How do I check my Supabase RLS policies for security holes?

AuditYourApp performs an automated deep-scan of your Postgres schema. It simulates attacker behavior to identify tables with missing Row Level Security (RLS) policies, permissive "true" policies, and unauthenticated public access risks.

Is AuditYourApp safe to run on a production database?

Yes. The scanner operates in a read-only context for 95% of checks. For write-access verification, it uses transaction rollbacks to ensure no dummy data is left behind.

Does it provide code to fix the security issues?

Yes. Unlike standard scanners that only report errors, AuditYourApp generates the exact SQL snippets and Policy definitions needed to patch vulnerabilities and secure your Supabase project.

What is the difference between the Single Snapshot and Continuous Guard?

The Single Snapshot ($49) is a one-time audit perfect for pre-launch verification. Continuous Guard ($29/mo) runs weekly scans to detect security regressions, ensuring new code pushes do not accidentally expose private data.

Does it offer manual expert review??

Yes, AuditYourApp offers an Expert Architecture Review ($499) which includes manual logic analysis by a human security engineer.

Infrastructure Penetration Test: Essential 2026 Guide

Your app is live. Users are signing up. The product team is shipping quickly, and the backend runs on services that feel managed, modern, and mostly safe by default.

That is exactly when teams miss infrastructure risk.

For startups on Supabase, Firebase, and similar platforms, the weak points are rarely dramatic. They are usually exposed functions, permissive storage, leaked keys in client bundles, weak environment separation, or access rules that look correct until someone tests them like an attacker would. An infrastructure penetration test exists to answer one practical question: if somebody starts probing the systems underneath your app, how far can they get?

What Is an Infrastructure Penetration Test

An infrastructure penetration test is a controlled security engagement where testers try to identify and exploit weaknesses in the systems that support your application. That includes internet-exposed services, cloud configuration, identity boundaries, database access paths, network controls, storage layers, CI/CD touchpoints, and internal trust relationships.

A concerned person holding a glowing digital device while examining cloud infrastructure security through a magnifying glass.

A simple way to think about it is physical security. A vulnerability scanner is like checking whether the locks on your office match a list of known faulty lock models. An infrastructure pentest is hiring a professional team to walk the perimeter, test side entrances, inspect the alarm response, try to reach restricted rooms, and prove what happens after the first door opens.

What it is not

Teams often confuse infrastructure testing with two adjacent activities.

Vulnerability scanning is useful, but it is not the same thing. Scanners identify likely issues based on signatures, versions, and known patterns. They do not reliably show exploitability, attack paths, or business impact.

Application pentesting focuses on the behaviour of your product itself. Think auth flows, business logic, payment abuse, insecure object access, and multi-step privilege bypasses in the app layer. That matters too, but it is a different scope.

Infrastructure work sits underneath that. It asks questions such as:

What is exposed externally: Open services, admin panels, forgotten environments, public buckets, unprotected endpoints.
What trust assumptions fail: Over-privileged roles, weak segmentation, poor secret handling, broad service credentials.
What happens after foothold: Can a low-level compromise turn into wider access across data stores or internal systems?

Why startups should care

Early-stage teams often assume managed services remove the need for this kind of testing. They reduce some operational burden. They do not remove configuration risk.

A proper pentest gives you evidence. It shows what an attacker could do, not just what might be wrong in theory. That matters because 72% of organisations report that penetration tests directly prevented data breaches, saving an average of $1.9 million per incident according to Bright Defence’s penetration testing statistics.

A managed platform can still be insecure if your access model, secrets, or exposed functions are wrong.

For a startup, the value is straightforward. You find real attack paths before a customer, researcher, or attacker finds them first.

Scoping Your First Infrastructure Pentest Engagement

The first pentest usually goes wrong before testing starts. Not because the testers are weak, but because the scope is vague, approvals are incomplete, and nobody has decided what “good coverage” means.

A solid engagement starts with a Rules of Engagement document. That is the operational contract between your team and the pentesters. It defines what is in scope, what is out of scope, when testing happens, which systems are sensitive, who can approve escalation, and what to do if the team finds a severe issue during the test.

