A mid-sized manufacturing firm with operations spanning production floors, remote engineering teams, and third-party supplier integrations had never undergone a formal security review. Concerned about their growing exposure to cyber threats and upcoming regulatory scrutiny, the business engaged Verdas to conduct a comprehensive security audit — including external and internal penetration testing, a full review of their on-premise and cloud application estate, and a prioritised remediation roadmap for the entire IT team.
The business had grown steadily over the previous five years — adding remote engineering staff, integrating supplier portals, migrating some systems to cloud while keeping others on-premise, and deploying line-of-business applications without a formal procurement or security review process. The result was an environment that the internal IT team managed reactively, with no clear inventory of what was exposed to the internet and no assurance over what was actually patched or hardened.
Following a spate of ransomware attacks on UK manufacturers reported in trade press, the board requested a formal independent security assessment. The IT manager had a strong operational instinct but lacked the specialist resources to conduct penetration testing or evaluate the security posture of the application stack objectively.
Verdas structured the engagement in four phases — passive reconnaissance and asset discovery, external penetration testing, internal network and application assessment, and finally a full written remediation report with a prioritised action plan presented directly to the IT team and board. All testing was conducted under a formal scope-of-work agreement and rules of engagement, with the IT manager briefed daily on any critical findings as they were discovered.
Open-source intelligence (OSINT) gathering performed against the organisation's public internet footprint, enumerating exposed IP ranges, subdomains, certificate transparency records, public code repositories, and leaked credential databases. The asset discovery phase identified several services exposed to the internet that the IT team did not know were publicly reachable, including an unpatched remote management interface and a staging web application containing internal data.
Full black-box external penetration test conducted against all internet-facing assets within the agreed scope. Testing methodology followed OWASP and PTES frameworks. Automated vulnerability scanning combined with manual exploitation attempts. Four critical vulnerabilities identified and verified — including an unauthenticated remote code execution path on an exposed web service, and a misconfigured VPN gateway accepting legacy authentication protocols. All critical findings escalated to the IT manager immediately on discovery per the rules of engagement.
Onsite internal assessment conducted across both the corporate IT network and the production floor OT network segment. Network architecture reviewed, firewall rule sets audited, and Active Directory configuration examined for privilege escalation paths, stale accounts, and insecure delegation settings. Line-of-business and supplier-facing applications assessed for authentication weaknesses, access control failures, and injection vulnerabilities. Supplier VPN access reviewed — network segments found to be far broader than operationally necessary.
Full written security assessment report produced — covering all 23 findings, each documented with severity rating, detailed technical description, evidence, business risk context, and specific remediation guidance. Findings categorised by severity (Critical, High, Medium, Low) and mapped to a prioritised remediation roadmap with estimated effort and owner assignment. Report presented to the IT team in a structured walkthrough session, followed by a board-level executive summary covering business risk and investment required. Verdas remained available for remediation support queries for 30 days post-delivery.
The following findings represent a selection of issues uncovered across the external and internal testing phases. All findings were responsibly disclosed to the client before any public reference, and all critical and high severity issues have since been fully remediated.
An internet-facing legacy web application used for supplier order submissions was found to be running an unpatched version of its underlying framework containing a publicly known RCE vulnerability. Successful exploitation was demonstrated in a controlled manner, confirming an attacker could execute arbitrary commands on the underlying server without any authentication. The service had not appeared in the IT team's asset inventory as an internet-facing system.
The primary remote access VPN was configured to accept NTLMv1 authentication — a protocol deprecated due to well-documented weaknesses allowing offline password cracking from captured challenge-response pairs. Combined with several domain accounts found in leaked credential databases during the OSINT phase, this represented a realistic path to initial network access without any valid credentials.
Third-party supplier accounts connecting via VPN were granted network access to a far broader range of internal segments than their operational function required — including file servers and internal management interfaces. A compromise of a supplier's credentials would provide an attacker with direct access to internal systems without any further exploitation required.
Kerberos delegation settings on several service accounts allowed unconstrained delegation — enabling a low-privilege domain account to potentially impersonate any user, including Domain Admins, under certain conditions. Multiple stale privileged accounts belonging to former employees were also identified with no expiry date and passwords unchanged in over four years.
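The delegation and stale-account findings above can be reproduced from an export of the relevant Active Directory attributes. The following is an added illustration, not the assessor's tooling: it runs over constructed sample records and flags the `TRUSTED_FOR_DELEGATION` bit in `userAccountControl` (unconstrained delegation), passwords older than a threshold (derived from the `pwdLastSet` FILETIME), and privileged accounts whose passwords never expire. Account names and values are invented.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags as defined by Microsoft (ADS_USER_FLAG_ENUM).
UF_NORMAL_ACCOUNT = 0x200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_TRUSTED_FOR_DELEGATION = 0x80000  # unconstrained delegation

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def datetime_to_filetime(dt: datetime) -> int:
    """UTC datetime -> AD FILETIME (100 ns ticks since 1601), integer-exact."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10**7 + d.microseconds * 10

def filetime_to_datetime(ft: int) -> datetime:
    """AD FILETIME -> UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def password_age_days(acct: dict, now: datetime) -> int:
    return (now - filetime_to_datetime(acct["pwdLastSet"])).days

def audit_accounts(accounts, now: datetime, max_pwd_age_days: int = 365):
    """Return (sAMAccountName, finding_code) pairs for the conditions checked."""
    findings = []
    for acct in accounts:
        name, uac = acct["sAMAccountName"], acct["userAccountControl"]
        if uac & UF_TRUSTED_FOR_DELEGATION:
            # Constrained delegation lives in msDS-AllowedToDelegateTo instead and
            # is acceptable when the target SPN list has been reviewed.
            findings.append((name, "UNCONSTRAINED_DELEGATION"))
        if password_age_days(acct, now) > max_pwd_age_days:
            findings.append((name, "STALE_PASSWORD"))
        if acct.get("adminCount") == 1 and uac & UF_DONT_EXPIRE_PASSWD:
            findings.append((name, "PRIVILEGED_NO_EXPIRY"))
    return findings

# Constructed sample export (hypothetical accounts, not real data).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_web", "userAccountControl": UF_NORMAL_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
     "pwdLastSet": datetime_to_filetime(datetime(2024, 3, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "svc_sql", "userAccountControl": UF_NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/db01.example.local:1433"],
     "pwdLastSet": datetime_to_filetime(datetime(2024, 2, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "jsmith_adm", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
     "adminCount": 1,
     "pwdLastSet": datetime_to_filetime(datetime(2020, 1, 15, tzinfo=timezone.utc))},
]
AUDIT_RESULT = audit_accounts(SAMPLE_ACCOUNTS, NOW)
```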
An internal production scheduling application was found to have insufficient access controls — authenticated users could access and modify records belonging to other departments by manipulating URL parameters. No server-side authorisation check was performed to verify the requesting user's entitlement to the accessed resource.
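The access control failure described above is a direct object reference that is never checked against the caller's entitlement. The following added example (not the application's code; the users, departments and records are constructed) shows a handler that trusts the record id from the URL beside a hardened version that resolves the record and then checks that the caller's department owns it, or that the caller holds an explicit override role, before any read or write.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    username: str
    department: str
    roles: frozenset

@dataclass
class ScheduleRecord:
    record_id: int
    department: str
    job: str

class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested record."""

# Constructed sample data standing in for the scheduling database.
RECORDS = {
    101: ScheduleRecord(101, "assembly", "Line 2 changeover"),
    102: ScheduleRecord(102, "paint", "Booth 1 recoat"),
}

def get_record_vulnerable(user: User, record_id: int) -> ScheduleRecord:
    # Authenticated callers are trusted; the id from the URL is used as-is,
    # so any user can read (and, with a matching update handler, modify)
    # another department's record simply by changing the parameter.
    return RECORDS[record_id]

def is_entitled(user: User, record: ScheduleRecord) -> bool:
    # Server-side authorisation: ownership by department, or an explicit
    # cross-department role granted by the application, never a URL value.
    return record.department == user.department or "scheduler_admin" in user.roles

def get_record_fixed(user: User, record_id: int) -> ScheduleRecord:
    record = RECORDS.get(record_id)
    # Treat missing and unauthorised records identically so ids cannot be
    # enumerated through differing responses.
    if record is None or not is_entitled(user, record):
        raise Forbidden(f"{user.username} may not access record {record_id}")
    return record

def update_record_fixed(user: User, record_id: int, new_job: str) -> ScheduleRecord:
    # Every write path goes through the same entitlement check as reads.
    record = get_record_fixed(user, record_id)
    record.job = new_job
    return record
```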
Following the assessment, Verdas delivered a full written security recommendations report structured around three time horizons — immediate actions required within 72 hours, short-term hardening over the following 30 days, and a strategic roadmap for building sustained security maturity. Each recommendation included the assigned owner, estimated effort, and the specific technical steps required to resolve or mitigate the finding.
Emergency patch applied to the exposed web service with the RCE vulnerability. Service taken offline for patching within hours of critical finding disclosure. VPN gateway reconfigured to disable NTLMv1 authentication. All stale privileged Active Directory accounts disabled and flagged for review. Supplier VPN access scoped down to minimum required network segments.
Multi-factor authentication mandated on all remote access, VPN, admin accounts, and cloud services. Conditional access policies implemented preventing authentication from unmanaged devices. Privileged Access Workstation policy recommended for Domain Admin accounts. Kerberos delegation settings reviewed and constrained delegation applied where delegation was genuinely required.
Full firewall rule audit conducted — 47 redundant or overpermissive rules removed. Internet-exposed services reduced to the minimum operationally required. Production OT network formally segmented from the corporate IT network with controlled, audited crossing points. Supplier access restricted to dedicated, monitored network zones with no access to internal infrastructure.
Formal asset register created covering all internet-facing and internal systems with patch status, owner, and review cadence. Vulnerability scanning scheduled monthly against the full asset register. Access control findings in the line-of-business application escalated to the vendor with a detailed technical write-up. Patch management policy documented and approved by management with defined SLAs for critical patches.
Staff security awareness training programme recommended and scoped — covering phishing recognition, password hygiene, safe remote working practices, and incident reporting procedures. Simulated phishing exercises recommended on a quarterly basis to establish a baseline and measure improvement. IT team briefed on findings as a learning exercise to build internal security knowledge.
Security Information and Event Management (SIEM) deployment scoped and recommended to provide centralised log aggregation and alerting. Microsoft Defender for Endpoint recommended for endpoint detection across the estate. Annual penetration test scheduled as a recurring engagement to track remediation progress and identify new vulnerabilities introduced as the environment evolves.
| Area | Before the Audit | After Remediation |
|---|---|---|
| Asset Inventory | No formal register — unknown internet exposure | Full documented asset register with patch status and owner |
| Remote Access | VPN accepting legacy auth, no MFA on admin accounts | MFA enforced on all remote access and admin accounts |
| Patch Management | Reactive — no defined SLA or vulnerability scanning | Monthly scanning, defined patch SLAs, documented policy |
| Firewall Rules | Unreviewed for 3+ years — 47 redundant rules | Full audit complete — minimised and documented ruleset |
| Supplier Access | Broad network access with no segmentation | Restricted to dedicated zones — no internal infrastructure access |
| Active Directory | Stale accounts, unconstrained delegation, no review cycle | Stale accounts disabled, delegation constrained, review cadence set |
| Security Awareness | No formal training programme — years without a session | Annual training programme and quarterly phishing simulations |
| Board Visibility | No security reporting to management or board | Executive summary delivered — security risk on board agenda |
Within 72 hours of the critical findings being disclosed, the most dangerous vulnerabilities were patched or mitigated. Over the following six weeks, the IT team worked through the full remediation roadmap with Verdas available for technical queries throughout. By the end of the engagement, every critical and high severity finding had been fully resolved, a formal patch management policy was in place, MFA was enforced across all remote access, and the board had a clear view of the organisation's security posture for the first time.
"We knew we had gaps but we didn't know where or how serious they were. Verdas found things we genuinely didn't know existed — systems exposed to the internet that weren't even on our radar. The report was clear, the remediation guidance was practical, and they walked the team through everything rather than just handing over a document. We went from not knowing our exposure to having a plan we could actually execute."
— IT Manager, Manufacturing Business

We'll audit your environment, test your defences, and give your team a clear remediation roadmap — before an attacker finds them first.