
Shipping & Logistics — Enterprise VAPT (2000+ servers, 65+ apps)

Sector: Shipping & Logistics · Engagement: Enterprise VAPT · Window: rolling, multi-quarter

2000+
Servers in scope
65+
Applications
~80%
Risk reduction (retest)

Engagement context

An enterprise shipping & logistics group running operations across multiple geographies commissioned a rolling VAPT programme covering its complete production estate. The footprint included a global Active Directory forest, customer-facing freight booking portals, internal logistics dashboards, partner APIs, and a heavy backbone of internal microservices supporting cargo tracking and customs workflows.

Methodology

Phased delivery across multiple quarters to keep operational risk manageable:

  1. Wave-based scoping. Estate carved into priority waves — perimeter-exposed first, internal AD second, then progressively the partner-facing APIs and back-office applications.
  2. External attack-surface mapping. Asset enumeration, certificate transparency cross-references, exposed cloud assets, and shadow-IT inventory before active testing.
  3. Authenticated & unauthenticated VAPT. Web app + API testing aligned to OWASP Top 10 and OWASP API Top 10. Active Directory testing using BloodHound for attack-path enumeration.
  4. Manual exploitation chains. Validated business-logic flaws and authentication-flow weaknesses that scanners cannot detect — cross-tenant data exposure across customer accounts, partner-API token replay, and lateral movement chains across the AD forest.
  5. Reporting cadence. Per-wave technical report plus an executive summary; a single rollup at the end of the programme for board reporting.
  6. Continuous retest. Each wave retested 30 days after the engineering team closed findings. Closure metrics rolled into the next wave's scope.
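
The attack-path enumeration in step 3 comes down to a small number of attribute checks once the directory has been collected. The block below is an added example, not tooling from the engagement or from BloodHound: it triages constructed AD records (hypothetical account and host names) for the two conditions that later produced the Tier-0 path, Kerberoastable service accounts and non-DC hosts with unconstrained delegation, and lists the privileged accounts that are still allowed to be delegated to such a host. In a real run the same attributes come over LDAP rather than being hard-coded.

```python
"""Triage of Active Directory objects for Kerberoastable service accounts and
unconstrained delegation.

Added example. The records below are constructed, not data from the engagement;
a real run would pull the same attributes over LDAP (ldap3, BloodHound collectors)
instead of hard-coding them.
"""
from dataclasses import dataclass, field

# userAccountControl flag bits (per the Microsoft userAccountControl documentation).
UAC_ACCOUNTDISABLE = 0x0002
UAC_TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained delegation on this object
UAC_NOT_DELEGATED = 0x100000           # "Account is sensitive and cannot be delegated"

RID_DOMAIN_CONTROLLERS = 516  # primaryGroupID of DC computer objects, which legitimately hold the flag


@dataclass
class AdObject:
    sam: str                     # sAMAccountName
    object_class: str            # "user" or "computer"
    uac: int                     # userAccountControl
    spns: list = field(default_factory=list)  # servicePrincipalName values
    primary_group_id: int = 513  # Domain Users / Domain Computers unless stated
    admin_count: int = 0         # adminCount=1: member of a protected (AdminSDHolder) group


def is_kerberoastable(o: AdObject) -> bool:
    """Enabled user account with at least one SPN: any domain user can request a
    service ticket for it and crack the ticket offline. krbtgt is skipped."""
    return (o.object_class == "user" and bool(o.spns)
            and not o.uac & UAC_ACCOUNTDISABLE and o.sam.lower() != "krbtgt")


def has_unconstrained_delegation(o: AdObject) -> bool:
    """TRUSTED_FOR_DELEGATION set on a non-DC: every TGT sent to this host is cached there."""
    return bool(o.uac & UAC_TRUSTED_FOR_DELEGATION) and o.primary_group_id != RID_DOMAIN_CONTROLLERS


def delegatable_privileged(objects):
    """Privileged accounts that may still be delegated, i.e. whose TGT a compromised
    unconstrained-delegation host could reuse. The fix is NOT_DELEGATED (or Protected
    Users membership) on each of these."""
    return [o.sam for o in objects
            if o.object_class == "user" and o.admin_count == 1
            and not o.uac & UAC_NOT_DELEGATED]


def triage(objects):
    """Flag the two conditions; a Kerberoastable account that is also privileged is high."""
    findings = []
    for o in objects:
        if is_kerberoastable(o):
            findings.append((o.sam, "kerberoastable", "high" if o.admin_count else "medium"))
        if has_unconstrained_delegation(o):
            findings.append((o.sam, "unconstrained-delegation", "high"))
    return findings


# Constructed sample estate (hypothetical names and values).
SAMPLE = [
    AdObject("svc_sql", "user", 0x10200, ["MSSQLSvc/db01.corp.example:1433"], admin_count=1),
    AdObject("svc_legacy", "user", 0x10202, ["HTTP/old01.corp.example"]),        # disabled
    AdObject("krbtgt", "user", 0x202, ["kadmin/changepw"]),
    AdObject("WEB01$", "computer", 0x81000, ["HOST/web01.corp.example"], primary_group_id=515),
    AdObject("DC01$", "computer", 0x82000, ["HOST/dc01.corp.example"], primary_group_id=516),
    AdObject("da.alice", "user", 0x200, admin_count=1),
    AdObject("da.bob", "user", 0x100200, admin_count=1),   # already marked NOT_DELEGATED
]

if __name__ == "__main__":
    for sam, kind, sev in triage(SAMPLE):
        print(f"{sev:6} {kind:25} {sam}")
    print("privileged accounts still delegatable:", delegatable_privileged(SAMPLE))
```

The two lists together are the path the finding describes: crack `svc_sql` offline, or coerce `da.alice` to authenticate to `WEB01$` and reuse the cached TGT. DC01$ is excluded on purpose; domain controllers carry the delegation flag by design and are not a finding.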

Tooling

Burp Suite Professional, Nuclei (custom templates for the group's in-house frameworks), Nmap, Nessus, BloodHound, CrackMapExec, Mimikatz, Impacket suite, ScoutSuite for AWS posture review, and Postman / custom scripts for the partner APIs. Frameworks referenced: OWASP ASVS L2, OWASP API Top 10, MITRE ATT&CK Enterprise, CIS Benchmarks for OS / DB hardening.

Representative findings

  • Cross-tenant data exposure on the freight booking portal: broken access control let an authenticated customer enumerate other customers' consignment IDs and read the records behind them.
  • Partner-API JWT secret reuse across staging and production: the same signing secret was deployed to both environments, so a token minted in staging was valid against production; the replay window was mapped end-to-end.
  • Active Directory: Kerberoastable service accounts plus an unconstrained-delegation host, together providing a path to Tier-0 within the forest.
  • Multiple internal applications still running outdated middleware with public RCE PoCs available, reachable from compromised user-tier hosts.
  • Cloud bucket misconfiguration leaking historical telemetry data; remediated within hours of disclosure.
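
The portal finding is the classic tenant-scoping bug: the caller is authenticated, but the lookup is keyed only on the identifier the caller supplies. The block below is an added example and not the portal's code; the table, tenant names and sequential consignment IDs are constructed, with an in-memory SQLite database standing in for the datastore. It shows the vulnerable lookup beside the fixed one and the enumeration a tester runs against each.

```python
"""Cross-tenant consignment lookup: the broken-access-control pattern beside its fix.

Added example, not code from the portal. Table, tenant names and consignment IDs are
constructed; an in-memory SQLite database stands in for the portal's datastore.
"""
import sqlite3

COLUMNS = ("id", "tenant_id", "ref", "status")


class NotFound(Exception):
    pass


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE consignment (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,"
                 " ref TEXT NOT NULL, status TEXT NOT NULL)")
    conn.executemany("INSERT INTO consignment VALUES (?, ?, ?, ?)", [
        (1001, "acme", "ACME-0077", "in transit"),
        (1002, "globex", "GBX-0012", "customs hold"),
        (1003, "acme", "ACME-0078", "delivered"),
        (1005, "initech", "INI-0301", "booked"),
    ])
    return conn


def get_consignment_vulnerable(conn, caller_tenant: str, consignment_id: int) -> dict:
    """The caller is authenticated (caller_tenant is known), but the query is keyed only
    on the ID the caller supplied, so any tenant can read any row."""
    row = conn.execute("SELECT id, tenant_id, ref, status FROM consignment WHERE id = ?",
                       (consignment_id,)).fetchone()
    if row is None:
        raise NotFound
    return dict(zip(COLUMNS, row))


def get_consignment_fixed(conn, caller_tenant: str, consignment_id: int) -> dict:
    """Tenant scoping is part of the query, not a check bolted on after the fetch.
    A foreign ID and a nonexistent ID both raise NotFound, so the endpoint does not
    reveal which IDs exist."""
    row = conn.execute("SELECT id, tenant_id, ref, status FROM consignment"
                       " WHERE id = ? AND tenant_id = ?",
                       (consignment_id, caller_tenant)).fetchone()
    if row is None:
        raise NotFound
    return dict(zip(COLUMNS, row))


def enumerate_foreign(lookup, conn, caller_tenant: str, start: int, stop: int) -> list:
    """What the tester does: authenticate as one tenant, walk the sequential ID space,
    and record every consignment that belongs to someone else."""
    foreign = []
    for cid in range(start, stop):
        try:
            row = lookup(conn, caller_tenant, cid)
        except NotFound:
            continue
        if row["tenant_id"] != caller_tenant:
            foreign.append(cid)
    return foreign


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", enumerate_foreign(get_consignment_vulnerable, db, "acme", 1000, 1010))
    print("fixed:     ", enumerate_foreign(get_consignment_fixed, db, "acme", 1000, 1010))
```

Scoping the query to the tenant is the fix; moving to non-sequential identifiers only raises the cost of the walk and should not be relied on by itself.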

Outcomes

  • ~80% reduction in measured risk exposure between initial assessment and retest, aggregated across the programme's waves.
  • Closed AD attack paths to Tier-0 with concrete configuration changes, validated on retest.
  • API gateway re-architected so partner secrets rotate independently — measured replay-window collapse from days to minutes.
  • The engineering organisation's SDLC absorbed several Nuclei templates from the engagement as CI gates.
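
The partner-API finding and the gateway re-architecture above are two sides of one token-handling change. The block below is an added example, not the gateway's code: it implements HS256 directly on `hmac`/`hashlib` so it runs without a JWT library, and contrasts the legacy behaviour (one secret shared by staging and production, week-long tokens, no replay tracking) with per-environment keys, an `aud` claim bound to the environment, a five-minute expiry and a one-shot `jti`. Keys, claim values, the partner ID and the fixed clock are all constructed.

```python
"""Partner-API token handling: shared-secret, long-lived tokens beside per-environment,
short-lived, replay-checked ones.

Added example, not the gateway's code. HS256 is implemented on hmac/hashlib so the
block runs without a JWT library; keys, claim values and the clock are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, key: bytes) -> str:
    """HS256 JWT: base64url(header).base64url(claims).base64url(HMAC-SHA256)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify(token, key, now, env=None, seen_jti=None):
    """Returns (accepted, reason). env=None and seen_jti=None reproduce the legacy
    gateway, which checked only signature and expiry."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    if json.loads(_unb64(header)).get("alg") != "HS256":
        return False, "unexpected alg"          # the token never chooses the algorithm
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    if now >= claims.get("exp", 0):
        return False, "expired"
    if env is not None and claims.get("aud") != env:
        return False, "wrong environment"
    if seen_jti is not None:
        jti = claims.get("jti")
        if not jti or jti in seen_jti:
            return False, "replayed"
        seen_jti.add(jti)                       # one-shot: a captured token is useless once used
    return True, "ok"


NOW = 1_700_000_000  # fixed clock so the scenarios are deterministic (constructed)

# Before: one secret deployed to both environments (constructed value).
SHARED_SECRET = b"constructed-secret-shared-by-staging-and-prod"
# After: independent per-environment keys that rotate on their own schedule.
STAGING_KEY = secrets.token_bytes(32)
PROD_KEY = secrets.token_bytes(32)


def before():
    """Token minted for staging with a 7-day lifetime and no jti: production accepts it,
    and keeps accepting the same token for days."""
    token = mint({"sub": "partner-42", "exp": NOW + 7 * 86400}, SHARED_SECRET)
    first = verify(token, SHARED_SECRET, NOW)
    day_3 = verify(token, SHARED_SECRET, NOW + 3 * 86400)
    return first[1], day_3[1]


def after():
    """Per-environment key, aud bound to the environment, 5-minute exp, one-shot jti."""
    seen = set()
    staged = mint({"sub": "partner-42", "aud": "staging", "exp": NOW + 300, "jti": "t1"}, STAGING_KEY)
    cross_env = verify(staged, PROD_KEY, NOW, env="prod", seen_jti=seen)
    live = mint({"sub": "partner-42", "aud": "prod", "exp": NOW + 300, "jti": "t2"}, PROD_KEY)
    first = verify(live, PROD_KEY, NOW, env="prod", seen_jti=seen)
    replay = verify(live, PROD_KEY, NOW + 10, env="prod", seen_jti=seen)
    stale = mint({"sub": "partner-42", "aud": "prod", "exp": NOW + 300, "jti": "t3"}, PROD_KEY)
    late = verify(stale, PROD_KEY, NOW + 600, env="prod", seen_jti=seen)
    return cross_env[1], first[1], replay[1], late[1]


if __name__ == "__main__":
    print("before:", before())
    print("after: ", after())
```

The `aud` check matters even with separate keys: it catches the day someone copies a production key into staging again. The `jti` set is the piece that turns "replay window" from a duration into zero; in a real gateway it lives in a shared store with a TTL equal to the token lifetime.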

Why it worked

Wave-based scoping kept the operational impact predictable. The retest cadence after each wave meant engineering owned a tight feedback loop instead of a quarterly “dump” — which is the failure mode of most enterprise VAPT programmes.

Running a multi-quarter programme?

Wave-based VAPT keeps risk manageable while clearing real attack paths. Ask for a programme outline.
