What an external assessment looks like
A 4,000-employee healthcare provider asked us to validate their attack surface ahead of a payor audit. The excerpt below is page 7 of the executive deliverable.
During asset attribution, the engagement identified 3 internet-facing systems attributable to the organization that were absent from the asset inventory provided at kickoff. Of these, one (vpn-legacy.██████.com) was a GlobalProtect VPN gateway running an unpatched PAN-OS release vulnerable to CVE-2024-3400, an unauthenticated command-injection flaw with a publicly available exploit chain.
Remediation effort is concentrated in three workstreams (asset retirement, credential rotation, federation hardening). Estimated engineering time: ~80 hours. A 30-day retest is included; details in §9 (Remediation Plan).
Excerpt · External Threat Exposure deliverable
What an internal assessment looks like
A regional bank engaged us 60 days after a new CISO joined. The excerpt below is from §4 (Lateral Movement Modeling) of the technical deliverable.
The engagement modeled lateral movement from a generic helpdesk-tier credential (HELPDESK-█████) to Tier-0 assets. Four distinct paths reached domain admin in six hops or fewer; the shortest required three hops and exploited unconstrained delegation on a legacy print server.
| From | Via | Hops | Detection |
|---|---|---|---|
| Helpdesk service acct | Unconstrained delegation · PRINTSRV-04 | 3 | Not logged |
| Generic domain user | ADCS ESC1 misconfig | 4 | Logged · no alert |
| Backup operator group | DCSync abuse via stale ACL | 5 | Not logged |
| Finance desktop | SCCM client push misconfig | 6 | Logged · alerted |
Of the four paths, three (unconstrained delegation, ESC1 and DCSync) rely on techniques for which the SIEM ruleset has no detection content: Kerberos ticket capture via unconstrained delegation (T1558), certificate abuse (T1649) and DCSync (T1003.006). For the two paths marked Not logged, the telemetry has to be enabled before any rule can help (for DCSync, directory-service access auditing plus a SACL on the domain naming context); a rule cannot fire on an event that is never written. Recommended Sigma rules and Defender XDR queries are provided in Appendix C.
Excerpt · Internal Threat Assessment deliverable
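Reference logic for two of the undetected paths in the table above, written as an added example rather than taken from the deliverable or its Appendix C. It flags DCSync from Security event 4662 (Control Access on one of the three replication extended rights by a principal that is not a domain controller) and ADCS ESC1 from Certificate Services event 4887 (a certificate issued against a request whose enrollee-supplied SAN names a different principal). The events are constructed; the MSOL_ sync-account name and the flat `Attributes` string layout are assumptions.

```python
"""Detections for DCSync (T1003.006, event 4662) and ADCS ESC1 (T1649, event 4887).
Added example with constructed events, not content from the engagement."""
import re
from dataclasses import dataclass
from typing import Optional

# Extended rights a principal must exercise to pull secrets over DRSUAPI replication.
# These GUIDs are fixed Active Directory constants.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
# Principals allowed to replicate: domain controllers (machine accounts end in $) and
# the directory-sync service account. The MSOL_ prefix is an assumption for this tenant.
ALLOWED_REPLICATORS = re.compile(r"^([^\\]+\$|MSOL_[0-9a-f]+)$", re.IGNORECASE)


@dataclass
class Finding:
    technique: str  # ATT&CK ID
    account: str    # principal that triggered the rule
    detail: str


def detect_dcsync(event: dict) -> Optional[Finding]:
    """4662 with Control Access (0x100) on a replication right by a non-DC principal.
    The event only exists if 'Audit Directory Service Access' is on and the domain
    object carries a SACL; without that, the technique is simply not logged."""
    if event.get("EventID") != 4662 or event.get("AccessMask") != "0x100":
        return None
    props = event.get("Properties", "").lower()
    if not any(guid in props for guid in REPLICATION_RIGHTS):
        return None
    user = event.get("SubjectUserName", "")
    if ALLOWED_REPLICATORS.match(user):
        return None
    return Finding("T1003.006", user, "replication right exercised by a non-DC account")


def detect_esc1(event: dict) -> Optional[Finding]:
    """4887 (certificate issued) whose request carried a SAN UPN that is not the
    requester's own identity. Assumes the Attributes field is the CA's raw string,
    containing 'SAN:upn=...' only when the enrollee supplied a subject."""
    if event.get("EventID") != 4887:
        return None
    match = re.search(r"san:upn=([^\s,;]+)", event.get("Attributes", ""), re.IGNORECASE)
    if not match:
        return None  # no enrollee-supplied SAN, so not ESC1
    requester = event.get("Requester", "").split("\\")[-1]
    requested = match.group(1).split("@")[0]
    # Comparing sAMAccountName with the UPN prefix is a simplification; where the two
    # differ, resolve both to a SID before comparing.
    if requested.lower() == requester.lower():
        return None
    return Finding("T1649", event["Requester"],
                   f"certificate issued with enrollee-supplied SAN {match.group(1)}")


RULES = (detect_dcsync, detect_esc1)


def run_detections(events: list) -> list:
    """Apply every rule to every event and return the findings in event order."""
    findings = []
    for event in events:
        for rule in RULES:
            hit = rule(event)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample events in the shape a SIEM normalises from the Windows XML.
SAMPLE_EVENTS = [
    # Legitimate replication by a domain controller: no finding.
    {"EventID": 4662, "SubjectUserName": "DC01$", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Backup-operator service account pulling Get-Changes-All: DCSync.
    {"EventID": 4662, "SubjectUserName": "svc_backup", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Ordinary object access by a user with a non-replication right: no finding.
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x100",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    # Normal enrolment with no SAN supplied: no finding.
    {"EventID": 4887, "Requester": "CORP\\jdoe", "Attributes": "CertificateTemplate:User"},
    # Enrollee supplies another principal's UPN in the SAN: ESC1.
    {"EventID": 4887, "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:VPNUser\nSAN:upn=administrator@corp.local"},
]

if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"{f.technique}  {f.account}: {f.detail}")
```

Both rules are the same matching logic a Sigma rule or a Defender XDR query would carry; the point of running them over sample events is to see where they stay silent. The 4887 rule depends on the CA's audit filter being enabled for issued requests, and the 4662 rule on the SACL noted in its docstring, which is why a detection backlog for the paths marked Not logged starts with audit configuration rather than with rules.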
What a compliance gap report looks like
A SaaS company engaged us for SOC 2 Type II readiness with a 90-day audit window. The excerpt below is the per-control gap register — the document an external auditor consumes directly.
| Control | Status | Gap | Effort (L/M/H) |
|---|---|---|---|
| CC6.1 — Access provisioning | GAP | No documented JML process for contractor accounts | L |
| CC6.2 — User registration | MET | — | — |
| CC6.3 — Access modification | GAP | Privileged-access reviews not performed quarterly | M |
| CC6.6 — External access | GAP | VPN allows password-only auth for vendor accounts | L |
| CC6.7 — Data transmission | MET | — | — |
Each gap row is paired with: (a) reproduction evidence, (b) remediation owner, (c) target close date, and (d) the framework cross-walk to ISO 27001:2013 A.9 and NIST SP 800-53 AC-2. See Appendix B for the cross-framework map.
Excerpt · SOC 2 Gap Assessment deliverable
Want a deliverable like this for your environment?
Most engagements start with a 30-minute scoping call. We'll tell you whether we can help — or who can — by the end of it.
Scope an engagement →