Case Study

Working with Leroy Merlin to prioritize risks in alignment with their needs

Retail | Milan, Italy



Implementation of websites, mobile apps, and digital payment methods to support e-commerce lead to expanding attack surfaces

Customers making purchases online expose themselves to compromised financial accounts, PII and payment card information

Attacks lead to loss of revenue and credibility for impacted retailers


Hadrian’s attack surface management tools used open source data collectors and passive data sources to identify assets previously unknown to Leroy Merlin

Cross-asset testing analyzed assets across multiple cloud sharing providers and domains and provided information on how they linked together

Fingerprinting technology contextualized assets by considering the language of the application, version and common vulnerabilities

Insights collected were used to develop unique attack paths tailored to Leroy Merlin’s attack surface

Hadrian collaborated with Leroy Merlin’s security team to prioritize risks in alignment with their needs


About Leroy Merlin

Leroy Merlin Italy is subsidiary of Adeo and is based out of Lille, France. A home improvement and gardening retailer, Leroy Merlin serves countries in Europe, Asia, South American and Africa.

Leroy Merlin has 100 000 employees, and €7.5B in annual revenue. In 2020 Leroy Merlin accelerated its digital and cloud transformation, developing online shopping tools and an app. 



Annual revenue

€ 7.5B


Discovering Forgotten Assets

Hadrian deployed asset discovery tools with the express purpose of identifying unknown assets. In the case of Leroy Merlin, Hadrian used prior knowledge of e-commerce security to deploy tools that targeted areas most likely to contain forgotten assets.

For example, application developers in the e-commerce industry often accidentally leave administration pages available allowing attackers to access sensitive administration functions. Hadrian used this insight and deployed a hacking module designed to identify forgotten administration directories/pages.

Hadrian was able to identify a vulnerable endpoint with an unmonitored administration page. 

Group 3901

"Hadrian's platform identifies vulnerabilities in a deeper way than other fully automated tools. The insights provided by Hadrian helped us to improve our system's hardening. Excellent insights."

CISO, Leroy Merlin

False positives removed


Critical risks found


Developing Targeted Testing
to Identify Potential Data Breach

When a forgotten or unmonitored asset was identified Hadrian drew on open-source information and its own logic to determine relevant attack paths. Targeted testing allowed Hadrian to validate Leroy Merlin’s security without overburdening IT infrastructure.

In the case of the unmonitored administration page, Hadrian was able to determine the most effective test by considering the context of the application, specifically its language, and framework. Hadrian ran a test that often revealed risks on assets with similar frameworks.

The test revealed credentials for database passwords and Google Cloud, as well as cookies containing sensitive user information. 

Eventing Technology Generates Complex Attack Paths

Hadrian was built using event-driven technology. Event-driven testing means long, complicated attacks are broken down into smaller components and can be combined in different sequences allowing for flexibility.  In addition,  insights collected through past tests trigger new modules resulting in a testing methodology that is highly adaptable. The smaller components allow Hadrian to adapt as new insights are revealed.

For example, when Hadrian discovered the cookies in the administration page it triggered a hacking tool. The hacking tool used the cookies to gain access to accounts containing sensitive company and customer information.

Hadrian will continue to collect insights and deploy tests in response to changes in Leroy Merlin’s attack surface.