A Routine Pentest Uncovered a Much Bigger Risk

How a limited internal pentest evolved into a full IoT and OT security assessment across 6,000+ IP addresses, without a single hour of operational downtime.

CLIENT CATEGORY

Critical Infrastructure Organization, Aeronautical Sector


IMPLEMENTED SOLUTIONS

Red Team Services

Advanced Penetration Testing

Strategic Security Consulting

Adversarial Treat Modeling


ENGAGEMENT MODEL

Started as a limited internal pentest and grew into a recurring, expanded assessment program


LOCATION

North America


METHODOLOGY

OWASP and NIST frameworks, adapted for critical infrastructure environments

A Small Test Can Reveal a Big Risk

The client asked for a straightforward internal pentest covering a small part of their corporate network. The goal was simple: confirm internal risk exposure.

Even at that limited scale, the findings did more than confirm expectations. They showed how close routine corporate systems sat to operationally critical systems, and how much that proximity raised the stakes of a single incident.

As the engagement expanded, so did the risk profile:

  • Legacy systems that behave unpredictably under standard scanning and fingerprinting.
  • IoT and operational devices where a routine test can create real operational risk.
  • Zero room for error. Operational continuity could not be interrupted at any point.
     

Why It Mattered

Security leaders in critical infrastructure face a hard question: if one system is compromised, how far can the damage travel? For this client, the honest answer was farther than assumed. A single weak point in a low-security zone carried a direct path to the systems that keep operations running, the kind of risk a board needs mapped, not guessed at.

How It Evolved

Prosegur Cybersecurity's team stayed engaged well past the report. What started as a standard pentest delivery became continuous collaboration, with analysts embedded alongside the client's engineering team.
 

That relationship is what opened the door to a much larger assessment, one that expanded in scope as trust grew, rather than a one-time engagement that ended at the final report.
 

What We Achieved

  • Assessment expanded to 6,000+ IP addresses across corporate and operational networks.
  • No operational disruption, despite complex IoT and legacy systems in scope.
  • Findings translated into business risk terms the board could act on.
  •  A shift from a single engagement to an ongoing security partnership.
     

Do you want your company to be a success story too?

Explore how we can transform your business into a more profitable and efficient enterprise using our best solutions.