
Every engineering team has a backlog item that never got picked up. Most of the time, nothing comes of it. This is the story of the one time it did.
A growing New Zealand SaaS company, which will stay unnamed here because the lesson matters more than the embarrassment, was six months into a fast growth push. A contractor doing a routine code review flagged something small on an internal ticket: an API endpoint tied to discount codes did not properly check whether the amount being applied matched what the account was actually entitled to. The note read, almost word for word, “should validate server side, low priority for now.”
It sat in the backlog for four months.
How a small ticket became a $200,000 problem

The team was not careless. They were busy, which is a different thing entirely. New features were shipping every two weeks. The discount endpoint worked exactly as intended for every normal customer, so nothing about it ever looked broken from the outside.
Then finance noticed a gap between issued discounts and the marketing campaigns that were supposed to explain them. A small number of accounts had been applying discount values that did not exist anywhere in the company's actual offers, again and again, for weeks. By the time the pattern was confirmed, the company was looking at fraudulent discounts, chargebacks, the engineering hours needed to trace and patch the issue, the compliance reporting that came with it, and a noticeable dent in a fundraising conversation that was already underway. The final number landed north of $200,000.
The endpoint at the center of it all was the exact one flagged four months earlier. Nobody had ignored a warning out of arrogance. The warning had simply never been tested.
What a 2-hour pentest actually looks like

Here is the part most founders do not expect. Catching this would not have needed a six-week engagement or a full application audit. It would have needed a short, scoped test aimed at one part of the system: the discount API and the logic sitting behind it.
A focused API pentest service does not test everything a product does. It targets a specific set of endpoints, the kind that move money, change permissions, or touch sensitive data, and tries every reasonable way to break them. For an endpoint like this one, a competent tester would have sent a request with a discount value the account was never authorized to receive, watched whether the server accepted it, and had an answer within two hours. That is the entire test. No new infrastructure. No weeks of waiting.
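To make the flaw and the check concrete, here is an added example that is not the unnamed company's code or Capture The Bug's: a discount handler that trusts the percentage the client sends, beside a hardened version that takes the amount from a server-side catalog and checks the account's entitlement. The catalog, plan names, account ids and the two probe requests are all constructed for the example; the probe functions model the request described above, a valid code paired with a value the offer never granted.

```python
"""Added example, not code from the article or the company it describes.
The catalog, plans and account ids below are constructed for illustration."""
from dataclasses import dataclass
from decimal import Decimal

# Constructed catalog standing in for the company's real offers: the percentage
# each code grants and which plans are entitled to use it.
DISCOUNT_CATALOG = {
    "LAUNCH10": {"percent": Decimal("10"), "eligible_plans": {"starter", "growth"}},
    "PARTNER25": {"percent": Decimal("25"), "eligible_plans": {"growth"}},
}

# Where the hardened handler records a client amount that disagrees with the
# catalog. In a real service this would go to the audit log finance already reads.
AUDIT_LOG = []


@dataclass
class Account:
    account_id: str
    plan: str


class DiscountRejected(Exception):
    """Raised when a discount request fails server-side validation."""


def _price_after(subtotal, percent):
    """Subtotal minus a percentage, rounded to cents."""
    subtotal = Decimal(str(subtotal))
    return (subtotal * (Decimal(100) - percent) / Decimal(100)).quantize(Decimal("0.01"))


def apply_discount_vulnerable(account, body, subtotal):
    """The flaw the article describes: the code is checked for existence, but
    a percentage supplied by the client is trusted over the catalog, and the
    account's entitlement to the code is never checked."""
    offer = DISCOUNT_CATALOG.get(body.get("code"))
    if offer is None:
        raise DiscountRejected("unknown code")
    percent = Decimal(str(body.get("percent", offer["percent"])))  # client-controlled
    return _price_after(subtotal, percent)


def apply_discount_hardened(account, body, subtotal):
    """Server-side validation: the only client input that matters is the code.
    The amount comes from the catalog, and the account must be entitled to it."""
    code = body.get("code")
    offer = DISCOUNT_CATALOG.get(code)
    if offer is None:
        raise DiscountRejected("unknown code")
    if account.plan not in offer["eligible_plans"]:
        raise DiscountRejected("account not entitled to this code")
    if "percent" in body and Decimal(str(body["percent"])) != offer["percent"]:
        # Still honoured at the catalog rate, but a mismatch is exactly the
        # signal worth alerting on instead of leaving it for finance to notice.
        AUDIT_LOG.append(
            f"account={account.account_id} code={code} "
            f"client_percent={body['percent']} catalog_percent={offer['percent']}"
        )
    return _price_after(subtotal, offer["percent"])


def inflated_amount_blocked(handler):
    """The scoped check from the article: a valid code with a percentage the
    offer never granted. True if the handler refuses the request or ignores
    the inflated number and charges the catalog price."""
    account = Account("acct-001", "starter")
    try:
        charged = handler(account, {"code": "LAUNCH10", "percent": 90}, "100.00")
    except DiscountRejected:
        return True
    return charged == _price_after("100.00", DISCOUNT_CATALOG["LAUNCH10"]["percent"])


def enforces_entitlement(handler):
    """Second probe: a starter-plan account using a code reserved for the
    growth plan. True only if the handler rejects it."""
    try:
        handler(Account("acct-002", "starter"), {"code": "PARTNER25"}, "100.00")
    except DiscountRejected:
        return True
    return False


if __name__ == "__main__":
    for name, handler in (("vulnerable", apply_discount_vulnerable),
                          ("hardened", apply_discount_hardened)):
        print(name, "| inflated amount blocked:", inflated_amount_blocked(handler),
              "| entitlement enforced:", enforces_entitlement(handler))
    for entry in AUDIT_LOG:
        print("audit:", entry)
```

The two probe functions are the part worth keeping around: dropped into the test suite, they turn the contractor's "should validate server side" note into a failing test that blocks the release until the check exists, which is a much better place to store that risk than a backlog ticket.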
This is also why penetration testing for startups looks different from penetration testing for a 500-person enterprise. A startup does not need to test every corner of its product every month. It needs the handful of endpoints that touch money, accounts, and customer data tested properly, especially right before launch and right after anything in that area changes.
If there is an old ticket sitting in a backlog somewhere with a note like “should validate this eventually,” now is a reasonable time to find out what it is actually worth. Book a demo with Capture The Bug and get a scoped test on the parts of your product that would hurt the most if something slipped through.
The real math behind penetration testing cost

This is usually where the conversation stalls. Founders assume a proper test means a large invoice and weeks of delay, so the backlog item stays exactly where it is.
The reality is more forgiving. Penetration testing cost in Australia and New Zealand varies a lot depending on scope, and a full application test naturally costs more than a two-hour targeted check on a single API. But even a complete, CREST-certified engagement still sits far below what this one company ended up paying in fraud losses, engineering time, and a stalled fundraising round. A scoped test on a handful of high-risk endpoints, the kind most relevant to an early-stage product, costs a fraction of that again.
The honest comparison is not test cost against zero. It is test cost against the cost of finding out the hard way, which this company now knows in painful detail.
Put plainly, the invoice for a scoped test rarely reaches five figures. The bill for ignoring one, as this story shows, can run well past six. That gap is the entire argument for testing early rather than waiting for finance to spot something odd in the numbers.
Why backlog tickets are the wrong place to store risk

The deeper issue here was never the missing validation check itself. It was where the warning lived. A line in a project management tool, buried under feature requests and bug fixes, has no urgency attached to it. Nobody walks past it daily. Nobody is accountable for clearing it before the next release.
A flagged risk needs somewhere that gets looked at on a schedule, ideally by someone whose job is to confirm whether it is actually exploitable, not just theoretically possible. That is the gap that structured penetration testing closes. A tester does not just note that something looks risky. They try to break it, confirm whether it works, and hand back a clear answer instead of a guess sitting in a backlog.
What this means for your roadmap
Most startups are not sitting on a $200,000 bug because their engineers are careless. They are sitting on one because a reasonable-sounding note got deprioritized in favor of the next feature, and nobody ever circled back with a real test to settle the question.
The fix is rarely as big as founders fear. A scoped penetration testing service, aimed at the endpoints that touch money and customer data, can close that gap in hours, not months. For a startup heading into a funding round or a compliance review, that same scoped test doubles as proof to investors and buyers that security gets checked, not just assumed.
The next backlog ticket that says “low priority for now” might be nothing. It might also be the next $200,000 lesson. The only way to know which it is is to actually test it.
FAQ
How much does penetration testing cost in Australia and New Zealand?
It depends heavily on scope. A full application test costs more than a targeted check on one or two high-risk endpoints, such as an API tied to payments or discounts. Most startups get the most value from starting with a scoped test on the parts of the product that touch money or customer data, then expanding from there.
What is an API pentest, and does a startup actually need one?
An API pentest service focuses specifically on the endpoints behind a product's features, the parts a normal user never sees directly. Most modern SaaS products run on APIs, so a flaw in one endpoint, like the discount logic in this story, can cause damage even if the rest of the application looks completely secure.
How long does a focused pentest actually take?
A scoped test on a small set of endpoints can often be completed in a few hours, not weeks. A full application test takes longer, but startups rarely need to test everything at once. Testing the highest-risk areas first is usually the more practical approach.
Why didn't a code review catch this before it became a problem?
A code review can flag something as worth checking, but it does not confirm whether the flaw is actually exploitable. That confirmation only comes from someone actively trying to break it, which is the core difference between a review and a real test.
Is penetration testing for startups different from testing for a large company?
Yes. A startup usually does not have the budget or the surface area to justify testing everything constantly. The more effective approach is testing the handful of endpoints and flows that would cause the most damage if something went wrong, then revisiting them as the product grows. A scoped penetration testing service built around that priority list tends to fit a startup's budget and timeline far better than a full audit on day one.