This is an engineering readiness review; full pentests should involve certified partners for regulated industries.

How long does it take?

From a few days for small shops to two weeks for large platforms.

Yes. via retainer or a dedicated hardening sprint.

Security review before peak sales: what we check in code and infra - gmi.software

Security review before peak sales: what we check in code and infra

Mikołaj Lehman

CEO & Founder

A pre-peak security review hunts typical flaws (OWASP), cloud config and access policies before higher revenue attracts bots and attacks.

Application and APIs

SQLi, order IDOR and verbose errors, automated scans plus manual scenarios.

JWT refresh lifetimes and key rotation.

Infrastructure

Public buckets, open admin ports and missing WAF on payment webhooks.

Backups and restore drills, ransomware is an ops risk too.

Process

Short report with P0/P1 fixes before campaigns launch.

We estimate CDN/WAF cost scaling under heavier traffic.

Frequently asked questions

Is this a pentest?: This is an engineering readiness review; full pentests should involve certified partners for regulated industries.
How long does it take?: From a few days for small shops to two weeks for large platforms.
Do you fix findings?: Yes. via retainer or a dedicated hardening sprint.

Content updated: March 2, 2026

Let's talk
about the project.

Have an app idea or need technological support? Write to us — we'll prepare a preliminary analysis and estimate within 48h. Projects that go through our DDT process (Discovery, Design & Technology) come with a price guarantee and a fixed-price agreement — a key differentiator for us.

Write to us[email protected]

Visit us

gmi.software Sp. z o.o.ul. Jana Heweliusza 11 / 819
80-890 Gdansk, Poland

NIP: 5252816287KRS: 0000830003

A pre-peak security review hunts typical flaws (OWASP), cloud config and access policies before higher revenue attracts bots and attacks.

Application and APIs

SQLi, order IDOR and verbose errors, automated scans plus manual scenarios.

JWT refresh lifetimes and key rotation.

Infrastructure

Public buckets, open admin ports and missing WAF on payment webhooks.

Backups and restore drills, ransomware is an ops risk too.

Process

Short report with P0/P1 fixes before campaigns launch.

We estimate CDN/WAF cost scaling under heavier traffic.

Frequently asked questions

Is this a pentest?: This is an engineering readiness review; full pentests should involve certified partners for regulated industries.
How long does it take?: From a few days for small shops to two weeks for large platforms.
Do you fix findings?: Yes. via retainer or a dedicated hardening sprint.

Content updated: March 2, 2026

Security review before peak sales: what we check in code and infra

Application and APIs

Infrastructure

Process

Frequently asked questions

Related articles

NestJS order microservices: when to split the monolith

PostgreSQL RLS: tenant isolation in commerce SaaS

Let's talk
about the project.

Free consultation

Security review before peak sales: what we check in code and infra

Application and APIs

Infrastructure

Process

Frequently asked questions

Related articles

NestJS order microservices: when to split the monolith

PostgreSQL RLS: tenant isolation in commerce SaaS

Let's talk
about the project.

Free consultation

Security review before peak sales: what we check in code and infra

Application and APIs

Infrastructure

Process

Frequently asked questions

Related articles

NestJS order microservices: when to split the monolith

PostgreSQL RLS: tenant isolation in commerce SaaS

Let's talk about the project.

Free consultation

Software House in cities

Mobile apps in cities

Security review before peak sales: what we check in code and infra

Application and APIs

Infrastructure

Process

Frequently asked questions

Related articles

NestJS order microservices: when to split the monolith

PostgreSQL RLS: tenant isolation in commerce SaaS

Let's talk about the project.

Free consultation

Software House in cities

Mobile apps in cities

Let's talk
about the project.

Let's talk
about the project.