The minimum you should define

Before you speak to any provider, get clear on these points:

Assets in scope: Production, staging, admin panels, APIs, storage, CI/CD, mobile backends, edge functions, VPN access, internal networks.
Business constraints: Trading hours, release windows, customer-facing systems, regulated data, systems that cannot tolerate aggressive testing.
Contacts: A named engineering contact, a security contact, and an executive fallback if the testers need urgent approval.
Success criteria: Are you testing exposure from the public internet, validating an assumed breach, or reviewing architecture depth?

If you need help choosing a provider, this guide on pen test partners is a useful starting point for evaluating fit.

Black-box, gray-box, and white-box

The testing model changes what you learn.

According to VikingCloud’s explanation of infrastructure penetration testing, the accepted process starts with reconnaissance and enumeration, then moves to controlled exploitation. The same source also frames the three common approaches that shape scope and depth.

Black-box

The tester starts with little or no internal knowledge.

This is the closest simulation of an outside attacker. It is good for understanding what your public footprint reveals and whether exposed assets can be chained into access. The trade-off is time. Testers spend more effort discovering what exists before they can exploit it.

Gray-box

The tester gets partial knowledge or limited access.

For startups, this is often the best value. You can provide a low-privilege account, limited documentation, or a test user and ask a more targeted question: if an attacker compromises one account or one token, how much can they pivot? This tends to match real incidents better than pure black-box work.

White-box

The tester gets broad internal context.

That can include architecture diagrams, IAM structure, cloud inventory, and source-level insight into how backend components are wired. White-box testing is less realistic as an attacker simulation, but much better for finding deep trust and design failures quickly.

Common scoping mistakes

The teams that get weak outcomes usually make one of these errors:

They scope only the obvious perimeter: Main domain and API, but not admin tools, old staging systems, storage, or mobile backends.
They exclude identity and secrets handling: Which removes some of the most valuable attack paths from the engagement.
They ask for “a pentest” instead of attack scenarios: External breach, assumed breach, insider-style access, and architecture review are not interchangeable.

If your stack uses Supabase or Firebase, ask explicitly whether the engagement will test database exposure, storage permissions, service credentials, and serverless function access paths.

A good scope is narrow enough to be testable and broad enough to reflect how your stack works.

The Pentester's Playbook A Step-by-Step Methodology

A professional infrastructure penetration test looks methodical from the outside, but it feels like a disciplined heist. Every phase builds on the one before it. Good testers do not jump straight to exploitation. They collect context, test assumptions, and chain small weaknesses into credible impact.

Infographic

Reconnaissance

The first phase is quiet. The tester gathers public information and builds an attack map.

That usually includes subdomains, login portals, exposed services, certificate transparency clues, cloud-hosted assets, public code artefacts, and naming conventions that reveal environment structure. Startups often leak more than they realise through old preview deployments, mobile bundles, documentation portals, and neglected admin routes.

This phase matters because later exploitation is faster when the tester already knows where privilege boundaries probably exist.

Scanning and enumeration

Next comes active probing. The tester then starts checking what is really exposed and how systems respond.

The work often includes:

Port and service discovery: Finding reachable services and identifying what each endpoint appears to run.
Version and behaviour checks: Looking for outdated software, weak protocols, permissive responses, and unusual banners.
Auth surface mapping: Enumerating login flows, password reset routes, API gateways, and admin interfaces.
Cloud and backend touchpoints: Identifying storage, functions, database proxies, and externally callable service endpoints.

Enumeration is not glamorous, but it is where many engagements become valuable. The tester stops dealing in assumptions and starts building a realistic path.

Gaining access

This is the phase people picture when they hear “pentest”, but it usually starts from something small.

A low-severity configuration issue by itself may not look dangerous. Combined with a weak service exposure or a leaked secret, it can produce a foothold. The point of a real pentest is not to list isolated weaknesses. It is to show the attack chain.

In UK pentest reporting, testers who got inside the perimeter achieved full control of infrastructure in 100% of tested companies, often reaching maximum domain privileges in an average of 5 days according to Pentest-Tools penetration testing statistics.

For a startup team, the practical lesson is blunt. Once an attacker gets a foothold, small trust errors compound quickly.

Privilege escalation and lateral movement

A foothold is rarely the end goal. The tester now asks a more dangerous question: what else can this access reach?

