How Code House Strengthened Platform Security with ZeroThreat’s Automated Web & API Pentesting

Measurable Outcomes

  • Security validated during UAT before production
  • Earlier visibility into application risks
  • Timely: critical vulnerabilities fixed between releases
  • Fewer critical findings during penetration testing
  • Improved security posture confidence

Code House at a Glance

  • Industry: Accounting & Payroll Software
  • Location: Australia
  • Platform Type: Web Application + APIs
  • Primary Need: Early and repeatable security validation for a business-critical platform
  • ZeroThreat Solution Used: Automated Web & API Pentesting

Overview

Code House develops and maintains a core payroll and debtors solution, Workforce One, where data accuracy, compliance, security and system reliability are critical.

With penetration testing already part of its security program, the team adopted ZeroThreat to strengthen early security validation, improve visibility into application and API risks, and reduce late-stage surprises before production deployments. ZeroThreat complements existing security practices by enabling repeatable pre-release validation and faster confirmation of fixes.

Impact Summary

Outcome | Benefit
Pre-release security validation | Reduced risk of issues reaching production
Earlier risk visibility | More time to remediate critical findings
Timely remediation of critical vulnerabilities | High-risk issues addressed between releases
Improved release confidence | Fewer security-driven delays
Stronger security posture | Penetration testing used for assurance, not discovery

About Code House

Code House builds and maintains a business-critical accounting and payroll software platform used to manage sensitive financial and employee data.

The platform is continuously enhanced through regular updates, with security validation performed in a structured staging (UAT) environment before production releases. Given the nature of the product, security and reliability are treated as ongoing responsibilities rather than one-time checks.

The Security Challenge

Code House already had penetration testing in place as part of its security program. However, relying primarily on periodic penetration tests created challenges:

  • Limited visibility into security risks earlier in the release cycle
  • Findings often surfaced late, leaving limited time for remediation
  • Manual effort required to validate fixes after changes
  • Gaps between penetration tests where issues could remain undetected

The team needed a way to complement penetration testing with earlier, repeatable security validation—without adding operational overhead.

Why Code House Chose ZeroThreat

Code House adopted ZeroThreat as part of its pre-production security validation process after identifying four key requirements:

  1. Automated web and API pentesting across the platform
  2. Earlier identification of exploitable application and API risks
  3. Faster validation of fixes through repeatable scans
  4. Complements existing penetration testing with earlier coverage

Before ZeroThreat | After ZeroThreat
Reliance on periodic penetration testing | Security validated during UAT
Limited early visibility before release | Earlier visibility into application and API risks
Manual validation of fixes | Fix impact confirmed through re-scans
Late discovery of some issues | Fewer critical surprises during penetration testing

How ZeroThreat Fits into the Product Workflow

When scans are run

  • Security scans are executed in the staging (UAT) environment
  • Scans are aligned with release readiness, not a fixed schedule
  • Additional scans are run when significant changes are introduced

How findings are handled

  • Vulnerabilities are reviewed and prioritized based on severity
  • Critical and high-severity issues are addressed immediately
  • Lower-severity or complex issues are planned into upcoming updates
  • Critical vulnerabilities are fixed promptly and included in live updates when required

Real Vulnerabilities Identified by ZeroThreat

In recent release scans, ZeroThreat identified security risks across both the web application and supporting APIs, including:

  • Input validation and state handling weaknesses
  • Client-side security risks across complex user workflows
  • Insecure handling of sensitive data in browser storage
  • Session and cookie configuration gaps impacting security controls
  • Error handling behaviors that could expose unintended information

These issues are difficult to identify consistently through periodic testing alone and benefit from repeatable, automated validation earlier in the release cycle.

What Mattered Most

Several of these risks were identified earlier in the development lifecycle, allowing the team to remediate them and validate fixes before production, improving overall platform security without disrupting release timelines.

Measurable Impact

After integrating ZeroThreat, Code House observed measurable improvements in security readiness and operational efficiency.

Security & Release Outcomes

  • Security risks identified earlier in the release cycle
  • Faster validation of fixes before production
  • Fewer critical findings during penetration testing

Workflow Improvements

  • Reduced last-minute remediation pressure
  • Clearer prioritization of security issues
  • Improved coordination between development and security reviews

Team Confidence

  • Greater confidence during release readiness checks
  • Improved clarity on vulnerability severity and impact
  • Penetration testing used for assurance rather than discovery

5.0 stars

We replaced our old scanning tool with ZeroThreat after seeing how comprehensive the product is. It adds strength to our security testing and ensures that our systems are kept up to date with the latest technology. The scans are deep and reports provide outstanding feedback to our team.

Gavin Andrew

Code House, Managing Director

Conclusion

For product teams like Code House, security is not about replacing penetration testing—it’s about making security earlier, more predictable, and easier to validate.

By complementing existing penetration testing with ZeroThreat, Code House strengthened its ability to identify and address security risks before production, validate fixes faster, and maintain confidence in the platform’s security posture as it evolves.

About ZeroThreat

ZeroThreat is a web and API pentesting platform that helps teams identify real, exploitable vulnerabilities through automated testing, deep API discovery, and clear remediation guidance—so security keeps pace with modern development cycles.
