Case Study: Consulting Company – Security Testing of Web Resources and Infrastructure

Client:
A consulting company providing full-cycle services for bringing pharmaceutical and medical products to the Eurasian markets
Industry:
Healthcare
Focus:
Protection of confidential data and compliance with regulatory and partner security requirements
Main challenge:
Ensuring compliance with the information security standards of a potential business partner
Market:
Eurasian countries
Services provided:
Black-box pentest of two web resources with different domain zones (UA and UK), and assessment of related infrastructure components
Key Takeaways
  • Conducted black-box pentest of two web resources and infrastructure components
  • Identified 19 vulnerabilities: 1 critical, 8 medium, 7 low, and 3 informational
  • Delivered a detailed technical report with recommendations to meet security standards
  • 2 weeks to complete the testing
  • 19 vulnerabilities identified
  • 100% of project goals achieved
    Is it possible to prepare a global company’s digital assets to meet partnership security requirements in just two weeks? Yes, it is! A consulting company hired Datami to perform a black-box pentest of its web resources and infrastructure. Our team identif

    The client is an international company that provides consulting services in the pharmaceutical and medical device sectors. It supports brands at every stage of entering the Eurasian markets — from regulatory strategy to certification, marketing, and localization.

    As the company operates in a regulated industry and is partially involved with medical data, information security and compliance with partner requirements and international standards are top priorities.

    Objectives and challenges
    The company approached Datami for security testing as part of its preparation for a strategic partnership. The potential partner had specific information security requirements, and meeting them was a key condition for collaboration.

    The goal of the project was to evaluate the security posture of public-facing digital assets: web resources with UK and UA domains and related infrastructure components.
    • Conduct black-box penetration testing without access to source code or internal systems
    • Identify vulnerabilities, assess their severity, and map out possible attack vectors
    • Deliver a structured report with findings and recommendations to improve security posture
    • Penetration testing: External black-box testing of web resources and infrastructure
    • Threat identification: Risk analysis of public domains and digital services
    • Report and recommendations: Summary of findings and actionable steps to meet partner security requirements
    Our approach

    We applied a black-box pentest — the team had no prior access to source code or internal systems, which allowed us to simulate the actions of a real attacker.

    The assessment covered two web resources with Ukrainian and British domains, along with associated infrastructure components.

    We combined manual and automated techniques, using modern scanners and attack simulation methods.

    Despite limited visibility, the testing successfully identified vulnerabilities of varying severity — from configuration issues to technical flaws.

    Black-box
    The testing was performed without access to internal information — only from the perspective of an external user, closely simulating real-world cyber threats.
    Key project stages and solutions

    During the testing, the Datami team followed a structured approach focused on external testing without access to internal information.

    This ensured maximum realism and allowed us to evaluate the system’s resilience to attacks while meeting the partner’s security requirements.

    • Preparation
      Analysis of public resources, clarification of the scope, and identification of testing priorities.
    • Pentest Execution
      External black-box testing of two web resources and related infrastructure components. A combination of automated scanners and manual verification was used.
    • Analysis and Reporting
      Preparation of a report detailing the discovered vulnerabilities (1 High, 8 Medium, 7 Low, 3 Informational) along with recommendations for remediation and improved protection.
    Results and recommendations

    At the start of the project, the client’s digital assets faced elevated risks: outdated CMS components were discovered, potentially exposing the systems to attack vectors. The public-facing infrastructure lacked adequate protection and access controls.

    During the black-box pentest, the Datami team identified 19 vulnerabilities: 1 high-risk (unauthorized access to the admin panel), 8 medium, 7 low, and 3 informational.

    The client received clear recommendations to improve security, including:

    1. updating all CMS components to the latest versions;
    2. implementing additional access controls for critical areas;
    3. monitoring and configuring event logging;
    4. fixing vulnerabilities in plugins and infrastructure configurations.

    After implementing these recommendations, the risk of cyberattacks was significantly reduced. The company avoided potential reputational and financial losses associated with the leakage of sensitive data.

    The project was completed within two weeks. All critical vulnerabilities were promptly addressed by the client upon receiving the technical report.

    Key project takeaways

    The project gave the company a clear understanding of the cybersecurity status of its digital assets, along with concrete steps to eliminate vulnerabilities and improve compliance with information security standards.

    Penetration testing enabled the client to prepare for partner compliance requirements without risking sensitive data exposure. All project goals were achieved within the planned timeframe.

    Before the project vs. after implementation, by aspect:

    • Security posture
      Before the project: High risk due to outdated CMS components and lack of protection
      After implementation: 19 vulnerabilities identified; remediation steps provided
    • Critical vulnerabilities
      Before the project: Risk of unauthorized access to protected areas of web resources
      After implementation: 1 critical issue discovered and promptly resolved by the client
    • Account compromise
      Before the project: Potential due to exposed interfaces and weak configurations
      After implementation: Risk reduced after restricting access and updating systems
    • Security compliance
      Before the project: Partial compliance with partner requirements
      After implementation: Access control strengthened; implementation of recommendations initiated
    May 10, 2025