In traditional infrastructure, that may involve weak internal segmentation, credential reuse, overbroad group membership, or insecure trust between systems. In cloud-heavy startup stacks, lateral movement often looks different. It can mean moving from one service account to another, pivoting from a low-privilege function to broader data access, or using deployment secrets to reach environments that were assumed separate.

What this often looks like in practice

Sometimes it is obvious. An exposed internal admin service accepts weak authentication. More often it is subtle:

a CI token with access beyond build automation
a backend function that trusts caller metadata too easily
a storage rule that reveals enough data to support privilege escalation
a database role with broader rights than the application path needs

Post-exploitation

Post-exploitation is where the tester proves impact without causing harm.

That proof might involve demonstrating access to sensitive records, showing the ability to alter privileged data, validating that secrets can be extracted, or confirming that key systems can be controlled from the achieved position. The tester is not trying to maximise damage. The tester is establishing business risk in concrete terms.

The best pentest reports do not stop at “vulnerable”. They show what an attacker could reach, modify, or extract from that starting point.

For startups, this stage often changes internal priorities. A finding that looked like a minor config issue becomes urgent once the report shows it could expose user data, bypass tenant isolation, or unlock production administration.

Reporting

Reporting is where weak pentests fall apart.

A good report should include the vulnerability, the affected asset, the proof of exploitability, the likely impact, and the practical fix. The reporting standards referenced in the earlier VikingCloud source align with what strong buyers expect: proof-of-concept evidence, likelihood and impact context, and remediation guidance that engineers can use.

A useful report answers these questions

| Question | Why it matters | |---|---| | What exactly is wrong? | Engineers need a specific issue, not a category label | | Where is it exposed? | Teams need the affected system, function, role, or route | | How was it exploited? | Reproducibility helps validation and retesting | | What is the business impact? | Product and leadership need prioritisation context | | What is the fix? | A finding without remediation advice slows everything down |

Remediation support

The final stage is usually not glamorous either. It is confirmation.

Good pentesters help your team validate whether fixes closed the path or only changed the symptom. That matters because infrastructure issues tend to reappear when teams patch the visible endpoint but leave the trust model untouched.

Key Checks for Modern Cloud and BaaS Infrastructure

For teams on Supabase and Firebase, the highest-value checks are rarely the same ones you would prioritise in a classic corporate network. The infrastructure still matters, but the fault lines shift toward access control, service trust, storage exposure, and secrets management embedded in development workflows.

A professional analyzing a cloud computing architecture diagram representing database security and infrastructure penetration testing concepts.

A useful companion read is this practical guide to a cloud penetration test, especially if your backend is spread across managed services rather than traditional hosts.

Row Level Security that looks safe but is not

RLS is one of the biggest traps in modern stacks. Teams add a policy, tests pass for the happy path, and everyone moves on.

The problem is that policy logic can fail under edge conditions. A rule might protect reads but not writes. It might assume a field is immutable when it is not. It might allow broader access through a join, function, or role path than the original author realised.

This is why manual validation matters. According to LRQA’s guide to the fundamentals of infrastructure penetration testing, 40 to 60% of automated vulnerability scanner findings require manual exploitation to confirm genuine risk. For RLS, that gap is especially important. Static checks can tell you a policy exists. They cannot always prove whether tenant isolation holds under realistic queries and state changes.

Public or weakly protected RPCs

Database functions and RPC endpoints often slip through reviews because they feel internal. In practice, if they are callable and under-protected, they become one of the cleanest routes to abuse.

A pentester will check whether a function:

trusts caller-controlled input too broadly
executes with elevated rights
bypasses checks enforced elsewhere in the app
exposes administrative behaviour through a thin wrapper
returns more data than intended under edge cases

This is one of the most common mismatches between application assumptions and infrastructure reality. Developers think a function sits behind UI permissions. Attackers call it directly.

Leaked API keys and service credentials

Frontend bundles, mobile apps, CI logs, and public repositories often leak information that attackers can use as stepping stones. Not every exposed key is catastrophic, but service-role credentials, privileged tokens, and backend configuration secrets are different.

For BaaS stacks, pentesters check where secrets live and how far they reach if exposed. A leaked low-privilege client key may be expected. A leaked service credential or admin secret can turn a harmless artefact into direct data exposure.

