Case Studies on Eknix — Web security & performance for the enterprise

Digital bank: securing an API estate they didn't know they had

Sun, 10 May 2026 00:00:00 +0000

The challenge

Four years into operation, the bank had grown fast. Microservices, third-party integrations, multiple mobile app versions, open banking connectors. Engineering shipped constantly and the API estate accumulated with it. Ahead of a DORA compliance review, the security team wanted to establish what their actual API surface looked like before the regulator did.

The answer was uncomfortable. They thought they had around 300 API endpoints. We found 441.

Around 140 additional endpoints: old API versions never decommissioned, internal services exposed externally during development and never pulled back, integration endpoints from partnerships that had since ended. Six had no authentication requirement at all. One of them returned customer transaction history without an auth header.

Hotel group: shutting down credential stuffing on a loyalty programme

Fri, 10 Apr 2026 00:00:00 +0000

The challenge

The client runs a loyalty programme across a group of mid-market hotels in Europe. Members accumulate points on stays and redeem them for free nights and room upgrades, or transfer them to airline frequent flyer programmes. Several million registered accounts, active enough that points have real monetary value to members and, it turned out, to attackers.

The fraud team spotted it first. An unusual volume of points-to-miles conversion requests, all routing to the same small set of airline frequent flyer numbers. The accounts initiating the transfers looked normal: real members, real historical activity, real email addresses. Just not the real owners converting them.

European challenger bank: PCI DSS at the edge, zero outages in two years

Wed, 08 Apr 2026 00:00:00 +0000

The challenge

A fast-growing European challenger bank had outgrown its initial cloud-native architecture. With customer count tripling year-over-year and increasing scrutiny from financial regulators, the platform needed:

A PCI DSS Level 1 Service Provider ready edge architecture
Sub-200ms TTFB across Europe
A serious answer to DDoS and credential stuffing
Workload-level isolation for cardholder data environments

The existing stack — a single-region cloud provider’s WAF and CDN combination — couldn’t deliver any of these at the required level.

Fashion retailer: stopping SMS pumping before it became a $500k problem

Thu, 05 Mar 2026 00:00:00 +0000

The challenge

The client is a mid-market fashion retailer with a European customer base. Customers log in with their phone number and receive a one-time code by SMS — no password, OTP is the authentication. Normal SMS volume ran around 50,000 messages per month. Predictable cost.

At 3am on a Tuesday, the login flow stopped working. Their SMS gateway had suspended the account for unusual traffic. The attack had been running four hours.

Global retailer: Black Friday-ready in 90 days

Thu, 15 Jan 2026 00:00:00 +0000

The challenge

A top-100 global retailer had spent two years quietly outgrowing its existing CDN deployment. With a major Black Friday campaign 90 days out, the team flagged two problems they couldn’t solve internally:

Catalog cache hit ratio was 71% — and origin egress was scaling alarmingly with traffic
Scraper traffic from competitors had reached an estimated 18% of total catalog requests
Previous peak seasons had required emergency origin scaling and triggered Tier-2 incidents

The platform team needed a 90-day path to confident peak readiness.

Regional airline: cutting search latency in half, globally

Sun, 30 Nov 2025 00:00:00 +0000

The challenge

A regional airline group with operations across three continents was losing competitive ground in metasearch placement — primarily because their search response times were too slow. Internal data showed look-to-book ratio dropping below industry benchmark in three key markets.

The technical root cause was a series of inefficient paths between metasearch partners, the airline’s booking API, and downstream GDS calls. Each hop added latency, and the existing CDN deployment wasn’t optimized for the request patterns.