Case studies

Anonymized walkthroughs of representative engagements.

Each case follows the same shape your portal does: scope, attack path with MITRE ATT&CK references, notable findings, the remediation cycle, and the outcome. Customer details are anonymized; the techniques, configurations, and remediation steps are representative of real engagements.

Case 01

Cross-account exfiltration path in a mid-market SaaS environment.

A representative engagement, with customer details anonymized. The customer is a B2B SaaS company in financial services; scope covered their public perimeter, web and API surfaces, and production AWS tenancy. The agent ran in review-before-exploitation mode — meaning every exploit attempt was paused for customer approval before it executed. The narrative below tracks the engagement from kickoff to validated remediation, in the form your team would see in the portal.

Engagement
eng_e2025_19
Sector
B2B SaaS, mid-market
Scope
External + Web/API + AWS production tenancy
Operator mode
Review before exploitation
Hosts in scope
312
Engagement window
11 days (4 active testing days)
Critical
2 findings
High
4 findings
Medium
5 findings
Low
3 findings
01 · Scope

What was in, what wasn’t.

Engagement scope covered three surfaces: the customer’s internet-facing perimeter (47 hosts across two cloud tenancies and a co-located edge), their primary web application and authenticated API (one production domain plus a staging subdomain), and their AWS production account (265 cloud resources across IAM, S3, RDS, ECS, and Lambda).

Explicitly out of scope: third-party SaaS integrations, the customer’s development AWS account, employee endpoints, and the corporate network. Out-of-scope assets were configured as hard guardrails in the engagement agreement and enforced by the agent throughout the engagement window.

02 · The path

External entry to demonstrated impact.

The agent reached customer-data exfiltration in five transitions over three active testing days. The trace below shows the route taken; dashed edges are alternate paths the agent surfaced but the customer declined to execute.

Attack path — SaaS cross-account exfiltration External entry through a staging admin panel, lateral pivot through a CI service account, cloud role abuse via cached credentials on a CI runner, and impact on a customer-data S3 bucket. MITRE ATT&CK techniques are labeled on each transition. EXTERNAL WEB / API IDENTITY CI / AD CLOUD DATA T1190 T1078 T1021 T1550 T1530 0.0.0.0/0 www.acme.io app.acme.io auth.staging.acme.dev mail.acme.io svc-jenkins svc-monitoring ci-runner-01 ci-runner-02 ad-prod-dc01 aws/role-deploy aws/role-readonly prod-bastion s3://customer-data CRITICAL · DATA EXFIL rds-prod-customers secrets-vault

The techniques below are MITRE ATT&CK references — the industry standard catalog of attacker behaviors.

T1190
Foothold: staging admin panel was reachable from the public internet and accepted credentials sprayed from a leaked-credential corpus.
T1078
Pivot: the staging admin role mapped to svc-jenkins, a CI service account with cross-environment privileges.
T1021
Lateral: session reuse against the production CI runner — the runner trusted the same SSO realm as staging.
T1550
Cloud: the runner held cached AWS credentials for an over-permissioned deploy role spanning prod and staging.
T1530
Impact: the deploy role had unrestricted read access to customer-data S3, including PII records for 142,000 end users.
03 · Notable findings

The two criticals.

Each finding in the portal carries the technique, the evidence the agent collected, and the exact command or request that produced it. Two are summarized below; the rest are detailed in the engagement report.

Critical F-019-001

Cross-account role-chain to customer-data S3

A deploy role used by the production CI runner held s3:GetObject against the customer-data bucket through an over-broad Resource: "*" policy clause inherited from a template. Combined with a stale Jenkins service-account credential reachable from a staging admin panel, an external attacker could traverse from public web to customer PII without ever entering the internal network.

Critical F-019-002

Staging admin reachable from public internet, accepting reused credentials

The staging admin panel at auth.staging.<customer>.dev was reachable without VPN and authenticated against the same SSO realm as the production environment. Two service accounts authenticated successfully using credentials present in a public credential dump; one of those accounts granted the role escalation path described in F-019-001.

04 · Remediation

Closed in nine days, validated on the platform.

  1. D+1
    Findings assigned in the portal

    The customer’s security lead assigned F-019-001 to their platform team and F-019-002 to their IT/identity team, both directly in the portal. Internal tickets were created via the Jira integration with full evidence attached.

