At a glance
- AI pentest simulated real attacker behavior across the application
- 54 validated findings, grouped by severity with reproducible attack paths
- Clear remediation guidance used directly by engineers
- Automatic retesting confirmed when fixes resolved issues
- Structured pentest report used in partner, audit, and due diligence conversations
Smartendr, now part of orderBilly, is an ordering platform for bars and restaurants. The platform processes around €10 million in transactions each month and serves roughly one million end users. Payments, point-of-sale integrations, and customer data are central to the product, making application security a core requirement for the business.
“I’m mainly responsible for the technical side of the company,” says Robin Praet, co-founder and CTO of Smartendr. “That includes platform architecture, integrations, and security.”
When periodic checks stopped being enough
As Smartendr grew in transaction volume and user base, the company’s risk profile changed.
“We now have around one million end users every month. At that scale, it only takes a single malicious actor to exploit a weakness.”
Security expectations from restaurants and partners were high. Orders appearing in point-of-sale systems needed to be correctly paid and protected against tampering. At the same time, features such as loyalty programs meant the platform handled personal customer data.
Before adopting Aikido's AI pentesting, Smartendr relied on best practices, manual reviews, and ad hoc security checks. While these approaches provided coverage, they did not offer a complete or current view of how the platform could be attacked.
“The biggest issue was fragmentation,” says Robin. “There was no single view of our security posture, which makes it easy to miss edge cases, especially around APIs and integrations.”
With continuous releases and multiple integrations, gaps between security checks became harder to justify.
“It became clear that security could not rely on periodic checks alone,” Robin says. “It needed to fit into how we build and ship software.”
Choosing AI pentesting that fits development workflows
When evaluating solutions, Smartendr looked for a way to test security realistically without slowing development.
“Aikido fit our way of working. It integrates into our development flow, gives continuous feedback, and focuses on real, actionable risks instead of noise.”
Rather than introducing new processes or heavy coordination, the team wanted security testing that engineers could run and act on directly.
Running the AI pentest
Getting started required minimal setup. Because Smartendr’s codebase was already connected to Aikido, launching the AI pentest took only a few clicks.
“There was no heavy configuration or preparation needed,” Robin explains. “Security should be easy to activate, not a separate project.”
The pentest ran against Smartendr’s application and surfaced 54 findings.
“At first, it was confronting to see how thorough the results were,” Robin says. “At the same time, it gave us a clear picture of what to improve.”
Realistic testing and clear prioritization
According to Robin, the tests felt closer to real-world attacks than traditional pentests.
“The agents behaved more like an actual attacker exploring the system. That made the results more relevant than a checklist-style pentest.”
Each finding was validated and grouped by severity, making it easy to understand where to focus first. Reproducible steps showed how issues could be exploited in practice.
“The validation steps made it much easier to trust the findings and avoid chasing false positives,” Robin explains.
Some of the most valuable findings were non-obvious issues that appeared only when multiple systems interacted.
From fixes to verified results
Once engineers started remediation, the guidance provided helped them move quickly.
“The recommendations were concrete and actionable,” says Robin. “Engineers could go straight from understanding an issue to fixing it.”
Automatic retesting confirmed whether fixes actually resolved the problems.
“Once a fix is in place, you get immediate confirmation,” Robin says. “That removes uncertainty and saves time.”
Results and impact
After addressing the findings, Smartendr gained more confidence in its security posture.
“We have a clearer understanding of our weakest points,” Robin explains. “Not because everything is perfect, but because the biggest risks are identified and addressed.”
The final pentest report also supported conversations outside engineering.
“Instead of vague statements about security, we could show a structured and recent assessment with clear findings and follow-ups,” Robin says. “That made conversations with partners, auditors, or potential acquirers more concrete.”
The experience also influenced how the team approaches security going forward.
“Security is no longer something we check occasionally,” Robin says. “We think more proactively about attack surfaces and edge cases when building new features.”
Summary
“It gave us a much clearer and more realistic view of our actual risk, without slowing down how we build and ship software,” Robin concludes.
