Azure DevOps - 2025 Penetration Test
Casaba Security performed a focused penetration test of specific Azure DevOps components, including GitHub Advanced Security features and Shared Platform Services supporting authentication, token validation, and service-to-service access. The five-week assessment combined architecture reviews, source code review, dynamic testing, and manual verification of authorization controls, token and session handling, and user-supplied input processing. Testing was conducted in coordination with the service teams, with findings discussed with engineering throughout the engagement to confirm impact and mitigation options.
View on Service Trust Portal →
M365 - Third-Party Vulnerability Assessment (2025)
Over a nine-month engagement, Casaba Security conducted a security review across 19 Copilot implementations, 24 web applications, and 5 desktop applications within the Microsoft 365 suite. Casaba's dedicated AI security testing team used custom in-house LLM test automation alongside manual testing to evaluate both traditional web application security and AI-specific attack surfaces. Activities included information gathering, public documentation review, architectural design review, and hands-on testing of in-scope components.
View on Service Trust Portal →
M365 - Third-Party Vulnerability Assessment of M365 Copilot (2024)
Casaba Security assessed the security of Microsoft 365 Copilot, testing for both AI-specific and traditional security vulnerabilities across the Copilot experience. The engagement included automated fuzzing and manual prompt injection testing to evaluate the system's resistance to cross-prompt injection attacks, data exfiltration, and responsible AI violations. Casaba validated behavior across multiple RAI harm categories and applied Microsoft's Vulnerability Severity Classification for AI Systems.
View on Service Trust Portal →
Azure DevOps - Penetration Test Summary Report (2024)
Casaba Security performed a security assessment of the Azure DevOps platform during September 2024, targeting high-priority flows including authentication processes, identity management, proof of presence implementations, and the Extension Marketplace. The assessment used a gray-box approach combining source code review with dynamic testing. Approximately 35% of the engagement focused on static code analysis across the codebase, 40% on manual code review of key areas, and the remainder on design review, dynamic testing, and infrastructure analysis. The team worked closely with Microsoft engineering, conducting deep-dive interviews and detailed code reviews while maintaining access to development environments for live testing.
View on Service Trust Portal →
Third-Party Vulnerability Assessment of Purview Data Governance (2024)
Microsoft engaged Casaba Security to perform penetration testing of the Purview Data Governance application. This assessment evaluated the security posture of the data governance platform, which provides organizations with tools for managing and governing their data estate across on-premises, multi-cloud, and software-as-a-service environments.
View on Service Trust Portal →
Dynamics 365 - Sales - Security Assessment Penetration Test (2022)
Casaba Security performed a security assessment of the Dynamics 365 Sales platform. The team worked closely with the product team to identify important in-scope features and address specific areas of concern. Testing covered multiple attacker perspectives, evaluating the platform's security under different threat models, ordered from the least to the most likely real-world scenario.
View on Service Trust Portal →
Microsoft Intune Infrastructure - Third Party Penetration Test (2018)
Casaba Security conducted two in-depth penetration tests of the Microsoft Intune applications and services infrastructure between September and December 2018. This assessment evaluated the security of the Intune mobile device management and mobile application management platform, which organizations use to manage and secure employee devices and applications.
View on Service Trust Portal →