  2. D+4
    F-019-002 remediated

    Staging admin placed behind the corporate VPN; SSO realms separated for staging and production; the two exposed service accounts rotated and added to the credential-rotation policy. Targeted retest triggered from the portal confirmed the panel was no longer reachable from the public internet.

  3. D+9
    F-019-001 remediated

    The deploy role’s S3 grants were scoped to the specific deployment-artifact buckets it needed; the wildcard clause was removed from the policy template. The CI runner’s cached credentials were rotated and the runner was configured to refuse stale tokens. Retest run from the customer’s deploy pipeline via the API; the validation result was returned to their CI workflow as a structured response.

  4. D+11
    Engagement closed; report issued

    Executive summary and technical report issued to the customer’s security and engineering leads. Customer used the report as evidence in their SOC 2 Type II audit later the same quarter. Two follow-on retests were run against the same scope in the months that followed.

05 · Outcome

What the customer took away.

A complete penetration test delivered in 11 calendar days from kickoff, with the executive summary and detailed technical report their auditor required. Both critical findings were closed inside the engagement window, and remediation was validated by on-demand retest rather than by a return engagement three months later.

Beyond the deliverables, the customer retained portal access to the engagement for the duration of their audit window, giving their assurance team a live workspace rather than a static PDF. Identical findings did not reappear in their next two quarterly engagements.

Case 02

From a sprayed cloud password to on-prem domain admin in a hybrid environment.

A representative engagement, with customer details anonymized. The customer is a mid-market manufacturing company running a hybrid identity environment — Microsoft Entra ID (formerly Azure AD) for cloud services, on-prem Active Directory for everything else, joined by Entra Connect. Scope covered their internet-facing services, full Azure tenant, and the on-prem Active Directory forest. The agent ran in review-before-exploitation mode — meaning every exploit attempt was paused for customer approval before it executed. The narrative below tracks the engagement from kickoff to validated remediation, in the form your team would see in the portal.

Engagement
eng_e2025_27
Sector
Manufacturing, mid-market
Scope
External + Azure/Entra + On-prem AD forest
Operator mode
Review before exploitation
Hosts in scope
412
Engagement window
14 days (5 active testing days)
Critical
3 findings
High
5 findings
Medium
7 findings
Low
4 findings
01 · Scope

What was in, what wasn’t.

Engagement scope covered three surfaces: the customer’s internet-facing perimeter (38 hosts across one Azure VNet and a co-located edge), their full Azure tenant (subscription policies, Entra ID configuration, Conditional Access policies, app registrations, service principals), and the on-prem Active Directory forest (single forest, two domains, four domain controllers, the Entra Connect server, and 327 Windows endpoints).

Explicitly out of scope: operational-technology and manufacturing-control systems, third-party SaaS integrations beyond M365, employee-owned endpoints, and the corporate guest WiFi. Out-of-scope assets were configured as hard guardrails in the engagement agreement and enforced by the agent throughout the engagement window.

02 · The path

Cloud foothold to on-prem domain compromise.

The agent reached on-prem domain-admin-level access in six transitions over four active testing days. The trace below shows the route taken; dashed edges are alternate paths the agent surfaced but the customer declined to execute.

Attack path — hybrid cloud-to-on-prem privilege chain External password spray against a legacy authentication endpoint validates a cloud service account, which holds Application Administrator rights in Entra ID. Those rights are used to add credentials to an existing service principal with subscription access. That service principal reaches the Entra Connect server, which exposes the directory synchronization account credential. The synchronization account has DCSync rights on the on-prem domain controller. A DCSync retrieves the krbtgt key, which is used to forge domain-admin-level Kerberos tickets, demonstrated against an engineering file share holding intellectual property. EXTERNAL M365 / AUTH ENTRA ACCOUNTS CLOUD APPS HYBRID BRIDGE ON-PREM AD T1110.003 T1078.004 T1098.001 T1003.006 T1558.001 0.0.0.0/0 outlook.office.com basic-auth.outlook teams.microsoft.com svc-finance svc-printsync svc-helpdesk sp/log-shipper sp/reporting-conn sp/cloud-monitor aad-connect-01 MSOL_a8f3... adfs-01 ad-prod-dc01 \\eng-fs01\CAD CRITICAL · IP EXFIL sql-prod-01

The techniques below are MITRE ATT&CK references — the industry standard catalog of attacker behaviors.

