal space.
We’re proud to have supported a team that sees security not as a compliance line item — but as a design principle. This mindset is rare, and it sets a benchmark for what secure-by-default LegalTech can look like.
