// CASE STUDIES · EVIDENCE-DRIVEN

Real projects with measurable outcomes.

We anonymize details to protect client confidentiality. The five cases below are representative projects completed by the Kritera team over the past 24 months. Each is presented in the same three-part form: sector, scale, outcome.

Case 01 — AI Chatbot Security Audit at a Private Bank

Sector: Finance (private bank)
Scale: 8M active customers, LLM-based live support
Duration: 6 weeks
Scope: Prompt injection, output validation, RAG security, KVKK/GDPR compliance

Finding: The customer support chatbot was tested against the OWASP LLM Top 10. 23 critical findings were identified; 4 of them were prompt-injection vulnerabilities that could be abused to manipulate financial commitments made through the bot. In the embedding vector store, 1,847 fragments of customer records were found, and PII redaction was applied to them.

Outcome: All high/critical findings were resolved. A layered system-prompt architecture was introduced, and the privacy notice (KVKK/GDPR) was updated. After 4 months of monitoring, a retest was performed with zero critical findings. The bank received "fully compliant" status under the "artificial intelligence governance" heading of its annual audit.
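The finding above (customer-record fragments in the embedding store) is the kind of problem best caught before indexing rather than after. The following is an added example, not Kritera's or the bank's code: a pre-indexing scrub that redacts e-mail addresses, IBAN-shaped account numbers and Luhn-valid card numbers from RAG chunks, and rejects outright any chunk that is mostly PII (a customer record should never become a vector, even redacted). The detector set, the rejection threshold and the sample chunks are constructed for illustration; a production filter would add sector-specific identifiers (national ID numbers, account IDs) and an NER-based pass.

```python
"""Pre-indexing PII scrub for RAG chunks (added example, not the audited system's code).

Run this on every chunk *before* it is embedded and written to the vector store.
Detectors here are illustrative: e-mail, IBAN-shaped strings, Luhn-valid card numbers.
"""
import re
from dataclasses import dataclass

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Two country letters, two check digits, then 11-30 alphanumerics (length is country-specific).
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
# 13-19 digits, optionally separated by spaces or dashes; validated with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: keeps order numbers and timestamps from being mistaken for cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class ScrubResult:
    text: str
    counts: dict            # redactions per category, kept for the audit trail


def scrub_chunk(text: str) -> ScrubResult:
    """Replace detected PII with typed placeholders and count what was removed."""
    counts = {"email": 0, "iban": 0, "card": 0}

    def tag(kind: str, placeholder: str):
        def repl(_m):
            counts[kind] += 1
            return placeholder
        return repl

    def card_repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # not a card number: leave the digit run untouched
        counts["card"] += 1
        return "[CARD]"

    text = EMAIL_RE.sub(tag("email", "[EMAIL]"), text)
    text = IBAN_RE.sub(tag("iban", "[IBAN]"), text)   # before CARD_RE so the digit tail is not re-matched
    text = CARD_RE.sub(card_repl, text)
    return ScrubResult(text, counts)


def prepare_for_index(chunks, max_redactions: int = 2):
    """Gate for the embedding pipeline.

    Returns (accepted_texts, rejected_indexes). A chunk with more than
    `max_redactions` hits is treated as a customer record, not as content,
    and is dropped instead of being embedded. The threshold is an assumption.
    """
    accepted, rejected = [], []
    for i, chunk in enumerate(chunks):
        result = scrub_chunk(chunk)
        if sum(result.counts.values()) > max_redactions:
            rejected.append(i)
        else:
            accepted.append(result.text)
    return accepted, rejected


# Constructed sample chunks (not real data). 4539 1488 0343 6467 is a Luhn-valid test number;
# 1234567890123 is a plain order number and must survive untouched.
SAMPLE_CHUNKS = [
    "Müşteri ayse.k@example.com, kart 4539 1488 0343 6467, IBAN TR330006100519786457841326, sipariş no 1234567890123.",
    "Kredi kartı ekstresi her ayın 5'inde e-posta ile gönderilir.",
    "Destek: destek@example.com",
]

if __name__ == "__main__":
    ok, dropped = prepare_for_index(SAMPLE_CHUNKS)
    print("accepted:", ok)
    print("rejected chunk indexes:", dropped)
```

Placeholders such as `[EMAIL]` are deliberately typed rather than blank so the retriever still sees that a contact channel exists without learning the value; the per-chunk `counts` are what you would log to prove to an auditor what was removed and when.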


Case 02 — Penetration Testing for a Public Health Authority

Sector: Public health
Scale: 12 hospitals, 30,000+ users, critical patient data
Duration: 8 weeks
Scope: Web + network + system + database penetration testing, TS 13638-aligned reporting

Finding: Testing of the hospital information system (HIS) and its laboratory integration produced 47 high/critical findings. Three of them allowed unauthorized access to patient records; five enabled lateral movement from the administrative network into the clinical network.

Outcome: A 64-page TS 13638-compliant report was delivered, with remediation deadlines of 30 days for critical and 60 days for high findings. A retest 6 months later confirmed that all high/critical findings were closed. The organization became audit-ready under KVKK/GDPR.


Case 03 — Common Criteria (EAL3+) Consulting in Energy

Sector: Energy / critical infrastructure
Scale: Smart meter firmware, millions of subscribers
Duration: 14 months
Scope: ISO/IEC 15408 Common Criteria EAL3+ certification consulting

Finding: EAL3+ certification was targeted for the smart meter firmware. 18 gaps were identified in the existing security architecture, including a missing secure-boot chain, unsigned firmware images, and weak protection against physical attacks.

Outcome: All gaps were closed. The Security Target (ST) and Protection Profile (PP) documents were prepared. Working with an independent evaluation lab (CC ITSEF), the EAL3+ certificate was obtained at the end of the 14 months. The customer became the only certified domestic manufacturer in the EPDK (Turkish energy regulator) compliance process.


Case 04 — RAG Architecture for an E-commerce Platform

Sector: E-commerce / retail
Scale: 2M product catalog, 500K active customers
Duration: 16 weeks (PoC → production)
Scope: RAG architecture design, vector database, secure AI governance

Finding: The customer wanted a natural-language search experience across a 2M-product catalog. Pre-PoC evaluation found that the existing full-text search was limiting conversion rates.

Outcome: The PoC was completed in week 8 (10K products) and production launch followed in week 16. The stack combines OpenAI embeddings, a Qdrant vector database and a custom re-ranking layer, with KVKK/GDPR-compliant logging, prompt-injection defense and cost-anomaly detection. Conversion rate increased by 23% and average session time rose 41%. Monthly AI cost was kept to around USD 0.002 per active customer.


Case 05 — Cybersecurity Training at a Defense Supplier

Sector: Defense industry supplier
Scale: 240 engineers, critical control system development
Duration: 6 months (modular training program)
Scope: Secure coding, threat modeling, IoT security, red-team simulation

Finding: The customer aimed for the entire software team to work with a “secure by design” mindset. Initial assessment showed 62% of the team had insufficient OWASP Top 10 awareness.

Outcome: A 6-month modular program delivered through Kritera Academy: OWASP Top 10, threat modeling (STRIDE), secure-coding examples, and a live red-team attack simulation (CTF). 220 of the 240 engineers completed the program. Post-program measurement showed OWASP awareness at 94% and a secure code review success rate of 78%.

Which Could Be Your Case?

Each organization's cybersecurity or AI journey is unique. In a free 30-minute initial call we clarify your needs and priorities together.