Places teams forget to inspect

Client bundles: Web builds often contain URLs, keys, environment markers, and feature flags.
Mobile packages: IPA and APK files frequently reveal backend endpoints and implementation clues.
Serverless config: Edge functions and cloud functions can inherit secrets that are broader than their runtime need.

Storage rules and object exposure

Storage is where many startups accidentally publish more than intended.

The issue is not always a fully public bucket. Sometimes it is partial exposure. Predictable object paths, weak read conditions, broad write permissions, or metadata leakage can all create useful attack paths. In user-generated content systems, storage mistakes can become privacy incidents fast.

Logic flaws in serverless functions

Serverless code often sits in an awkward place. Teams think of it as application logic, but its deployment, privileges, and external exposure make it part of the infrastructure attack surface too.

A pentester will look for functions that:

accept input without strong authorisation checks
trust JWT claims without validating the full context
call privileged backend resources on behalf of weak callers
expose test or admin pathways left over from development

In BaaS environments, the most serious findings often come from trust boundaries that looked “obvious” to the team that built them.

The main takeaway is simple. Modern cloud stacks reduce some operational burden, but they create a different style of infrastructure risk. The dangerous issues are often policy, permission, and trust problems rather than obvious server compromise.

Essential Tools and Automation Strategies

Traditional pentesting tools still matter. They are proven, flexible, and widely understood.

A digital illustration representing infrastructure penetration testing with Nmap, network automation tools, and security monitoring eyes.

Nmap remains useful for discovery and enumeration. Nessus is still common for vulnerability assessment. Metasploit helps validate exploitation paths in controlled scenarios. These tools fit well in consultant-led engagements and mature internal security programmes.

The problem is not the tools themselves. The problem is cadence.

Periodic testing versus continuous testing

Most startups change infrastructure too often for occasional testing to be enough. You add a function, change a policy, push a mobile build, rotate an integration, or expose a preview environment. The attack surface changes before the next manual assessment arrives.

That is why automated validation has become necessary. Not as a replacement for human pentesters, but as a second layer that runs continuously and catches the drift between formal engagements.

A useful comparison looks like this:

| Approach | Good at | Weak at | |---|---|---| | Manual pentest | Attack chaining, business context, logic abuse, exploit proof | Frequency, speed, cost | | Traditional scanners | Broad known-issue detection, recurring baseline checks | False positives, context, nuanced logic flaws | | Modern continuous scanning | Fast feedback on cloud and BaaS misconfigurations, regression detection | Deep adversarial judgement without human review |

Why internal visibility matters

External exposure is only part of the picture. Startup environments often have flat trust assumptions between components, especially when speed wins over segmentation.

According to Bulletproof’s piece on internal pen testing, internal tests reveal 3x more exploitable paths in the flat network designs common in UK startups. That matters for modern stacks because “internal” no longer just means office LANs. It includes backend trust paths, service-to-service permissions, RPC reachability, and data access relationships hidden behind the public app.

What works well in practice

The strongest setup for an agile team usually combines both styles.

Use manual pentests for depth: Especially when architecture changes are large, regulated data is involved, or you suspect trust-model flaws.
Use automation for drift detection: Scan repeatedly for exposed RPCs, misconfigured RLS, leaked keys, public storage, and other regressions introduced by ordinary shipping.
Connect results to delivery: Findings should land where engineers work, not in a PDF nobody reopens.

If you are exploring this model, this overview of automated penetration testing software is a helpful reference point.

What does not work

Teams waste time when they rely on one layer only.

A scanner-only approach misses important context and creates noise. A consultancy-only approach creates long gaps between checks. A compliance-only mindset encourages “pass the test” behaviour rather than steady risk reduction.

The practical target is not perfect coverage. It is shortening the time between introducing a security flaw and detecting it.

That is where automation earns its keep. It gives engineers feedback while the change is still fresh enough to fix cleanly.

Building Your Pentest Plan A Sample Checklist

Most startup pentests go better when someone turns the engagement into an operations checklist rather than a vague security initiative. The table below is built for cloud-heavy teams using managed backends, mobile apps, and fast release cycles.

