Doom Eternal

DOOM Eternal, developed by id Software and published by Bethesda Softworks, launched to critical acclaim and significant global adoption. As a large-scale AAA title with online components, protecting backend services was essential to maintaining player trust and operational stability.

The scope focused on non-gameplay backend systems responsible for:

• Matchmaking
• Party and party management
• Account creation and registration
• Session management and authentication
• Account and profile management
• In-game achievements and reward systems

Vulnerabilities in these areas could impact player progression, account integrity, and platform reputation. Bethesda required structured security validation to ensure server-side controls were robust before and after launch.

Cyrex conducted comprehensive grey box penetration testing, combining architectural awareness with real-world attack simulation.

Our objective was to validate the integrity of server-side security controls and identify weaknesses that could be exploited by malicious actors.

The engagement included structured testing of:

• Matchmaking workflows
• Party and session handling logic
• Registration and authentication mechanisms
• Profile management controls
• Achievement and reward validation

We simulated attacker behavior to evaluate access control enforcement, session validation, and business logic protections within backend services.

During testing, Cyrex identified multiple vulnerabilities ranging in severity from low-priority issues to findings deemed critical by Bethesda.

We delivered:

• Detailed documentation of findings
• Proof-of-concept exploitation scenarios
• Prioritized remediation guidance

Following remediation, Cyrex conducted structured sanity and regression testing to confirm that vulnerabilities were resolved and no additional issues were introduced.