Scene 1 (The Investigation Begins)
OK. I’m irreplaceable. But how do I prove that, objectively?
After playing with ChatGPT in our little experiment, I’d been in a downward spiral. LLMs could automate vulnerability scanning, that much was clear. XBOW was finding SQLi, XSS, XXE… all the OWASP Top 10 classics that filled pentest reports. They were pattern-matching their way through the grunt work, 24/7, no breaks needed.
But business logic? That was different.
Business logic vulnerabilities aren’t about missing input validation or forgotten auth checks. They’re about understanding how an application should work, and finding the ways to abuse it that developers never considered. Objectively, these are the gaps between intention and implementation. This is where the real skill lives. This is where I’ve always made my money. OWASP calls them “the most detrimental to the application” specifically because they require an understanding of the context as well as creativity. A vulnerability scanner can’t detect them. Pattern matching can’t find them.
They require a pentester, a hacker, with the right mindset who understands the business purpose and can find ways around it.
My hypothesis was simple: If I could prove that business logic vulnerabilities were actively exploited by real threat actors, then I’d have evidence that humans were still essential. LLMs might automate the easy stuff, but they couldn’t replace human understanding and reasoning.
I just needed data.
So I set out to find it. Where do sophisticated attackers exploit business logic bugs? I started with APT groups: nation-state actors with the resources, skills, and motivation to find complex vulnerabilities. These groups are extensively documented by threat intelligence teams. CrowdStrike OverWatch, LevelBlue, Mandiant, Kaspersky: they all publish detailed profiles with tactics, techniques, and procedures.
If anyone was exploiting business logic for initial access or post-compromise escalation, it would be APTs. The research should basically gush out of the computer.
I pulled up the first report.
“This type of vulnerability cannot be detected by a vulnerability scanner and relies upon the skills and creativity of the penetration tester. In addition, this type of vulnerability is usually one of the hardest to detect, and usually application specific but, at the same time, usually one of the most detrimental to the application, if exploited.” [1]
Scene 2 (APT: The Search for Evidence)
I started with CrowdStrike’s OverWatch reports. Then Mandiant. Then Kaspersky. I had data in front of me for forty APT groups, hundreds of documented campaigns spanning years of solid threat intelligence work.
After poring through these documents, a pattern formed. It was consistent. It would have been almost boring in its repetition if it weren’t for the details surrounding the attacks. Spear phishing dominated initial access, in around 80% of the campaigns. Another 15% exploited known CVEs. The rest: stolen credentials, strategic web compromises, the occasional zero-day.
Once inside, lateral movement meant Windows-centric pass-the-hash attacks. Privilege escalation was handled with Windows bugs, and persistence was your bog-standard planted backdoors and webshells.
Business logic exploitation? Zero. Not for initial access. Not for escalation. Not for persistence.
How could that be? I searched harder. Re-reading what I’d already read.
The closest I found was APT27 (Emissary Panda), normally known as an espionage group, deploying ransomware in one atypical campaign. But even then it was: webshells, public CVEs, standard TTPs. No business logic.
Forty groups. Zero business logic. But then I realized: these are the APTs that got caught. Getting caught is what leaves evidence, and that evidence is the only reason the data exists. What about the ones that succeed?
I couldn’t shake the thought, maybe I was looking in the wrong place entirely.
“Actors behind advanced persistent threats create a growing and changing risk to organizations’ financial assets, intellectual property, and reputation by following a continuous process or kill chain: Target specific organizations for a singular objective, attempt to gain a foothold in the environment (common tactics include spear phishing emails), use the compromised systems as access into the target network, deploy additional tools that help fulfill the attack objective.” [2]
Scene 3 (The Fraud Discovery)
Maybe business logic exploitation wasn’t about APT groups at all. Maybe I’d fixated on the wrong kind of attack.
I shifted focus. Instead of nation-state espionage, what about fraud? Not data breaches per se, but actual financial fraud. There is tons of fraud that isn’t the phish-your-way-in, encrypt-all-the-data, extort model. There’s policy abuse. Abuse of promotional systems. The kind of exploitation that costs companies money but never gets reported to the FBI.
The numbers hit me immediately.
First-party fraud, users exploiting weaknesses in business logic for direct financial gain, costs businesses $89 billion annually according to PYMNTS research. [3] Meanwhile, the FBI’s Internet Crime Complaint Center reported $16.6 billion in total breach losses for 2024. [4]
Exploitation of business logic issues wasn’t rare at all. It was massive! It just wasn’t being called a “security incident”.
Once I knew what I was looking for, the examples were everywhere. PayPal discovered that fraudsters had exploited its sign-up bonus program to create 4.5 million fake accounts using automated bots, contributing to the company losing approximately 25% of its market value. [5] Citibank’s 2011 web application breach exposed 360,000 customer credit card accounts when attackers discovered they could manipulate account numbers in URLs to access other users’ data, a textbook IDOR (Insecure Direct Object Reference) vulnerability that the company knew about but hadn’t fixed since at least 2008. [6] In 2022, a security researcher discovered a business logic flaw in Coinbase’s trading API that would have allowed anyone to sell cryptocurrency they didn’t own: the system verified a sufficient balance, but not whether the account being debited actually held the asset being sold. Coinbase paid a $250,000 bounty (its largest ever) and halted all new trading within hours after the researcher warned it was “potentially market-nuking.” [7] These weren’t theoretical vulnerabilities in lab environments; these were real exploits causing real financial damage.
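A toy model of the trading-API check described above, added here as an illustration (this is not Coinbase’s code; the wallet ids, the `SellOrder` fields and the sample balances are constructed). The vulnerable form confirms the caller owns the debited wallet and that it holds enough units, but never that those units are the asset being sold; the hardened form adds that one missing comparison.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Wallet:
    owner: str
    currency: str   # asset held in this wallet, e.g. "ETH"
    balance: float


@dataclass
class SellOrder:
    user: str
    product: str        # market, e.g. "ETH-USD": sell ETH, receive USD
    quantity: float     # units of the base asset to sell
    source_wallet: str  # wallet id the seller asks to debit (attacker-controlled input)


# Constructed sample data: one user holding two wallets of different currencies.
WALLETS: Dict[str, Wallet] = {
    "w-eth": Wallet(owner="alice", currency="ETH", balance=0.5),
    "w-shib": Wallet(owner="alice", currency="SHIB", balance=1_000_000.0),
}


def base_asset(product: str) -> str:
    """'ETH-USD' -> 'ETH': the asset a sell order actually disposes of."""
    return product.split("-")[0]


def _owned_wallet(order: SellOrder) -> Optional[Wallet]:
    """Shared ownership check: the wallet must exist and belong to the caller."""
    wallet = WALLETS.get(order.source_wallet)
    return wallet if wallet is not None and wallet.owner == order.user else None


def validate_sell_vulnerable(order: SellOrder) -> bool:
    """'Before' form of the flaw in the text: balance is checked as a bare number,
    so a SHIB wallet can back a sale of ETH."""
    wallet = _owned_wallet(order)
    return wallet is not None and wallet.balance >= order.quantity


def validate_sell_hardened(order: SellOrder) -> bool:
    """Hardened form: the debited wallet must hold the product's base asset."""
    wallet = _owned_wallet(order)
    if wallet is None or wallet.currency != base_asset(order.product):
        return False
    return wallet.balance >= order.quantity


# alice owns 0.5 ETH but points a 1,000 ETH sell order at her SHIB wallet.
BOGUS = SellOrder("alice", "ETH-USD", 1_000.0, "w-shib")
LEGIT = SellOrder("alice", "ETH-USD", 0.25, "w-eth")
```

The bogus order passes the vulnerable check and fails the hardened one; the legitimate order passes both, which is the regression test a fix like this should ship with.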
But none of this showed up in the Verizon DBIR. None of it appeared in threat intelligence reports. None of it was tracked by the security teams publishing the statistics I’d spent weeks reading.
Why? Because, for some strange reason, fraud and breaches live in completely different worlds.
When a customer exploits a promotional code vulnerability, that’s tracked by the fraud prevention team. It goes into payment network reports. It shows up in chargebacks and policy abuse statistics. When an attacker steals customer data, that’s tracked by the security team. It goes into breach notification reports. It shows up in the DBIR.
Business logic vulnerabilities enable fraud. Fraud doesn’t get classified as a cybersecurity incident. It stands to reason, then, that I wouldn’t find business logic exploitation documented anywhere in the security world. It is almost completely invisible to the security industry.
I’d been searching for business logic exploitation in cybersecurity statistics. But fixing business logic bugs doesn’t prevent data breaches, it prevents money loss. And money loss is somebody else’s department!
The APT research hadn’t failed because business logic doesn’t matter. It failed because I was looking in the wrong database entirely.
“Fraud involving the use of advanced deception techniques, social engineering, AI-generated identities, and telemetry tampering surged 180% year-over-year… Fraud is no longer dominated by low-effort, copy-paste attacks. Instead, a growing portion of cases are now engineered with precision, requiring more resources to execute, but also causing far greater damage when they succeed.” [8]
Return to the Pentester’s Guide to AI Disruption: A 6-Part Series
1. OWASP Web Security Testing Guide, “Introduction to Business Logic”
2. CrowdStrike, “Advanced Persistent Threat (APT)”
3. PYMNTS Intelligence, “Protecting Against Promotion Abuse and Other Forms of First-Party Fraud” (July 19, 2022), https://www.pymnts.com/fraud-prevention/2022/pymnts-intelligence-protecting-against-promotion-abuse-and-other-forms-of-first-party-fraud/
4. FBI Internet Crime Complaint Center (IC3), “2024 Internet Crime Report”, https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf
5. Bloomberg, “PayPal Finds Fake Accounts Created to Take Advantage of Incentives” (February 2022); American Banker reports
6. BankInfoSecurity, “Was Citi Breach Preventable?” (2013), https://www.bankinfosecurity.com/was-citi-breach-preventable-a-6042
7. Coinbase Blog, “Retrospective: Recent Coinbase Bug Bounty Award” (February 2022), https://www.coinbase.com/blog/retrospective-recent-coinbase-bug-bounty-award; BankInfoSecurity, “‘Market-Nuking’ Coinbase API Bug Halted New Trading Orders” (February 2022), https://www.bankinfosecurity.com/market-nuking-coinbase-api-bug-halts-new-trading-orders-a-18582
8. Sumsub Identity Fraud Report 2025