The starting point
Management knew the sector's regulatory framework would demand more of them — operational resilience, risk management, demonstrable controls — and did not want to walk into that conversation blind. The request was clear: "tell us where we really stand, no make-up, and in what order to fix it." They weren't after a certificate yet, but a reliable baseline to build on.
The scope deliberately left out the industrial/OT side in this first phase — documented as such — and focused on external exposure and the internal corporate network, where most of the immediate risk sat and where remediation was most actionable in the short term.
How we approached it
Two fronts in parallel:
- External audit — discovery of the real attack surface (domains, subdomains, exposed services, forgotten assets), contrasted with what the team believed it had published, and validation of the exposure. It surfaced services no one remembered exposing, an admin panel reachable from the internet, and corporate credentials in third-party public breaches.
- Internal audit — from the corporate network, a review of segmentation, configuration and Active Directory security (privilege-escalation paths, service accounts with excessive permissions, password policies, delegations), system hardening and patch management.
The underlying finding was structural: the internal network was practically flat — a compromised machine at one site could reach critical systems at another — and Active Directory had accumulated years of permissions granted and never revoked. None of this was delivered as a 200-line list, but grouped by risk and by root cause.
Results
- 2 fronts audited in parallel: external exposure and internal corporate network
- 3 remediation phases prioritised by risk and effort, with owners
- 1 single risk dashboard that management and technical teams share and understand
The deliverable wasn't just the report: it was a phased plan the internal team could start executing the following week, with quick-containment measures (close what was exposed, rotate leaked credentials, isolate the admin panel) separated from the structural ones (segment the network, clean up Active Directory) that need a project. The company then faced its regulatory roadmap knowing exactly where it started from.
What made it work
- The real attack surface almost never matches what an organisation thinks it has: the first job is discovering the forgotten.
- Internally, a flat network and an unmaintained Active Directory are the pattern that most often turns a minor incident into a major one.
- A risk-prioritised, executable plan is worth more than an exhaustive report that nobody knows where to begin with.
Related services
Do you know your real exposure?
An internal and external audit gives you the honest baseline before any compliance project. We tell you where you stand and in what order to fix it.