
The anatomy of a security assessment

  • #security
  • #osint
  • #pentesting

People tend to picture a security assessment as someone furiously typing exploits in a dark room. In practice it's slower, more methodical, and far more about patient observation than fireworks. For one of my projects I ran an assessment that walked through the early stages of a real attack using ethical hacking techniques, all of it documented with notes and evidence so the findings could be handed over transparently. The structure it followed is worth sharing, because the same shape applies almost everywhere, and because the conclusions it reaches are not the ones most people expect.

A note before the steps: everything below happens inside an agreed scope, with permission, and with the goal of producing a fix list rather than a trophy. The techniques are the same ones an attacker would use, which is exactly why running them yourself, ethically, is valuable. You find the holes before someone who isn't friendly does.

Start with what's already public (OSINT)

Before touching anything, you gather open-source intelligence: information that's already out there for anyone willing to look. A WHOIS lookup tells you who registered a domain, how long it has existed, where DNS and mail are hosted, and sometimes leaks contact details or the name of a third-party provider. Tools like theHarvester sweep for email addresses and subdomains tied to the target.

The interesting part isn't the raw data, it's what it implies. Is DNSSEC missing, leaving DNS responses open to spoofing? Is the site sharing a single IP address with a thousand other domains, which hints that an external party manages the infrastructure and widens the attack surface? Has the hosting moved around in ways that suggest loose change control? None of this is an attack yet. It's the map you draw before taking a single step, and a surprising amount of risk is already visible from your own desk, before you go anywhere near the target's network.
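The triage step described above, as an added example that is not code from the original post: the functions read WHOIS text and the answer to a `dig +short DS <domain>` query and turn them into the observations an assessor writes down (DNSSEC missing, DNS hosted by a third party, domain age, exposed contact addresses). Both inputs are constructed samples; the domain, provider, dates and address are placeholders.

```python
"""Triage raw OSINT output into assessor's observations (added example)."""
from datetime import date

# Constructed WHOIS output for a placeholder domain.
WHOIS_SAMPLE = """\
Domain Name: example-shop.test
Registrar: Example Registrar Ltd
Creation Date: 2021-03-14T10:22:31Z
Updated Date: 2024-07-01T08:00:00Z
Name Server: ns1.sharedhost.example
Name Server: ns2.sharedhost.example
Registrant Email: owner@example-shop.test
"""

# Constructed `dig +short DS example-shop.test` answer. An empty answer
# means the parent zone publishes no DS record, i.e. DNSSEC is not enabled.
DIG_DS_SAMPLE = ""


def parse_whois(text):
    """Pull the fields the assessment cares about out of WHOIS text."""
    info = {"name_servers": [], "emails": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "domain name":
            info["domain"] = value.lower()
        elif key == "registrar":
            info["registrar"] = value
        elif key == "creation date":
            info["created"] = date.fromisoformat(value[:10])
        elif key == "name server":
            info["name_servers"].append(value.lower())
        elif key.endswith("email"):
            info["emails"].append(value.lower())
    return info


def registrable_domain(hostname):
    """Last two labels of a hostname; enough for the sample inputs here."""
    return ".".join(hostname.rstrip(".").split(".")[-2:])


def dnssec_enabled(dig_ds_output):
    """A signed zone has at least one DS record published at its parent."""
    return any(line.strip() for line in dig_ds_output.splitlines())


def triage(whois_text, dig_ds_output, today):
    """Return the observations an assessor would note before any scan."""
    info = parse_whois(whois_text)
    findings = []
    if not dnssec_enabled(dig_ds_output):
        findings.append("DNSSEC missing: no DS record, DNS answers can be spoofed")
    # Name servers outside the target's own domain mean DNS is run elsewhere.
    third_party = {registrable_domain(ns) for ns in info["name_servers"]} - {info["domain"]}
    for provider in sorted(third_party):
        findings.append(f"DNS hosted by third party: {provider}")
    years = (today - info["created"]).days // 365
    findings.append(f"Domain age: {years} years (created {info['created'].isoformat()})")
    if info["emails"]:
        findings.append("Contact addresses exposed: " + ", ".join(info["emails"]))
    return findings


if __name__ == "__main__":
    for finding in triage(WHOIS_SAMPLE, DIG_DS_SAMPLE, date(2025, 1, 15)):
        print("-", finding)
```

The DS check is the part worth keeping: a zone is only DNSSEC-protected if its parent publishes a DS record for it, so an empty answer to that query is the quickest way to confirm the "DNSSEC missing" finding.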

OSINT also feeds every later phase. The email address you find here becomes the target of the phishing test. The provider you identify shapes what you expect to see on the network. Reconnaissance isn't a warm-up, it's the foundation the rest of the assessment is built on.

Map the network and the devices

Once on site, the next phase is reconnaissance of the actual environment. A ping sweep with a tool like Nmap (nmap -sn across the local subnet) reveals which devices are alive. Follow-up scans on each live host uncover open ports, running services and operating systems. You then cross-reference all of that against what you can physically see and photograph: IP cameras and the recorder they feed, VoIP desk phones, a point-of-sale terminal, the gateway router, a wireless access point, the odd office desktop.

The deliverable from this phase is a network map. Once you know what's connected and what each device does, the weak spots start to stand out on their own. A camera recorder exposing a management port. An access point with SSH open. A gateway with a web interface reachable from the wrong side. Individually these are small. Mapped together, they tell you where to look closely and where someone with bad intentions would too.
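The network-map step above, as an added example that is not code from the original post: it parses nmap's grepable output, cross-references each live host with the assessor's on-site notes, and lists which devices expose a management service to the whole LAN. The scan output, addresses, hostnames and device roles are all constructed placeholders.

```python
"""Nmap grepable output -> network map and exposed-management list (added example)."""
import re

# Constructed output of `nmap -sV -oG scan.gnmap 192.168.1.0/24`.
GNMAP_SAMPLE = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 192.168.1.0/24
Host: 192.168.1.1 (gateway.lan)\tStatus: Up
Host: 192.168.1.1 (gateway.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//lighttpd/\tIgnored State: closed (998)
Host: 192.168.1.20 (nvr.lan)\tStatus: Up
Host: 192.168.1.20 (nvr.lan)\tPorts: 80/open/tcp//http///, 554/open/tcp//rtsp///, 9000/open/tcp//cslistener///\tIgnored State: filtered (997)
Host: 192.168.1.30 (ap.lan)\tStatus: Up
Host: 192.168.1.30 (ap.lan)\tPorts: 22/open/tcp//ssh//dropbear/\tIgnored State: closed (999)
# Nmap done: 256 IP addresses (3 hosts up) scanned
"""

# What the assessor saw and photographed on site, keyed by the address the
# device was using (constructed).
PHYSICAL_NOTES = {
    "192.168.1.1": "gateway router",
    "192.168.1.20": "camera recorder (NVR)",
    "192.168.1.30": "wireless access point",
}

# Services that give administrative control and should not be reachable
# from every port on the LAN.
MANAGEMENT_SERVICES = {"ssh", "telnet", "http", "https"}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [(port, proto, service, version)]}},
    keeping only ports reported as open."""
    hosts = {}
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue
        ip, hostname, rest = match.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        if not rest.startswith("Ports: "):
            continue
        # Grepable format: port/state/protocol/owner/service/rpc/version/
        # with one entry per comma; the next field follows a tab.
        ports_field = rest[len("Ports: "):].split("\t")[0]
        for item in ports_field.split(", "):
            fields = item.split("/")
            port, state, proto, service, version = (
                fields[0], fields[1], fields[2], fields[4], fields[6])
            if state == "open":
                entry["ports"].append((int(port), proto, service, version))
    return hosts


def network_map(hosts, physical_notes):
    """Cross-reference the scan with the on-site notes: one row per device."""
    rows = []
    for ip in sorted(hosts):
        open_ports = ", ".join(f"{p}/{proto} {svc}" for p, proto, svc, _ in hosts[ip]["ports"])
        rows.append((ip, hosts[ip]["hostname"],
                     physical_notes.get(ip, "unidentified device"), open_ports))
    return rows


def flag_management_exposure(hosts, physical_notes):
    """Devices exposing a management service to the whole LAN."""
    flags = []
    for ip in sorted(hosts):
        role = physical_notes.get(ip, "unidentified device")
        for port, proto, service, _ in hosts[ip]["ports"]:
            if service in MANAGEMENT_SERVICES:
                flags.append((ip, role, f"{port}/{proto} {service}"))
    return flags


if __name__ == "__main__":
    scanned = parse_gnmap(GNMAP_SAMPLE)
    for row in network_map(scanned, PHYSICAL_NOTES):
        print(" | ".join(row))
    print("Management services reachable from the LAN:")
    for ip, role, svc in flag_management_exposure(scanned, PHYSICAL_NOTES):
        print(f"  {ip} ({role}): {svc}")
```

Any device that is not in the on-site notes shows up as "unidentified device", which is itself a finding: something is on the network that nobody could point to in the room.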

Don't skip physical security

This is the phase people forget, and it's often the easiest way in. During the assessment the single most striking finding had nothing to do with code: a room containing network equipment was simply unlocked, with nobody around. From there the exposure was obvious. The recorder had spare, active Ethernet ports, which meant anyone could plug a laptop straight into the internal network with no restriction at all. There was a free power outlet right next to it, which meant someone could quietly leave a small device behind, a Raspberry Pi or similar, plugged in and connected, as a permanent foothold that phones home long after the intruder has left.

Spare USB and video ports on the same device add more options: a malicious USB drive, an attempt at firmware tampering, or pulling data straight off the box.

The lesson is blunt. Digital defenses are close to pointless if a stranger can walk up and physically attach to your network. Locked doors, restricted areas and a habit of not letting unknown people wander through sensitive spaces are security controls, every bit as much as a firewall, and usually cheaper.

Probe the digital surface, gently

With the map in hand, you carefully test the exposed services, staying within scope. A device whose web interface is "protected" by only a four-digit PIN is a good example of weak-by-design: even with a short lockout after a few wrong attempts, the number of possible codes is so small that brute-forcing is a matter of time, not possibility, and a tool like Burp Suite can automate the attempts. An exposed file-sharing service is a potential entry point even when default passwords don't immediately work, because it's another door that shouldn't be open to the whole network.

Just as important is noticing what's done right, because an assessment is an honest picture, not a hit piece. A router that locks out logins for an increasing period after repeated failures is genuinely effective against brute force. A device that has already disabled an old, insecure protocol has reduced its own risk. Those are findings too, the reassuring kind, and naming them builds trust with the people you're reporting to.
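The two findings above, the four-digit PIN and the router whose lockout grows after each failure, can be put in numbers for the report. As an added example that is not code from the original post, the model below computes the worst-case time to try every code under a fixed lockout and under a doubling lockout; the policy parameters (three attempts per window, a five-minute or one-minute initial lockout, one second per attempt, a one-day cap) are constructed assumptions, not measurements from the assessed devices.

```python
"""Exhaustive-guess time under different lockout policies (added example)."""
import math


def worst_case_seconds(keyspace, attempts_per_window, lockout_seconds, attempt_seconds=1.0):
    """Seconds to try every code when every `attempts_per_window` wrong
    guesses trigger a fixed lockout. The expected time is about half this."""
    windows = math.ceil(keyspace / attempts_per_window)
    return keyspace * attempt_seconds + (windows - 1) * lockout_seconds


def worst_case_seconds_backoff(keyspace, attempts_per_window, base_lockout,
                               factor=2.0, max_lockout=86400, attempt_seconds=1.0):
    """Same, but each lockout is `factor` times the previous one, capped at
    `max_lockout`: the "increasing period" policy the text praises."""
    windows = math.ceil(keyspace / attempts_per_window)
    total = keyspace * attempt_seconds
    lockout = base_lockout
    for _ in range(windows - 1):
        total += lockout
        lockout = min(lockout * factor, max_lockout)
    return total


def describe(seconds):
    """Human-readable duration for the report."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"


def compare_policies():
    """Worst-case exhaustive-guess time for a few policies on the same login."""
    pin4, pin8 = 10**4, 10**8
    return {
        "4-digit PIN, no lockout": worst_case_seconds(pin4, pin4, 0),
        "4-digit PIN, 3 tries then 5 min lockout": worst_case_seconds(pin4, 3, 300),
        "4-digit PIN, 3 tries then doubling lockout from 1 min": worst_case_seconds_backoff(pin4, 3, 60),
        "8-digit PIN, 3 tries then 5 min lockout": worst_case_seconds(pin8, 3, 300),
    }


if __name__ == "__main__":
    for policy, seconds in compare_policies().items():
        print(f"{policy:55s} {describe(seconds)}")
```

The comparison makes the text's point concrete: a short fixed lockout stretches a four-digit space from hours to days, which is still "a matter of time", while either a growing lockout or a longer secret pushes the same attack into years.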

Test the human layer (phishing)

Most real attacks begin with a person, so a realistic assessment includes a controlled phishing test. In practice that means cloning a login page the targets would recognise, standing up a simple backend that records whether anyone submits credentials (and harmlessly redirects them onward so nothing actually breaks), and sending a believable message. Believable usually means impersonation: posing as a trusted partner, or as a real internal colleague whose name and role you found on a public profile like LinkedIn, written in the target's own language and tone with a personal greeting.

It's an uncomfortable test to run, but it answers the one question no scanner can: would a real employee actually click, and then actually type their password? The deliverable here isn't to embarrass anyone. It's hard evidence for why awareness training and multi-factor authentication are worth the investment, turning "people should be careful" into a measured result the organisation can act on.

The findings are almost never exotic

Every phase above points at the same conclusion. The serious risks were an unlocked door, a near-default PIN, a missing DNSSEC record, an internal port left open, and a willingness to trust an email because it carried a familiar name. None of it was a Hollywood zero-day. And so the recommendations were equally down to earth:

  • Lock the doors and restrict who can reach sensitive areas.
  • Deactivate unused network and USB ports, and keep equipment out of easy reach.
  • Segment the network so compromising one part doesn't hand over everything.
  • Keep systems patched so known vulnerabilities don't linger.
  • Run phishing-awareness training and turn on multi-factor authentication.

The real lesson

The value of an assessment isn't in finding something exotic. It's in methodically walking the same path an attacker would, from public records to the physical room to the inbox, writing down every small thing you find along the way, and turning a pile of unglamorous weaknesses into a short, honest, prioritised list of things to fix. Attackers are opportunists. They take the cheapest way in, and the cheapest way in is almost always one of these mundane, fixable gaps. Doing the boring work first is how you close them before anyone else goes looking.