// CASE STUDY · 2026.03.22 · 3 min read · tags: case-study, pen-test, remediation

In Q2 2026 we ran a four-week penetration test against Northstar Robotics, a fleet-management SaaS for autonomous logistics vehicles. The engagement covered their production web app, the operator mobile apps (iOS + Android), and their customer-facing API.

We found 28 issues — two critical, four high, nine medium, eight low, five informational. None of those numbers are unusual. The unusual part: by the time we sent the final report, 20 of the 28 were already fixed. Six more had open PRs. Two were deferred deliberately, with a documented exception.

That’s 71% of findings closed inside the engagement window. The only baseline we have for this customer is their previous pen-test, which closed 12% in the same window.

How

We work in your repo, not adjacent to it. Specifically:

Day one: we file findings as we discover them. The first finding (a stored XSS in the fleet-name field) was in their tracker by the end of Tuesday of week one. The first PR from their team landed Thursday.

Daily 15-minute sync. Their VP of Engineering, Sayid Ahmadi, joined the call most days. The conversations were five minutes of new findings, ten minutes of “yeah, we’ve started on YS-004, anything you’d add?”

We re-test in-engagement. Once a finding has a PR, we re-run the original proof-of-concept against the staging branch before merge, and we exercise the neighbouring paths the fix touched. If the fix is incomplete, or breaks a related path, we catch it inside 24 hours instead of three months later.

The final report is a summary, not a discovery. By the time it ships, nothing in it is news to the customer’s team. The report exists to be shared with auditors and customers, not to be the primary signal channel.
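As an added illustration of what an in-engagement re-test can look like when it lives in the customer’s repo, the block below models the one finding the case study names, the stored XSS in the fleet-name field. It is example code written for this page, not Northstar’s or Yeti’s code, and the renderer functions, the payload list and the allowed-tag set are all assumptions. It pairs a vulnerable renderer (the ‘before’) with a hardened one and runs a constructed payload set through each, parsing the output the way a browser would and flagging any tag, event-handler attribute or javascript: URL that survives. The same check, committed as a CI test against the fixed renderer, is what turns a one-off re-test into a regression guard.

```python
"""Regression check for a stored-XSS fix (hypothetical example for this page).

Models a fleet-name field: a vulnerable renderer that interpolates the stored
value into HTML, the hardened renderer, and a re-test that reports which
constructed payloads still produce executable markup. Not the customer's code.
"""

import html
from html.parser import HTMLParser

# Constructed payloads (not taken from the engagement): tag break-out,
# attribute-context break-out, an SVG handler, a javascript: URL, and one
# benign name with an ampersand that must render intact (no false positive).
XSS_PAYLOADS = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
    "<svg onload=alert(1)>",
    '<a href="javascript:alert(1)">fleet</a>',
    "Depot 7 & Sons",
]

# The only element the template itself is allowed to emit (assumption).
ALLOWED_TAGS = {"h1"}


def render_fleet_name_vulnerable(name: str) -> str:
    """'Before': stored value dropped straight into text and attribute context."""
    return f'<h1 class="fleet" title="{name}">{name}</h1>'


def render_fleet_name_fixed(name: str) -> str:
    """'After': escaped for both contexts; quote=True covers the attribute."""
    safe = html.escape(name, quote=True)
    return f'<h1 class="fleet" title="{safe}">{safe}</h1>'


class _MarkupAudit(HTMLParser):
    """Collects the tags a browser would build from the output and flags
    anything outside the template's own wrapper or anything that can run."""

    def __init__(self) -> None:
        super().__init__()
        self.violations: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.violations.append(f"unexpected tag <{tag}>")
        for key, value in attrs:
            k = key.lower()
            if k.startswith("on"):
                self.violations.append(f"event handler {k}")
            if k in {"href", "src"} and value and value.strip().lower().startswith("javascript:"):
                self.violations.append(f"javascript: URL in {k}")


def retest(render) -> dict:
    """Run every payload through `render`; return {payload: [violations]}
    for the payloads that still land as active markup. Empty dict == pass."""
    failures = {}
    for payload in XSS_PAYLOADS:
        audit = _MarkupAudit()
        audit.feed(render(payload))
        audit.close()
        if audit.violations:
            failures[payload] = audit.violations
    return failures


def fix_verified() -> bool:
    """True when the hardened renderer neutralises every payload."""
    return not retest(render_fleet_name_fixed)


if __name__ == "__main__":
    before = retest(render_fleet_name_vulnerable)
    print(f"vulnerable renderer: {len(before)} payload(s) still execute")
    for p, why in before.items():
        print(f"  {p!r}: {', '.join(why)}")
    print("fixed renderer passes:", fix_verified())
```

Parsing the rendered output, rather than grepping it for `<script>`, is the point: the attribute break-out and the javascript: URL never contain a script tag, and an encoder that only handles text context would pass a naive string check while still leaving the attribute injectable.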

Why this matters

The conventional pen-test model assumes the report is the deliverable. The findings are sealed until they ship. The customer then opens the PDF, prints six pages, and adds half the medium-severity items to next quarter’s backlog, where most of them age out.

We think the engagement is the deliverable — the report is just the artifact that proves it happened.

// from the customer

“Yeti shipped twelve PRs against findings during the engagement. Our previous pen-test gave us a PDF.”

— Sayid Ahmadi, VP Engineering, Northstar Robotics

What it cost

The engagement was scoped at $55K, four weeks, two senior testers. We delivered slightly under the scoped hours: the customer’s team turned fixes around quickly, which kept our re-test cycles short, and short re-test cycles are the cheapest version of an engagement to run.

For comparison, Northstar’s prior pen-test (different vendor, similar scope) ran $48K, took three calendar months from kickoff to report, and closed 12% of findings inside the engagement window.

Reading

The redacted final report is available on request to qualified prospects. Email [email protected] and we’ll send a copy inside an hour.
