How I missed this beautiful piece of research I have no idea, I’m sure I might not be the only one.
TL;DR they had a “universal” WAF bypass for SQLi. https://t.co/1KYZ9i2T4e