Pre-Pentest Preparation Checklist

| Phase | Task | Consideration | |---|---|---| | Before the test | Define business-critical assets | Identify production data stores, admin interfaces, mobile backends, storage, edge functions, and any customer-impacting services | | Before the test | Choose the test style | Decide whether black-box, gray-box, or white-box gives the best value for your current maturity | | Before the test | Confirm scope boundaries | List in-scope hosts, apps, APIs, cloud services, environments, and explicit exclusions | | Before the test | Prepare Rules of Engagement | Set dates, testing hours, escalation contacts, safe handling expectations, and stop conditions | | Before the test | Decide access level | For gray-box work, prepare test accounts, sample roles, and any limited credentials the provider needs | | Before the test | Map sensitive data paths | Note which databases, buckets, or functions hold the data you care most about protecting | | Before the test | Identify key control questions | Which RLS policies matter most, which RPCs are privileged, which storage paths should never be public | | During the test | Keep one technical contact available | Testers lose valuable time when nobody can answer architecture or access questions | | During the test | Route urgent findings correctly | Agree in advance who can approve immediate action if the team finds a severe issue | | During the test | Monitor operational impact | Watch logs, alerts, and service health so normal test activity does not trigger confusion | | After the test | Triage findings by exploitability and impact | Separate cosmetic issues from findings that create real access or data risk | | After the test | Assign owners for each fix | Put engineering, platform, and product responsibility against concrete items | | After the test | Validate remediation | Retest the exact exploit path, not just the visible symptom | | After the test | Add recurring checks | Convert repeated classes of issues into CI/CD or release-gate validation where possible |

Questions worth asking before day one

A few questions usually sharpen the engagement fast:

Have we included staging and preview environments if they share trust with production?
Which functions or service accounts can act with elevated permissions?
Which access rules protect tenant data, uploads, and internal admin workflows?
If a mobile app leaks implementation detail, what could an attacker do with it?

The best pentest plans are not the longest. They are the clearest.

From Report to Remediation A Continuous Security Posture

A pentest report only matters if it changes engineering behaviour.

Start with prioritisation. Teams often get distracted by the longest list item rather than the most dangerous one. Fix the issues that create access, lateral movement, or sensitive data exposure first. Leave cosmetic hardening for later unless it forms part of a larger chain.

Turn findings into engineering work

The useful workflow is simple:

Confirm the exploit path
Identify the root cause
Apply the smallest safe fix
Retest the original path
Add a guardrail so it does not return

For BaaS-heavy stacks, root cause usually sits in policy logic, broad privileges, secret handling, or a backend function that trusted the wrong input.

A practical remediation example

If a Supabase policy allows wider reads than intended, the fix is rarely “tighten security” as a generic task. It should become a concrete change to the policy condition and role scope.

For example, teams often move from broad authenticated access to a user-bound condition tied to the current authenticated subject, then re-test with both expected and unexpected identities to prove isolation holds. The exact SQL depends on schema and business rules, so the right fix is always contextual.

Build continuous checks after the report

One-off remediation is not enough in fast-moving teams. Someone ships a new edge function, changes a role, adds a storage path, or updates a client bundle, and the same class of issue comes back.

That why mature teams move from point-in-time pentests to a continuous security posture. Manual testing still has a place. It gives depth, creativity, and realistic attack chaining. But ongoing checks belong in the delivery workflow.

What to automate first

RLS regression checks: Catch policy drift after schema or feature changes.
RPC exposure checks: Identify newly public or weakly protected functions.
Secret leakage checks: Inspect bundles, mobile artefacts, and deployment outputs.
Storage permission checks: Detect accidental public access and broad object operations.

The most effective security habit for startups is not “test annually”. It is “verify every meaningful change.”

When teams do this well, pentests stop being ceremonial. They become one part of a tighter loop: test, prove, fix, validate, and monitor for regression.

AuditYour.App helps teams using Supabase, Firebase, and mobile backends find the kinds of infrastructure issues that are easy to miss during normal shipping. You can run a no-setup scan for exposed RLS rules, public RPCs, leaked API keys, and hardcoded secrets, then use continuous monitoring to catch regressions before they reach users. If you want faster feedback between formal pentests, see AuditYour.App.