At a glance
- AI pentest simulated real attacker behavior across the application and integrations
- Shift from fragmented, periodic checks to a clear, prioritized view of real payment risk
- 54 validated findings grouped by severity with reproducible attack paths
- Clear remediation guidance used directly by engineers
- Automatic retesting verified that fixes actually removed vulnerabilities
- Structured pentest report used in partner, audit, and due diligence conversations
Smartendr, now part of orderBilly, is an ordering platform for bars and restaurants. The platform processes around €10 million in transactions each month and serves roughly one million end users. Payments, point-of-sale integrations, and customer data are central to the product, making application security a core requirement for the business.
“I’m mainly responsible for the technical side of the company,” says Robin Praet, co-founder and CTO of Smartendr. “That includes platform architecture, integrations, and security.”
As Smartendr scaled, the team faced a familiar challenge for fast-growing platforms: moving quickly while maintaining confidence in where real risk actually existed.
Challenge: moving fast without full visibility into real risk
As Smartendr grew in transaction volume and user base, its risk profile changed significantly.
“We now have around one million end users every month. At that scale, it only takes a single malicious actor to exploit a weakness.”
Security expectations from restaurants and partners were high. Orders appearing in point-of-sale systems needed to be correctly paid and protected against tampering. At the same time, features such as loyalty programs meant the platform handled personal customer data.
Before adopting Aikido's AI pentesting, Smartendr already followed security best practices. The team relied on a combination of preventive controls, manual reviews, and periodic checks. While this provided baseline coverage, it did not offer a complete or current picture of how the platform could be attacked in practice.
“The biggest issue was fragmentation,” says Robin. “There was no single view of our security posture, which makes it easy to miss edge cases, especially around APIs and integrations.”
With continuous releases and multiple integrations, gaps between security checks became harder to justify. The team needed a way to understand where they were most vulnerable right now, not just where issues might exist in theory.
“It became clear that security could not rely on periodic checks alone,” Robin says. “It needed to fit into how we build and ship software.”
Solution: AI pentesting that shows real attack paths and clear priorities
When evaluating solutions, Smartendr looked for security testing that reflected real-world attack behavior without slowing development.
“Aikido fit our way of working. It integrates into our development flow, gives continuous feedback, and focuses on real, actionable risks instead of noise.”
Smartendr was already using Aikido for preventive security controls. What the AI pentest surfaced was not forgotten basics but realistic attack paths that only emerge when APIs, payments, and point-of-sale integrations interact under real-world conditions.
Getting started required minimal setup. Because Smartendr’s codebase was already connected to Aikido, launching the AI pentest took only a few clicks.
“There was no heavy configuration or preparation needed,” Robin explains. “Security should be easy to activate, not a separate project.”
The AI pentest ran against Smartendr’s application and surfaced 54 validated findings. While confronting at first, the results provided clarity rather than confusion.
“At first, it was confronting to see how thorough the results were,” Robin says. “At the same time, it gave us a clear picture of what to improve.”
Unlike traditional checklist-style pentests, the AI agents behaved like a real attacker exploring the system. Each finding was validated, grouped by severity, and accompanied by reproducible steps showing how the issue could be exploited in practice.
“The agents behaved more like an actual attacker exploring the system. That made the results more relevant than a checklist-style pentest.”
This allowed Smartendr’s engineers to immediately distinguish what needed to be fixed urgently from what could be prioritized over time.
“The validation steps made it much easier to trust the findings and avoid chasing false positives,” Robin explains.
Some of the most valuable discoveries were non-obvious issues that only appeared when multiple systems interacted, exactly the kind of risk that is hardest to reason about through manual reviews alone.
From assumptions to verified risk reduction
Once remediation began, the guidance provided helped engineers move quickly from understanding issues to fixing them.
“The recommendations were concrete and actionable,” says Robin. “Engineers could go straight from understanding an issue to fixing it.”
Automatic retesting played a critical role in closing the loop. Instead of assuming fixes worked, the team could verify that vulnerabilities were actually removed.
“Once a fix is in place, you get immediate confirmation,” Robin says. “That removes uncertainty and saves time.”
The final pentest report also strengthened conversations beyond engineering. Rather than relying on high-level assurances, Smartendr could point to a structured, recent assessment with clear findings and follow-ups.
“Instead of vague statements about security, we could show a structured and recent assessment. That made conversations with partners, auditors, or potential acquirers more concrete.”
Outcome: clarity, prioritization, and continuous security
After addressing the findings, Smartendr gained confidence in its security posture, not because every risk was eliminated, but because the most important risks were clearly identified, prioritized, and verified.
“We have a clearer understanding of our weakest points,” Robin explains. “Not because everything is perfect, but because the biggest risks are identified and addressed.”
Security is no longer treated as an occasional checkpoint. It has become an ongoing, continuously verified practice that fits directly into the development workflow.
“With the help of Aikido Attack, we can think more proactively about attack surfaces and edge cases when building new features,” Robin says.
Summary
“It gave us a much clearer and more realistic view of our actual risk, without slowing down how we build and ship software,” Robin concludes.

