Pentests for student data, the grade engine, and the SSO that connects them.

Student PII lives behind SSO, LMS APIs, and grade engines that admit teachers, parents, and 70k students at the same scope. Our engagements ship roster-IDOR, SSO claim drift, and grade-engine tampering as reproducible PoCs. Reports accepted by FERPA, COPPA, SOC 2, and ISO 27001 auditors.

CREST-conducted · CERT-In empanelled · FERPA + COPPA ready

See the edtech attack paths
Student records, roster API, LMS grade engine, and proctoring stream converging on a single proof-of-exploit at the centre.

FERPA + COPPA scoping

Consent boundaries, age-gates, sibling-record IDOR, and parent-proxy paths threat-modelled before testing starts.

Working proof-of-exploit

Captured roster API responses, LTI launch tampering traces, and grade-write deltas, not a scanner score.

Re-test included

Every finding re-tested after your team ships the fix. Written closure your auditor will accept.

Three doors into edtech security.

Pick the engagement that fits your stack: roster APIs, LMS integrations, grade engines, proctoring AI. FERPA, COPPA, and SOC 2 evidence travels with every report.

BugDazz Autonomous

Continuous coverage on OneRoster endpoints, Canvas and Brightspace API tokens, and grade-engine writes between annual pentests. SOC 2 evidence on every run.

Red team engagement

Unannounced tests against student records, grade engines, and proctoring streams. We measure whether your SOC catches roster exfil and SSO replay before the press does.

AI and LLM pentest

We test AI tutors, proctoring vision models, and grading copilots: prompt injection, student-PII exfil, grading-bias manipulation, COPPA under-13 consent boundaries.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

On record

  • CREST accredited
  • CERT-In empanelled auditor
  • AICPA SOC 2 Type II
  • ISO/IEC 27001

Why a privacy review isn't a pentest

A consent box checked is not a record protected.

FERPA reviews, COPPA assessments, and state-privacy questionnaires grade policy and contracts, and a platform with every form signed can still hand an attacker the entire student roster. SecureLayer7's pentesters chain the items a privacy audit calls 'documented': a OneRoster scope, a parent-proxy session, an LTI launch parameter. Then we walk you through the proof your auditor will accept and your product-security team will fix.

In scope

Eight student-data exposure paths. Tested by hand.

Each category is exercised by a pentester with a CVE history in roster, SSO, LMS, and proctoring stacks. Listed in the order an attacker typically chains them.

LMS APIs

IDOR across student records, course-enrollment tampering, role escalation from student to instructor.

SSO + identity

SAML signature wrapping, OAuth/OIDC flow abuse, roster API claim drift, LTI 1.3 launch parameter tampering, parent-proxy boundary abuse.

Grade and quiz engines

Answer-key exfiltration, mid-submission rewriting, time-window race, plagiarism-detector bypass.

Student-data API

Bulk-export drift, FERPA consent-boundary IDOR, directory-info leakage, transcript replay.

Proctoring + remote assessment

Webcam-stream exfil, browser-lockdown bypass, AI-detection evasion, ID-doc liveness bypass.

Mobile edtech app

Biometric bypass, deep-link account takeover, classroom-pairing replay, Keychain drift.

Parent + guardian portal

Parent-proxy session takeover, COPPA-age-gate bypass, sibling-record IDOR.

Payment + billing

Tuition-payment race, fee-waiver tampering, scholarship-eligibility forgery.

EDTECH ATTACK SURFACE.

What an attacker chains to walk student records out of a modern edtech stack.

01

Roster API IDOR

OneRoster GET on /students with a swapped sourcedId, cross-tenant student read across an entire district.

02

SAML signature wrap

Wrapped SAML assertion replays a student session under an instructor NameID, full grade-engine takeover.

03

LTI 1.3 launch tamper

Manipulated launch parameters on the LTI 1.3 deep-link flow, grade-write into the LMS from an external tool.

04

FERPA consent IDOR

Consent-boundary check missing on the guardian-PII endpoint, guardian contact records exposed to siblings and former students.

05

Proctoring webcam exfil

Signed-URL replay on the proctoring stream archive, recorded exam video pulled outside the session window.

06

Mobile deep-link hijack

Malformed deep link on the classroom-pairing flow lands a student session on a researcher-controlled device.

07

COPPA age-gate bypass

Age verification rerunnable through a sibling-account path, under-13 PII accepted without verifiable parental consent.
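The roster IDOR (01), the guardian-PII consent IDOR (04) and the parent-proxy boundary all come down to one missing authorization decision on a student read. The block below is an added example, not SecureLayer7's code and not any LMS vendor's API: it puts a vulnerable OneRoster-style lookup beside a hardened one that checks tenant first, then the caller's relationship to the record. The Caller/Student types, the role names, the helper names and the three-district roster are all constructed for illustration.

```python
"""Tenant- and relationship-scoped read authorization for a OneRoster-style
/students endpoint: the vulnerable lookup beside the hardened one.

Added example, not SecureLayer7's code and not any LMS vendor's API. The
Caller/Student types, role names and the constructed roster are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Caller:
    user_id: str
    tenant: str                          # district (org sourcedId) the session was issued for
    role: str                            # "student" | "teacher" | "parent" | "admin"
    agent_of: frozenset = frozenset()    # students this caller is a guardian of
    teaches: frozenset = frozenset()     # class sourcedIds this caller teaches


@dataclass(frozen=True)
class Student:
    sourced_id: str
    tenant: str
    classes: frozenset
    guardian_contacts: tuple             # FERPA-protected guardian PII


# Constructed roster: s-1001 and s-1002 are siblings in district d-1,
# s-1003 is an unrelated d-1 student, s-2001 belongs to district d-2.
ROSTER = {
    "s-1001": Student("s-1001", "d-1", frozenset({"c-10"}), ("Pat Lee, +1-555-0100",)),
    "s-1002": Student("s-1002", "d-1", frozenset({"c-11"}), ("Pat Lee, +1-555-0100",)),
    "s-1003": Student("s-1003", "d-1", frozenset({"c-10"}), ("Kim Roe, +1-555-0300",)),
    "s-2001": Student("s-2001", "d-2", frozenset({"c-20"}), ("Sam Roe, +1-555-0200",)),
}


def lookup_student_vulnerable(caller: Caller, sourced_id: str) -> Optional[dict]:
    """The IDOR: record existence is the only check, so a swapped sourcedId
    reads any student in any district, guardian PII included."""
    student = ROSTER.get(sourced_id)
    if student is None:
        return None
    return {"sourcedId": student.sourced_id,
            "guardianContacts": list(student.guardian_contacts)}


def authorize_student_read(caller: Caller, student: Student) -> Optional[str]:
    """Decide the view a caller gets: "full", "directory" or None (deny).
    Tenant is checked first so cross-district reads never reach role logic."""
    if student.tenant != caller.tenant:
        return None
    if caller.role == "admin":
        return "full"
    if caller.role == "student":
        # A student sees only their own record; a sibling is another record.
        return "full" if caller.user_id == student.sourced_id else None
    if caller.role == "parent":
        # Parent-proxy: only students the roster lists this caller as agent of.
        return "full" if student.sourced_id in caller.agent_of else None
    if caller.role == "teacher":
        # Directory info for the teacher's own classes, never guardian PII.
        return "directory" if caller.teaches & student.classes else None
    return None


def lookup_student(caller: Caller, sourced_id: str) -> Optional[dict]:
    """Hardened lookup: deny and not-found look identical to the caller, so an
    enumerated sourcedId does not even confirm that the record exists."""
    student = ROSTER.get(sourced_id)
    if student is None:
        return None
    view = authorize_student_read(caller, student)
    if view is None:
        return None
    record = {"sourcedId": student.sourced_id, "classes": sorted(student.classes)}
    if view == "full":
        record["guardianContacts"] = list(student.guardian_contacts)
    return record


def demo() -> dict:
    """Exercise paths 01 and 04 plus the parent-proxy case with constructed callers."""
    sibling = Caller("s-1002", "d-1", "student")
    parent = Caller("p-1", "d-1", "parent", agent_of=frozenset({"s-1001", "s-1002"}))
    teacher = Caller("t-1", "d-1", "teacher", teaches=frozenset({"c-10"}))
    other_district = Caller("s-2001", "d-2", "student")
    return {
        "vuln_cross_tenant": lookup_student_vulnerable(other_district, "s-1001"),
        "fixed_cross_tenant": lookup_student(other_district, "s-1001"),
        "vuln_sibling": lookup_student_vulnerable(sibling, "s-1001"),
        "fixed_sibling": lookup_student(sibling, "s-1001"),
        "parent_own_child": lookup_student(parent, "s-1001"),
        "parent_unrelated_child": lookup_student(parent, "s-1003"),
        "teacher_view": lookup_student(teacher, "s-1001"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The order of checks is the point: tenant before role, relationship before view, and a single not-found response for both "no such record" and "not yours", so the sourcedId space cannot be enumerated through 403-versus-404 differences.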


EDTECH PENTEST METHODOLOGY.

Eight phases. Roster-to-records, closed-loop.

Threat-modelled to your LMS, your roster topology, your LTI tool catalog, and the privacy laws your audit serves. Not a template we run against every SaaS.

01

FERPA + COPPA + state-privacy scope mapping

Consent boundaries, age-gates, district contracts, and state laws (SOPIPA, CCPA-K12, NY Ed Law 2-d) mapped before any traffic.

02

SSO + LTI + roster API audit

SAML, OIDC, LTI 1.3, OneRoster, and instructor/student/parent claim graphs walked end-to-end. One of the two largest bug classes in real edtech.

03

LMS + grade-engine boundary probe

Course-enrollment tampering, role escalation, grade-write reachability from external tools, quiz-engine race windows.

04

Student-data API consent boundary testing

Bulk-export drift, directory-info leakage, transcript replay, FERPA consent-boundary IDOR, sibling-record exposure.

05

Mobile + proctoring runtime audit

Biometric bypass, deep-link takeover, classroom-pairing replay, webcam-stream exfil, browser-lockdown bypass, AI-detection evasion.
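Webcam-stream exfil from an archive usually comes down to a signed URL whose signature covers too little. The block below is an added example, not SecureLayer7's code and not any proctoring vendor's: it shows a signature that covers only the recording id, which replays forever, beside one that binds the exam session and an expiry into the MAC. The host, path layout, query names and demo key are assumptions.

```python
"""Signed archive URLs for a proctoring recording: the unbounded signature an
attacker can replay, beside one bound to the exam session and an expiry.

Added example, not SecureLayer7's code and not any proctoring vendor's. The
hostname, path layout, query names and the demo key are assumptions.
"""
import hashlib
import hmac
from typing import Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

KEY = b"constructed-demo-key-not-for-production"   # assumption: server-side secret
BASE = "https://proctor.example.test/archive/"      # assumption: archive host


def _mac(message: str) -> str:
    return hmac.new(KEY, message.encode(), hashlib.sha256).hexdigest()


# --- Vulnerable: the signature covers only the recording id ----------------
def sign_unbounded(recording_id: str) -> str:
    """Nothing in the signed string ties the link to a session or a time, so a
    link captured during the exam fetches the video whenever it is replayed."""
    return f"{BASE}{recording_id}?" + urlencode({"sig": _mac(recording_id)})


def verify_unbounded(url: str) -> bool:
    parts = urlsplit(url)
    recording_id = parts.path.rsplit("/", 1)[-1]
    sig = parse_qs(parts.query).get("sig", [""])[0]
    return hmac.compare_digest(sig, _mac(recording_id))


# --- Hardened: session and expiry are inside the MAC, not just the query ---
def sign_bound(recording_id: str, exam_session: str, now: int, ttl: int = 300) -> str:
    expires = now + ttl
    sig = _mac(f"{recording_id}|{exam_session}|{expires}")
    return f"{BASE}{recording_id}?" + urlencode(
        {"session": exam_session, "expires": expires, "sig": sig})


def verify_bound(url: str, presented_session: str, now: int) -> Tuple[bool, str]:
    """Returns (accepted, reason). The signature is checked before the expiry,
    so editing `expires` in the query string cannot extend a captured link."""
    parts = urlsplit(url)
    recording_id = parts.path.rsplit("/", 1)[-1]
    q = parse_qs(parts.query)
    try:
        session, expires, sig = q["session"][0], int(q["expires"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    if not hmac.compare_digest(sig, _mac(f"{recording_id}|{session}|{expires}")):
        return False, "bad signature"
    if now > expires:
        return False, "expired"
    if not hmac.compare_digest(session.encode(), presented_session.encode()):
        return False, "session mismatch"
    return True, "ok"


def replay_scenario() -> dict:
    """Capture a link during the exam (t=1000) and replay it an hour later,
    from a different session, and with a forged expiry. Times are constructed."""
    exam_start, later = 1_000, 4_600
    captured_old = sign_unbounded("rec-42")
    captured_new = sign_bound("rec-42", "exam-s1", now=exam_start)
    # Attacker rewrites the expiry in the query string without knowing KEY.
    tampered = captured_new.replace(f"expires={exam_start + 300}",
                                    f"expires={later + 300}")
    return {
        "unbounded_replay": verify_unbounded(captured_old),
        "bound_in_window": verify_bound(captured_new, "exam-s1", now=exam_start + 60),
        "bound_after_window": verify_bound(captured_new, "exam-s1", now=later),
        "bound_other_session": verify_bound(captured_new, "exam-s2", now=exam_start + 60),
        "bound_tampered_expiry": verify_bound(tampered, "exam-s1", now=later),
    }


if __name__ == "__main__":
    for name, result in replay_scenario().items():
        print(f"{name}: {result}")
```

The check that matters for this finding is the one on `presented_session`: an expiry alone still leaves a window in which a captured link works from any browser, so the link has to be bound to the proctoring session that is entitled to it.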

06

Chained finding + FERPA-grade reporting

Findings correlated, chained into roster-to-records attack paths, scored with PII blast-radius. Regulator-ready PDF, severity CREST-mapped.

07

Free re-test

After fixes ship, the same scope is re-exercised. Each proof-of-exploit is re-run against the patch and must fail, with written closure per finding.

08

Detection-engineering handoff

Detection rules, log queries, and runbooks handed to your CISO + product-security so the same chain trips an alarm next time.
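What that handoff looks like for the roster chain, as an added example that is not SecureLayer7's handoff content and not any SIEM's query language: two detections run over constructed access-log lines, one for sourcedId enumeration by a single session and one for a read whose record belongs to a different district than the session. The JSON field names and the log lines are assumptions.

```python
"""Detections for the roster-to-records chain, run over constructed access
logs: sourcedId enumeration by one session, and cross-tenant student reads.

Added example, not SecureLayer7's handoff content. Field names and the log
lines are assumptions; `ts` is epoch seconds.
"""
import json
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed: sess-A is a normal teacher session; sess-B walks sourcedIds
# in order (a 404 included) and finishes with a read from another district.
LOG_LINES = """
{"ts": 100, "session": "sess-A", "session_tenant": "d-1", "path": "/students/s-1001", "record_tenant": "d-1", "status": 200}
{"ts": 101, "session": "sess-A", "session_tenant": "d-1", "path": "/students/s-1001/classes", "record_tenant": "d-1", "status": 200}
{"ts": 200, "session": "sess-B", "session_tenant": "d-1", "path": "/students/s-1001", "record_tenant": "d-1", "status": 200}
{"ts": 201, "session": "sess-B", "session_tenant": "d-1", "path": "/students/s-1002", "record_tenant": "d-1", "status": 200}
{"ts": 202, "session": "sess-B", "session_tenant": "d-1", "path": "/students/s-1003", "record_tenant": "d-1", "status": 200}
{"ts": 203, "session": "sess-B", "session_tenant": "d-1", "path": "/students/s-1004", "record_tenant": null, "status": 404}
{"ts": 204, "session": "sess-B", "session_tenant": "d-1", "path": "/students/s-1005", "record_tenant": "d-1", "status": 200}
{"ts": 205, "session": "sess-B", "session_tenant": "d-1", "path": "/students/s-2001", "record_tenant": "d-2", "status": 200}
"""


def parse_events(text: str) -> List[dict]:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def student_id(path: str) -> Optional[str]:
    """'/students/<id>' or '/students/<id>/...' -> <id>, else None."""
    parts = path.strip("/").split("/")
    if len(parts) >= 2 and parts[0] == "students":
        return parts[1]
    return None


def detect_enumeration(events: List[dict], window: int = 60, threshold: int = 4) -> List[dict]:
    """Alert once per session that touches >= threshold distinct students
    within `window` seconds. 404s count: probing ids that do not exist is
    exactly the signal, so the rule must not filter on status."""
    by_session: Dict[str, List[tuple]] = defaultdict(list)
    for e in events:
        sid = student_id(e["path"])
        if sid:
            by_session[e["session"]].append((e["ts"], sid))
    alerts = []
    for session, hits in by_session.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            distinct = {sid for t, sid in hits[i:] if t - t0 <= window}
            if len(distinct) >= threshold:
                alerts.append({"rule": "roster_enumeration", "session": session,
                               "distinct_students": len(distinct), "from_ts": t0})
                break
    return alerts


def detect_cross_tenant(events: List[dict]) -> List[dict]:
    """A successful read whose record belongs to another district is the
    IDOR itself; after the fix these should only ever appear as 404s."""
    return [{"rule": "cross_tenant_read", "session": e["session"], "path": e["path"],
             "session_tenant": e["session_tenant"], "record_tenant": e["record_tenant"]}
            for e in events
            if e["status"] == 200 and e["record_tenant"] != e["session_tenant"]]


def run_detections(text: str = LOG_LINES) -> List[dict]:
    events = parse_events(text)
    return detect_enumeration(events) + detect_cross_tenant(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(json.dumps(alert))
```

The enumeration rule keys on distinct student ids per session rather than request count, so a teacher paging one student's classes does not trip it, and it deliberately includes 404s, which is what makes it fire while the attacker is still walking the id space rather than after the dump.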

Meet the lead

A pentester who has shipped edtech findings to regulators.

John Dill

vCISO at SecureLayer7

15+

Years in offensive security

150+

Engagements led to date

99.99%

On-time engagement delivery

Leads engagements across LMS, SSO, LTI, and roster APIs. Published CVEs in identity-federation and session-handling components used across edtech SaaS. The pentester your CISO will meet on day one of scoping.

  • Scopes CREST-conducted offensive engagements end-to-end.
  • Translates findings into board-level risk decisions.
  • Owns post-engagement detection-engineering handoff.

Pick a 30-minute slot. We will scope your engagement on the call.

Book a 30-min call

Common procurement questions

What buyers ask about edtech penetration testing.

Six questions district IT, CISOs, and product-security teams send before signing an edtech pentest SOW. Answered against our methodology and your auditor.


Partner tear-sheet

Hand a 2-page EdTech tear-sheet to the buyer.

A printable summary your partner can drop into a pitch deck: named EdTech threats, methodology, compliance mapping, and the engagement leads to call. Saves as PDF from the browser.

Sample edtech pentest report, kill-chain · evidence · remediation

Sample engagement report

See what arrives in your inbox.

A pre-vetted sample report: full roster-to-records kill chain, working PoC traces, FERPA consent diffs, and re-test scope. Sent on request after a 5-minute scoping call.