The question the misantropia case forces
On June 20, 2026, an intruder fired fake emergency alerts to millions of phones across Brazil. No zero-day. Just a login: a staffer credential, leaked and reused on a panel with no multi-factor authentication (MFA). The panel was called IDAP. Yours has another name — Stripe Dashboard, AWS console, your SaaS admin, CMS, support panel — but the door is the same.
The uncomfortable question: if one of your team's passwords leaks today, what does it open?
Every SaaS has an IDAP
Think of the panels that, alone, can cause damage at scale:
- The product admin that reads and edits every customer's data.
- The Stripe Dashboard that issues refunds, changes prices, exports customers.
- The cloud console (AWS/GCP) that starts, stops and deletes.
- The CMS / content panel that publishes to everyone.
- The support panel that impersonates users.
Each one is a mass-broadcast waiting for the wrong credential. The misantropia attack showed the cost when that access is too broad and too lightly protected.
The 7 controls that turn a panel into a vault
1. Phishing-resistant MFA, mandatory
Not optional for an admin account, and not SMS: SMS codes are interceptable (SIM swap, SS7 routing) and can be phished like any other code. Use a passkey or FIDO2 security key: the credential is bound to the site's origin, so a look-alike domain has nothing to replay. An authenticator app (TOTP) is the floor, not the goal, because a real-time phishing proxy can relay its six-digit code just as it relays the password. Without a second factor, a leaked password is the access.
2. Leaked-password blocking
Check the password against compromised-credential datasets both when it is set and at every login (the misantropia attack used a password already for sale). Do the lookup by hash prefix, the way Have I Been Pwned's Pwned Passwords range API works: send the first five hex characters of the SHA-1, get back every suffix in that range, and match the rest locally, so the plaintext never leaves your server. Forcing a change when the password shows up in a breach closes the vector before credential stuffing reaches it.
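The prefix lookup described above, as an added example (not code from the original page): the range response is a constructed stand-in for the compromised-password service, with invented counts and filler suffixes, and the `login_decision` policy (forced reset on a correct but breached password) is an assumed design, not something the page prescribes.

```python
import hashlib

# Constructed stand-in for the range lookup of a compromised-password service.
# Have I Been Pwned's Pwned Passwords API has this shape: the client sends only
# the first five hex characters of the SHA-1 of the password and receives every
# "SUFFIX:COUNT" pair in that range, so the password itself never leaves the
# server. The counts and the two filler suffixes below are invented.
PWNED_SUFFIX = "1E4C9B93F3F0682250B6CF8331B7EE68FD8"  # SHA-1("password") minus its 5BAA6 prefix
FAKE_RANGE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "0" * 34 + "A:2",
        PWNED_SUFFIX + ":3861493",
        "F" * 34 + "1:1",
    ]),
}


def fetch_range(prefix: str) -> str:
    """Stand-in for the HTTPS call (GET /range/<prefix>). A prefix with no
    matches yields an empty body, which the parser treats as 'not found'."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def breach_count(password: str) -> int:
    """How many times the password appears in the breach corpus (0 = not found).
    Only the 5-character prefix is sent out; the 35-character suffix is matched here."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def login_decision(password_ok: bool, password: str) -> str:
    """Assumed policy, applied after the password check itself: a correct but
    breached password sends the account to a forced-reset path, not the panel."""
    if not password_ok:
        return "reject"
    if breach_count(password) > 0:
        return "reset_required"
    return "ok"
```

Run the check after the password verifies, not before: you only have the plaintext at login time, and a wrong password should never cost a lookup. Cache the range response per prefix for a few hours so the check adds no latency to the admin login.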
3. Real least privilege and scope
The credential that fired alerts had national reach — it shouldn't have. In your SaaS: separate access by tenant, by environment (dev/stage/prod) and by role. Whoever handles support doesn't need the power to drop the database.
4. Dual approval for irreversible actions
Mass dispatch, refunds above a threshold, production deploys, data deletion: require two people or two distinct factors. A single compromised account cannot cause maximum damage alone.
5. Rotation and session revocation
Privileged passwords expire. Stale sessions die: an idle admin session should time out in hours, not weeks, and a password reset or role change should invalidate every existing session and API token for that account. When someone leaves the team, access disappears the same day, not next quarter: disable the identity in the identity provider, revoke sessions, tokens and SSH keys, and rotate any shared secret they could have seen.
6. Rate-limiting and strong captcha on the admin login
Credential stuffing is automation. Limit attempts per account and per source address, require a real challenge (not arithmetic, the only barrier in the real case) once a source exceeds its budget, and block or step up suspicious origins. Count attempts against unknown usernames exactly like real ones, so the limiter itself does not reveal which accounts exist.
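A limiter that keeps the two budgets separate, as an added example (not code from the page): per account, failures from any source lock the account for a short period, which is what stops one password list being replayed against one admin from many IPs; per source address, volume against any account triggers the challenge rather than a lock, because an office NAT or VPN exit is one IP for many legitimate users. The thresholds and windows are illustrative, and `now` is passed in explicitly so the logic is testable without a clock.

```python
from collections import defaultdict, deque


class LoginGuard:
    """Sliding-window limiter for an admin login endpoint (example values).

    * per account: failures from *any* source; `per_user` failures inside
      `window` seconds locks the account for `lockout` seconds;
    * per source IP: attempts against *any* account; `per_ip` attempts
      inside `window` seconds means the source must pass a real challenge.
    """

    def __init__(self, per_user=5, per_ip=20, window=900, lockout=900):
        self.per_user, self.per_ip = per_user, per_ip
        self.window, self.lockout = window, lockout
        self.user_failures = defaultdict(deque)   # user -> timestamps of failed attempts
        self.ip_attempts = defaultdict(deque)     # ip   -> timestamps of all attempts
        self.locked_until = {}                    # user -> unix time the lock expires

    def _prune(self, dq, now):
        # drop timestamps that fell out of the sliding window
        while dq and dq[0] <= now - self.window:
            dq.popleft()

    def check(self, user, ip, now):
        """Call before verifying the password.
        Returns 'allow', 'challenge' (captcha required) or 'lockout'."""
        if self.locked_until.get(user, 0) > now:
            return "lockout"
        self._prune(self.ip_attempts[ip], now)
        if len(self.ip_attempts[ip]) >= self.per_ip:
            return "challenge"
        return "allow"

    def record(self, user, ip, success, now):
        """Call after the password (and MFA) check, whatever the outcome.
        Unknown usernames are recorded like real ones, so the limiter does not
        leak which accounts exist."""
        self.ip_attempts[ip].append(now)
        failures = self.user_failures[user]
        self._prune(failures, now)
        if success:
            failures.clear()
            return
        failures.append(now)
        if len(failures) >= self.per_user:
            self.locked_until[user] = now + self.lockout
            failures.clear()
```

A lockout on the admin account is a denial-of-service lever, so keep it short and pair it with the alerting in control 7: five failures on a privileged account from five different addresses is itself the signal you want.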
7. Anomalous-access detection and logging
A login from a new country, an odd hour, an unknown device, or two countries an hour apart: alert, and keep the raw login log long enough to reconstruct what happened. The Civil Defense system only noticed from the headlines. You want to notice in minutes.
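The detection logic run over sample login records, as an added example that is not part of the original page. The JSON-lines events, the users, devices and countries are all constructed; the quiet-hours window and the two-hour travel threshold are assumptions for the example, not values the page gives. A per-user baseline is built from successful logins, and each new login is scored against it.

```python
import json
from datetime import datetime, timedelta

# Constructed login history (JSON lines), one record per authentication.
HISTORY = """
{"ts":"2026-06-18T09:05:00Z","user":"ana","country":"BR","device":"dev-a1","ok":true}
{"ts":"2026-06-19T14:30:00Z","user":"ana","country":"BR","device":"dev-a1","ok":true}
{"ts":"2026-06-19T11:00:00Z","user":"bruno","country":"BR","device":"dev-b7","ok":true}
{"ts":"2026-06-20T09:12:00Z","user":"ana","country":"BR","device":"dev-a1","ok":true}
"""

# Constructed new logins to score: a stolen password used from abroad on an
# unknown device an hour after the owner's own session, then a 03:40 login.
NEW_LOGINS = """
{"ts":"2026-06-20T10:05:00Z","user":"ana","country":"RU","device":"dev-zz","ok":true}
{"ts":"2026-06-21T03:40:00Z","user":"bruno","country":"BR","device":"dev-b7","ok":true}
{"ts":"2026-06-21T09:30:00Z","user":"ana","country":"BR","device":"dev-a1","ok":true}
"""

QUIET_HOURS = range(0, 6)            # assumption: UTC hours nobody on this team works
TRAVEL_WINDOW = timedelta(hours=2)   # assumption: two countries closer than this is impossible


def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def ts(event):
    return datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))


def build_baseline(events):
    """Per-user sets of seen countries, devices and hours, plus the last successful login."""
    base = {}
    for e in events:
        if not e["ok"]:
            continue
        b = base.setdefault(e["user"], {"countries": set(), "devices": set(), "hours": set(), "last": None})
        b["countries"].add(e["country"])
        b["devices"].add(e["device"])
        b["hours"].add(ts(e).hour)
        b["last"] = (ts(e), e["country"])
    return base


def assess(event, baseline):
    """List of reasons this login looks anomalous; empty means it matches the baseline."""
    b = baseline.get(event["user"])
    if b is None:
        return ["unknown_user"]
    reasons, t = [], ts(event)
    if event["country"] not in b["countries"]:
        reasons.append("new_country:" + event["country"])
    if event["device"] not in b["devices"]:
        reasons.append("new_device:" + event["device"])
    if t.hour in QUIET_HOURS and t.hour not in b["hours"]:
        reasons.append(f"off_hours:{t.hour:02d}")
    last_ts, last_country = b["last"]
    if last_country != event["country"] and t - last_ts < TRAVEL_WINDOW:
        reasons.append("impossible_travel")
    return reasons


def scan(history_text, new_text):
    """Score each new login in order; only the last-seen position is updated
    automatically, so a new country or device stays anomalous until a human confirms it."""
    baseline = build_baseline(parse_events(history_text))
    alerts = []
    for e in parse_events(new_text):
        reasons = assess(e, baseline)
        if reasons:
            alerts.append({"user": e["user"], "ts": e["ts"], "reasons": reasons})
        if e["ok"] and e["user"] in baseline:
            baseline[e["user"]]["last"] = (ts(e), e["country"])
    return alerts
```

The first new login scores on three rules at once, which is the shape the real incident had: a valid password, from somewhere the owner has never been, on a device that has never been enrolled. A single rule is noisy; two or more firing on a privileged account is worth paging on.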
The 5-minute test
Open your SaaS's most dangerous panel and answer:
- Does it require MFA? What kind?
- How many people have access? Do they all need it?
- Can a single credential cause maximum damage?
- Would you know if someone logged in right now with a colleague's password?
If any answer is uncomfortable, you have an IDAP waiting for its misantropia. That is exactly what RET reviews in Risk Review and proves in manual pentest: access, permission and the leaked password — before a criminal does.
Your admin panel is your Civil Defense. If a leaked, MFA-less password can fire your product's most dangerous action, the attack is already built — it just needs the right password to surface on the deep web.