A Routine Pentest Uncovered a Much Bigger Risk
How a limited internal pentest evolved into a full IoT and OT security assessment across 6,000+ IP addresses, without a single hour of operational downtime.
CLIENT CATEGORY
Critical Infrastructure Organization, Aeronautical Sector
IMPLEMENTED SOLUTIONS
Red Team Services
Advanced Penetration Testing
Strategic Security Consulting
Adversarial Treat Modeling
ENGAGEMENT MODEL
Started as a limited internal pentest and grew into a recurring, expanded assessment program
LOCATION
North America
METHODOLOGY
OWASP and NIST frameworks, adapted for critical infrastructure environments
A Small Test Can Reveal a Big Risk
The client asked for a straightforward internal pentest covering a small part of their corporate network. The goal was simple: confirm internal risk exposure.
Even at that limited scale, the findings did more than confirm expectations. They showed how close routine corporate systems sat to operationally critical systems, and how much that proximity raised the stakes of a single incident.
As the engagement expanded, so did the risk profile:
- Legacy systems that behave unpredictably under standard scanning and fingerprinting.
- IoT and operational devices where a routine test can create real operational risk.
- Zero room for error. Operational continuity could not be interrupted at any point.
Why It Mattered
Security leaders in critical infrastructure face a hard question: if one system is compromised, how far can the damage travel? For this client, the honest answer was farther than assumed. A single weak point in a low-security zone carried a direct path to the systems that keep operations running, the kind of risk a board needs mapped, not guessed at.
How It Evolved
Prosegur Cybersecurity's team stayed engaged well past the report. What started as a standard pentest delivery became continuous collaboration, with analysts embedded alongside the client's engineering team.
That relationship is what opened the door to a much larger assessment, one that expanded in scope as trust grew, rather than a one-time engagement that ended at the final report.
What We Achieved
- Assessment expanded to 6,000+ IP addresses across corporate and operational networks.
- No operational disruption, despite complex IoT and legacy systems in scope.
- Findings translated into business risk terms the board could act on.
- A shift from a single engagement to an ongoing security partnership.
Do you want your company to be a success story too?
Explore how we can transform your business into a more profitable and efficient enterprise using our best solutions.