
Government VAPT — 200+ servers, 40+ applications

Sector: Government · Engagement: VAPT (Black-box + Grey-box) · Window: multi-month

200+ servers in scope · 40+ applications · ~40% exposure reduction (retest)

Engagement context

A government department running a mixed estate of internal services, citizen-facing portals, and back-office applications commissioned a comprehensive VAPT covering both server infrastructure and the application surface running on top. Scope spanned 200+ servers (Linux + Windows, mixed hypervisor and bare-metal) and 40+ applications across web, internal API, and a number of legacy thick-client systems still active in operations.

Methodology

Engagement ran in five phases over a multi-month window:

  1. Reconnaissance & asset validation. Cross-checked supplied scope against discovered surface — added previously-undocumented internal services to the inventory.
  2. Vulnerability assessment. Authenticated and unauthenticated scanning across all servers and applications. Dedupe, false-positive triage, and severity normalisation.
  3. Manual exploitation. Authentication bypasses, privilege escalation, server-side request forgery, file upload chain abuse, and IDOR confirmation. Each finding manually validated with a reproducible PoC.
  4. Reporting. Per-finding entries with CVSS v3.1 scoring, business-impact narrative, and remediation steps mapped to the actual stack — not generic OWASP boilerplate.
  5. Retest. All Critical and High findings retested 30 days post-remediation. Closure rate quantified and documented.

Tooling

Burp Suite Professional, Nessus, Nuclei, Nmap, Wireshark, Metasploit, BloodHound, CrackMapExec, custom Python tooling for the legacy thick-client traffic. Configuration audits referenced CIS Benchmarks for the OS / database baselines and NIST SP 800-115 for the overall test programme structure.

Representative findings

Classes of issues surfaced (specifics withheld under engagement NDA):

  • Authentication bypass on a citizen-facing portal via header manipulation; full account-takeover path.
  • Server-side request forgery in an internal admin tool reaching cloud metadata services.
  • Active Directory misconfigurations exposing service accounts to Kerberoasting; escalation path to Tier-0 mapped.
  • Reflected and stored XSS chains across multiple applications sharing a common front-end framework.
  • Outdated middleware components with known RCE CVEs reachable from the perimeter.

Outcomes

  • ~40% reduction in overall vulnerability exposure measured between initial assessment and 30-day retest.
  • All Critical and High findings remediated and re-validated within the retest window.
  • Active-Directory hardening backlog produced, with CIS-aligned guardrails for the next operational cycle.
  • Departmental security team adopted Nuclei templates from the engagement into their continuous monitoring pipeline.

Why it worked

Single-operator-led scoping and reporting kept the technical narrative coherent across 40+ applications. Manual exploitation chains gave the department's engineers a clear “why this matters” rather than a wall of CVSS scores, which materially shortened the remediation conversation.

Engagement of similar scope?

Tell us about it. We'll come back with a written scope and timeline within one business day.
