How Castore Stays Ahead of Web Supply Chain Threats — Across 30+ Online Stores
— and found vulnerabilities their own vendors didn’t know existed
At a Glance
- Customer: Castore
- Industry: Premium Sportswear / eCommerce
- Challenge: Maintain continuous visibility and control over third and fourth-party scripts across 30+ brand and partner stores — without disrupting existing infrastructure or diverting development resources.
- Solution: Reflectiz Web Exposure Management platform
- Results:
  - Fourth-party vulnerability discovered and remediated that the script vendor itself had missed
  - Hidden pixel behavior uncovered — a single ad tag calling dozens of undisclosed external domains
  - Continuous script monitoring across 30+ stores with minimal operational overhead
  - No developer involvement required at any stage
The Challenge: You Can’t Secure What You Can’t See
Castore is a premium British sportswear brand supplying professional sports teams and consumers across soccer, F1 and cricket. Its web footprint is more complex than it looks: alongside the flagship retail site, Castore manages the online stores for its professional sports team partners — a portfolio that shifts with sponsorships but consistently runs above 30 active sites.
Modern retail sites don’t just run their own code. Every customer service widget, ad pixel, analytics tag, and chat tool brings its own dependencies — and those dependencies bring their own. By the time you’re three or four layers out from your own codebase, you’re in territory that almost no one monitors. That’s exactly where attackers look for footholds.
Before Reflectiz, Castore had limited visibility into what those third and fourth-party scripts were actually doing. With 30+ checkout pages in scope, the exposure was real — and growing with every new sponsorship.
The Threat You Didn’t Know You Had
Shortly after going live with Reflectiz, the team started finding things.
The most significant discovery came from an unlikely source: a customer service chat widget embedded on one of the stores. Reflectiz traced the script’s behavior and found it was loading a vulnerable library — not directly, but through a chain of dependencies that led to a fourth-party component neither Castore nor the chat vendor had been tracking.
This is exactly the kind of exposure that Magecart-style attackers exploit. A compromised or vulnerable third-party component, quietly present on a checkout page, runs in the browser of every shopper and gives an attacker a route to payment data without ever touching the retailer's own infrastructure.
Castore notified the vendor. The vendor escalated to their own supplier. The vulnerability was remediated.
“I don’t think we would have ever come across it. It was loading a vulnerable library, so we were able to tell the customer service people whose chat window we embedded — and I don’t think even they had realized it. They had to go to their third party to figure it out.”
— Alistair Knowles, Cyber Security Lead, Castore
The Pixel That Was Doing More Than Its Job
The second discovery came from the marketing stack — specifically, an ad pixel Castore had intentionally onboarded for an advertising program.
On the surface, it was an approved, known tag. What Reflectiz revealed was what it was doing in the background: calling out to a significant number of external domains beyond the one expected destination. The result was a web of connections, triggered silently on every page load and invisible to any tool that monitors only first-party behavior.
“It’s interesting seeing how some of them sort of chain. You have this one pixel that’s actually linking tons of other sites in the background.”
For a retailer processing customer data across multiple territories, understanding exactly what your scripts are communicating — and to whom — isn’t optional. It’s the difference between a compliant data flow and an undisclosed one.
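The fan-out described above is visible from the browser's own resource timing data: a pixel fires as images, beacons and secondary scripts, so a script-tag inventory alone misses it. The following is an added example, not code from this page, Reflectiz or Castore. It groups every resource a page loads by registrable domain and separates the vendors a team knowingly onboarded from everything else. The vendor hostnames, the first-party domain and the resource entries are constructed (in the shape of PerformanceResourceTiming objects) so it runs offline; in a browser, observeLive() feeds real entries to the same classifier.

```javascript
// Added example (not code from the page, Reflectiz or Castore): classify the
// resources a page loads against the vendors you knowingly onboarded, so one
// approved tag that fans out to many undisclosed hosts shows up.

// Hypothetical vendors a team would have approved on purpose.
const EXPECTED_VENDORS = new Set(["pixel.adnet.example", "chat.vendor-a.example"]);
const FIRST_PARTY = "store.example";

// Constructed sample: one approved pixel host plus the fan-out it triggers.
const SAMPLE_ENTRIES = [
  { name: "https://store.example/assets/app.js", initiatorType: "script" },
  { name: "https://pixel.adnet.example/p.js", initiatorType: "script" },
  { name: "https://sync.datapartner-1.example/match?uid=1", initiatorType: "img" },
  { name: "https://cm.datapartner-2.example/cm.gif", initiatorType: "img" },
  { name: "https://beacon.datapartner-2.example/b", initiatorType: "beacon" },
  { name: "https://id.datapartner-3.example/id.js", initiatorType: "script" },
  { name: "https://chat.vendor-a.example/widget.js", initiatorType: "script" },
  { name: "data:image/gif;base64,R0lGOD", initiatorType: "img" },
];

// Naive eTLD+1 (last two labels): an assumption for the example. Production
// code should use the Public Suffix List so co.uk-style suffixes group correctly.
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Returns { approved: [host...], undisclosed: [{ domain, hosts, types }...] }.
function classifyResources(entries, expected, firstParty) {
  const approved = new Set();
  const undisclosed = new Map();
  for (const e of entries) {
    let url;
    try { url = new URL(e.name); } catch { continue; }
    if (!/^https?:$/.test(url.protocol)) continue; // data:, blob: carry no host
    const host = url.hostname;
    if (host === firstParty || host.endsWith("." + firstParty)) continue;
    if (expected.has(host)) { approved.add(host); continue; }
    const dom = registrableDomain(host);
    const rec = undisclosed.get(dom) || { domain: dom, hosts: new Set(), types: new Set() };
    rec.hosts.add(host);
    rec.types.add(e.initiatorType);
    undisclosed.set(dom, rec);
  }
  return {
    approved: [...approved].sort(),
    undisclosed: [...undisclosed.values()]
      .map(r => ({ domain: r.domain, hosts: [...r.hosts].sort(), types: [...r.types].sort() }))
      .sort((a, b) => a.domain.localeCompare(b.domain)),
  };
}

// Browser hook-up: the same classifier over live entries. No-op outside a browser.
function observeLive(onReport) {
  if (typeof window === "undefined" || typeof PerformanceObserver === "undefined") return false;
  const seen = [];
  const po = new PerformanceObserver(list => {
    seen.push(...list.getEntries());
    onReport(classifyResources(seen, EXPECTED_VENDORS, location.hostname));
  });
  po.observe({ type: "resource", buffered: true });
  return true;
}

function demo() {
  return classifyResources(SAMPLE_ENTRIES, EXPECTED_VENDORS, FIRST_PARTY);
}

console.log(JSON.stringify(demo(), null, 2));
```

On the constructed sample, the two approved hosts come back as approved and three data-partner domains, five hosts in total across image, beacon and script loads, come back as undisclosed. Resource timing tells you that the fan-out happened, not which tag caused it; attributing the secondary loads to the pixel needs request-initiator data of the kind DevTools or a dedicated monitoring tool records.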
Why Traditional Approaches Don’t Scale
Castore evaluated alternatives before choosing Reflectiz. One competing solution would have required proxy configuration on every site, substantial setup effort, and still delivered no auditing capability — just script visibility, with a manual process to build on top. Across 30+ sites, that approach collapses under its own weight.
Reflectiz required no changes to web infrastructure. No firewall rules. No involvement from Castore’s third-party development agency. No agent installation.
“We just turned it on. That was it. We didn’t need to change anything on a website or a firewall.”
— Alistair Knowles, Cyber Security Lead, Castore
On deployment, the platform scanned all sites, built a complete script inventory, and began monitoring for changes and new behaviors. The remaining setup — reviewing and approving the existing script baseline — was handled entirely in-house.
Staying on Top of 30+ Sites
Continuous monitoring across a portfolio this size needs to be operationally sustainable. Smart approvals and bulk actions mean that a script approved across one set of properties doesn’t need to be manually cleared 30 separate times. Changes and anomalies surface as alerts rather than requiring constant manual review.
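The baseline-and-diff workflow described in the deployment section and the portfolio-wide approvals described above come down to a small amount of logic, shown here as an added example that is not code from this page, Reflectiz or Castore. It pulls the external script hosts from each store's HTML, compares them with one approved baseline shared across the portfolio, and groups anything unapproved by host so that a single decision clears it on every store that embeds it. The store hostnames and HTML are constructed; the closing CSP step is an added practitioner control, not something the page describes.

```javascript
// Added example (not code from the page, Reflectiz or Castore): one approved
// baseline shared across a portfolio of stores, a per-site inventory from the
// HTML, and a diff that surfaces only what needs a decision.

// Constructed store HTML with hypothetical hostnames.
const SITES = {
  "flagship.example": `<html><head>
      <script src="/assets/app.js"></script>
      <script src="https://chat.vendor-a.example/widget.js" async></script>
      <script src="https://pixel.adnet.example/p.js"></script>
    </head><body></body></html>`,
  "club-one.example": `<html><head>
      <script src="https://chat.vendor-a.example/widget.js"></script>
      <script src="https://cdn.new-analytics.example/loader.js"></script>
    </head><body></body></html>`,
  "club-two.example": `<html><head>
      <script src="https://cdn.new-analytics.example/loader.js"></script>
    </head><body></body></html>`,
};

// Baseline reviewed and approved once, applied to every store.
const BASELINE = new Set(["chat.vendor-a.example", "pixel.adnet.example"]);

// External <script src> hosts from static HTML. A regex is enough for the
// constructed markup; scripts injected at runtime need resource timing instead.
function externalScriptHosts(html, siteHost) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const hosts = new Set();
  for (let m; (m = re.exec(html)) !== null; ) {
    const url = new URL(m[1], `https://${siteHost}/`);
    if (url.hostname !== siteHost) hosts.add(url.hostname);
  }
  return hosts;
}

// Per-site inventory split into approved vs. needs-review.
function auditPortfolio(sites, baseline) {
  const report = {};
  for (const [site, html] of Object.entries(sites)) {
    const hosts = [...externalScriptHosts(html, site)].sort();
    report[site] = {
      approved: hosts.filter(h => baseline.has(h)),
      needsReview: hosts.filter(h => !baseline.has(h)),
    };
  }
  return report;
}

// Each unapproved host with the stores it appears on: one decision, not one per site.
function pendingApprovals(report) {
  const pending = new Map();
  for (const [site, r] of Object.entries(report)) {
    for (const h of r.needsReview) pending.set(h, [...(pending.get(h) || []), site]);
  }
  return [...pending.entries()].map(([host, sites]) => ({ host, sites: sites.sort() }));
}

function approve(baseline, host) {
  return new Set([...baseline, host]);
}

// Added practitioner step: turn the approved baseline into an enforceable
// Content-Security-Policy script-src so an unapproved host cannot load at all.
function cspScriptSrc(baseline) {
  const sources = [...baseline].sort().map(h => `https://${h}`).join(" ");
  return `script-src 'self' ${sources};`;
}

const report = auditPortfolio(SITES, BASELINE);
console.log(JSON.stringify(pendingApprovals(report), null, 2));
console.log(cspScriptSrc(approve(BASELINE, "cdn.new-analytics.example")));
```

On the constructed portfolio the first audit yields one pending host, cdn.new-analytics.example, listed against both club stores; approving it once empties the queue on the next run. The CSP line is the part a monitoring tool cannot do for you: visibility tells you a host appeared, the policy stops an unapproved one from executing.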
“Not going through and having to do the same thing for 30 websites is a lot easier. I just check in every now and again and deal with the odd change or the odd script, instead of having to constantly look at 30 different websites myself and keep track of that in some spreadsheet.”
— Alistair Knowles, Cyber Security Lead, Castore
The Business Impact
- Threat discovery: Fourth-party vulnerable library identified and remediated — missed by the vendor themselves
- Supply chain visibility: Hidden pixel behavior surfaced, revealing undisclosed external data flows
- Operational scale: Continuous coverage across 30+ stores with low maintenance overhead
- Zero developer overhead: No infrastructure changes, no agency involvement, no internal build required
- Sustained confidence: Peak trading periods — kit launches, sales events — require no special security preparation
The Bottom Line
Castore’s story is a clear illustration of the modern web security problem: the threats that matter most are rarely in your own code. They’re in the scripts you trust, and the scripts those scripts trust. Without visibility into that chain, you’re not just flying blind — you’re relying on your vendors to catch their own vulnerabilities. As Castore discovered, that’s not a safe assumption.
“It highlights a lot of things that we’ve got to do. It’s surprising what you find — things you wouldn’t really have expected. I definitely feel better knowing what problems there are and that we can deal with them.”
— Alistair Knowles, Cyber Security Lead, Castore