Rockshot

RockShot is a free-to-play dynamic shooter featuring PvP and PvE modes, weapon customization, and competitive multiplayer systems. While core gameplay mechanics are central to the experience, non-gameplay services underpin player progression, monetization, and social systems.

Soleil Ltd required structured security validation across backend and service-layer components, including:

• API endpoints
• Player lobbies
• Authentication workflows
• Shop and transaction systems
• Inventory and equipment management
• Cosmetic item handling
• Player profile management
• Territory and clan systems
• Building systems

In free-to-play titles with in-game economies and competitive environments, vulnerabilities in backend services can impact progression, monetization integrity, and player trust.

Cyrex conducted comprehensive grey box penetration testing, combining architectural awareness with real-world attack simulation.

The engagement focused specifically on non-gameplay functionalities to ensure secure validation of core service components.

We evaluated:

• API endpoint security
• Authentication and session management
• Access control enforcement
• Data handling across player accounts

The objective was to ensure that backend services properly validated user actions and restricted unauthorized access.

Cyrex also assessed:

• Shop and transaction logic
• Inventory and equipment management systems
• Cosmetic item integrity
• Territory and clan functionality
• Player lobbies and building systems

We tested whether economic and social systems could be manipulated through parameter tampering, logic flaws, or improper authorization.

Through structured testing, Cyrex identified multiple vulnerabilities, many deemed high priority by the development team.

We delivered:

• A comprehensive, structured security report
• Clear vulnerability descriptions
• Prioritized remediation guidance aligned with best practices

This enabled Soleil Ltd to address issues efficiently and reinforce backend security controls.