April 1, 2019

Case Study: Automated Vulnerability Scans vs. Full Penetration Tests

Attention to Detail – More than just automated scans

Download the PDF

A well-known client had a secure network according to assessments conducted by other firms. The client had previously worked with a large top-tier security company who provided regular security scans and had not observed any lapses in their security posture.

The network in question was not different from many we encounter; a moderately sized subnet with 500 or more nodes. The network is part of a global network with segmentation applied to only allow partial access between the two networks. The client wanted to be sure that they were not missing anything and came to Loki Labs to see if we could identify any vulnerabilities.

Our team of seasoned analysts, operators, and developers follow a standard multi-phased methodology that aligns with our service offerings. This approach was learned and refined over years from experience in Computer Network Operations for government, military, and commercial clients against a wide range of targets. For this client, the approach included:

  • Open source intelligence (OSINT) gathering and reconnaissance
  • Vulnerability scanning and enumeration
  • Exploitation and advanced threat techniques, tactics, and procedures
  • Further network expansion

OSINT and Reconnaissance

Loki performed open source reconnaissance before beginning the vulnerability scanning against the external and internal networks. During the OSINT phase, Loki searches for any information to help identify passwords in use, documents with pertinent information to aid in the penetration test, or any network information that exists on the internet.

Through open source reconnaissance Loki was able to discover account credentials available on the internet through a web service, HaveIBeenPwned. This is a website that identifies the availability of hacked credential material contained in security breaches.

Vulnerability Scanning

While the OSINT research continued, Loki began scanning the client’s internal and external networks to map out the terrain and determine if any vulnerabilities could be identified. These scans are an efficient way to probe for known vulnerabilities, as well enumerate the ports and services available on the network. Most of the commercially available tools will provide stylized reports for you, detailing what the scan discovered.

Exploitation and Advanced Threat Techniques, Tactics, and Procedures

From years of experience in the US Department of Defense and Intelligence Community, Loki knows that a simple vulnerability scan never tells the whole story. Our team of analysts, operators, and developers have years of experience working on obtaining access to high value targets that require more than googling CVEs or seeing what is available in Metasploit.
The Loki team was looking for more access to find business critical data. We were able to gain access to a server by using information gained during the initial phases of the assessment. This system proved critical to expanding and elevating our access in the network.

Further Network Expansion

By using the credentials gathered during the OSINT and Scanning and Enumeration phases, Loki was able execute additional scans which provided information on the configuration of the network’s domain. This information combined with the footholds Loki established provided a path to gain the necessary access to completely take over the network and domain. While the scope of this assessment prevented Loki from moving further up into the global network, little could have stopped us with this level of access.


Automated scans provide organizations with useful information about their networks. However, they are just one step in the overall process of evaluating the security posture of a network. Experienced subject matter experts are needed to conduct a complete analysis of all available information and produce actionable insights. A thorough security evaluation needs to include many aspects of your organization’s communications, operational infrastructure, and threat model in order to be effective.

What sets Loki Labs apart from other security companies is our ability to emulate the mindset of malicious cyber actors most likely to target them and help organizations protect against them. In this case, we found vulnerabilities on this client’s network that previous companies had not.

The client was provided an extensive write-up of the security findings, including specific remediation suggestions to prevent future attacks. We bring this expertise and top-of-the-line service to all of our clients, where we provide customized solutions for their cybersecurity needs.


– April 1, 2019