Dying Light 2: Stay Human

Dying Light 2: Stay Human launched as a globally anticipated AAA title. With massive player demand expected from day one, Techland needed absolute confidence in both security and scalability.

The challenge extended across multiple layers of the game’s ecosystem:

• Securing complex online and gameplay services — Hundreds of client-to-client RPCs and backend APIs required rigorous validation to prevent exploits.
• Validating 1M+ concurrent user capacity — Infrastructure had to operate reliably at extreme concurrency.
• Maintaining performance under load — Authentication, inventory, rewards, and player stats systems had to remain responsive.
• Ensuring Epic Online Services (EOS) API compliance — Misuse or rate-limit violations could trigger throttling or service disruption.

A vulnerability in gameplay logic or instability in backend services would directly impact player experience at scale. This wasn’t about surface-level endpoint checks. It required deep infrastructure testing before millions of players connected.

As a Tencent Gold Partner, Cyrex deployed a specialized team of senior security and performance engineers to work directly against the game’s architecture.

Gameplay Services

Two senior security engineers tampered with and validated hundreds of client-to-client RPCs. The objective was clear: identify exploit paths that could compromise gameplay integrity, player progression, or multiplayer fairness.

Online Services

Two additional senior security engineers systematically tested dozens of REST API endpoints. This included authentication flows, backend logic, and data handling mechanisms.

Client-Side Implementation

A dedicated security engineer focused on client-side implementations, including the game binary and its underlying Chrome Engine components. The goal was to uncover manipulation vectors or bypass opportunities from the player’s end.

This layered approach ensured both server-side and client-side attack surfaces were rigorously assessed.

Cyrex executed a targeted Online Services Test designed to simulate real player behavior during initial session flows.

We tested:

• Authentication
• News feed retrieval
• User status checks
• Reward fetching
• Inventory loading
• Player statistics retrieval
• Storage patch data requests

By targeting all backend API endpoints called during early gameplay sessions, we validated the system’s ability to operate at full intended load capacity.

The engagement aimed to verify stability and performance at 1 million+ concurrent users (CCU), identifying bottlenecks and degradation points long before launch.

Beyond performance and security, Cyrex conducted a formal EOS API Compliance Check.

This included:

• Request pattern analysis
• Response behavior validation
• Verification against documented EOS rate limits
• Best-practice alignment for API usage

The objective was to prevent throttling or disruption caused by excessive or non-compliant API calls. For a title operating at AAA scale, this validation was critical.