T1110.003
Foothold: a legacy Basic Authentication endpoint on Exchange Online remained enabled; svc-printsync authenticated from credentials present in a public credential dump.
T1078.004
Cloud foothold: the compromised account held the Application Administrator role in Entra ID, a residue of an earlier M365 migration.
T1098.001
Privilege chain: App Administrator rights let the agent add credentials to an existing service principal (sp/reporting-conn) that held Global Reader plus an Azure Subscription Contributor role.
T1003.006
On-prem pivot: the Entra Connect server exposed a recoverable copy of the directory sync account (MSOL_xxx) credential, which holds DCSync rights on the on-prem domain by design.
T1558.001
Impact: DCSync retrieved the krbtgt key; golden-ticket forgery enabled domain-admin-level access, demonstrated against an engineering file share holding CAD intellectual property.
03 · Notable findings

The two criticals.

Each finding in the portal carries the technique, the evidence the agent collected, and the exact command or request that produced it. The two criticals that defined the engagement are summarized below; the third critical and the rest of the findings are detailed in the engagement report.

Critical F-027-001

Privilege chain from Entra Application Administrator to on-prem Domain Admin via Entra Connect

A service account in the Entra ID tenant held the Application Administrator role, which permits adding credentials to existing service principals. One such principal held privileges that, combined with access to the Entra Connect server, allowed retrieval of the directory sync account credential. That account had DCSync rights on the on-prem domain by design, which the agent used to derive the krbtgt key and forge domain-admin-level Kerberos tickets. The chain went from a sprayed cloud credential to full on-prem domain compromise without crossing any trust boundary the customer had explicit visibility into.

Critical F-027-002

Legacy authentication endpoint accepting sprayed credentials, bypassing Conditional Access

A legacy Basic Authentication endpoint on the Exchange Online tenant remained enabled and authenticated against the primary Entra ID realm. The service account svc-printsync was successfully authenticated using credentials present in a public credential dump. Conditional Access policies were configured to require MFA for interactive sign-ins but did not apply to legacy authentication protocols — a known but easy-to-miss policy gap.

04 · Remediation

Closed in twelve days, validated on the platform.

  1. D+1
    Findings assigned in the portal

    The customer’s security lead assigned F-027-001 to their identity team and F-027-002 to their M365 administrators, both directly in the portal. Internal tickets were created via the Jira integration with full evidence attached.

  2. D+5
    F-027-002 remediated

    Legacy Authentication disabled tenant-wide. The exposed service-account credentials rotated and added to the credential-rotation policy. Conditional Access policies updated to block legacy authentication for all accounts, including service accounts. Targeted retest from the portal confirmed the endpoints no longer accept credentials.

  3. D+12
    F-027-001 remediated

    Application Administrator role removed from the service account. The Entra Connect server hardened: moved to a Tier-0-isolated subnet, just-in-time admin access enforced via Privileged Identity Management, the directory sync credential rotated and protected via Entra Connect’s encrypted credential store. The agent retest path through the chain now fails at the Application Administrator step.

  4. D+14
    Engagement closed; report issued

    Executive summary and technical report issued to the customer’s security and IT leadership. The customer used the findings to scope a broader Tier-0 hardening project across their Entra Connect and ADFS infrastructure the following quarter.

05 · Outcome

What the customer took away.

A complete penetration test demonstrating a critical cloud-to-on-prem privilege chain, delivered in 14 calendar days from kickoff. Both critical findings were closed inside the engagement window, and remediation was validated by on-demand retest rather than by a return engagement.

Beyond the deliverables, the engagement surfaced a misconfiguration class — legacy authentication, an over-privileged cloud service account, and insufficient Tier-0 segregation around Entra Connect — that the customer’s security team now reviews on a quarterly cadence. The findings were also cited as supporting evidence in their cyber-insurance renewal the following quarter.

Additional engagement summaries available under NDA

See an engagement run against your environment.

A thirty-minute walkthrough — portal, API, report, operator modes — on a staged environment.

Book a demo Contact our team