Case Study: Consulting Company – Security Testing of Web Resources and Infrastructure

Client:

A consulting company providing full-cycle services for bringing pharmaceutical and medical products to the Eurasian markets

Industry:

Healthcare

Focus:

Protection of confidential data and compliance with regulatory and partner security requirements

Main challenge:

Ensuring compliance with the information security standards of a potential business partner

Market:

Eurasian countries

Services provided:

Black-box pentest of two web resources with different domain zones (UA and UK), and assessment of related infrastructure components

Key Takeaways

Conducted black-box pentest of two web resources and infrastructure components

Identified 19 vulnerabilities: 1 critical, 8 medium, 7 low, and 3 informational

Delivered a detailed technical report with recommendations to meet security standards

weeks to complete the testing

vulnerabilities identified

100%

of project goals achieved

Case Study: Consulting Company – Security Testing of Web Resources and Infrastructure

Mar 7, 2025

14 min

Is it possible to prepare a global company’s digital assets to meet partnership security requirements in just two weeks? Yes, it is! A consulting company hired Datami to perform a black-box pentest of its web resources and infrastructure. Our team identified 19 vulnerabilities and delivered effective recommendations to enhance cybersecurity.

The client is an international company that provides consulting services in the pharmaceutical and medical device sectors. It supports brands at every stage of entering the Eurasian markets — from regulatory strategy to certification, marketing, and localization.

As the company operates in a regulated industry and is partially involved with medical data, information security and compliance with partner requirements and international standards are top priorities.

Objectives and challenges

The company approached Datami for a security testing as part of its preparation for a strategic partnership. The potential partner had specific information security requirements — meeting them was a key condition for collaboration.

The goal of the project was to evaluate the security posture of public-facing digital assets: web resources with UK and UA domains and related infrastructure components.

Conduct black-box penetration testing without access to source code or internal systems
Identify vulnerabilities, assess their severity, and map out possible attack vectors
Deliver a structured report with findings and recommendations to improve security posture

Penetration testing

External black-box testing of web resources and infrastructure

Threat identification

Risk analysis of public domains and digital services

Report and recommendations

Summary of findings and actionable steps to meet partner security requirements

Datami Methodology: Security Testing of Digital Infrastructure

Our approach

We applied a black-box pentest — the team had no prior access to source code or internal systems, which allowed us to simulate the actions of a real attacker.

The assessment covered two web resources with Ukrainian and British domains, along with associated infrastructure components.

We combined manual and automated techniques, using modern scanners and attack simulation methods.

Despite limited visibility, the testing successfully identified vulnerabilities of varying severity — from configuration issues to technical flaws.

Black-box

The testing was performed without access to internal information — only from the perspective of an external user, closely simulating real-world cyber threats.

Key project stages and solutions

During the testing, the Datami team followed a structured approach focused on external testing without access to internal information.

This ensured maximum realism and allowed us to evaluate the system’s resilience to attacks while meeting the partner’s security requirements.

Preparation

Analysis of public resources, clarification of the scope, and identification of testing priorities.
Pentest Execution

External black-box testing of two web resources and related infrastructure components. A combination of automated scanners and manual verification was used.
Analysis and Reporting

Preparation of a report detailing the discovered vulnerabilities (1 High, 8 Medium, 7 Low, 3 Informational) along with recommendations for remediation and improved protection.

Fewer critical risks — more confidence

Results and recommendations

At the start of the project, the client’s digital assets faced elevated risks: outdated CMS components were discovered, potentially exposing the systems to attack vectors. The public-facing infrastructure lacked adequate protection and access controls.

During the black-box pentest, the Datami team identified 19 vulnerabilities: 1 high-risk (unauthorized access to the admin panel), 8 medium, 7 low, and 3 informational.

The client received clear recommendations to improve security, including:

updating all CMS components to the latest versions;
implementing additional access controls for critical areas;
monitoring and configuring event logging;
fixing vulnerabilities in plugins and infrastructure configurations.

After implementing these recommendations, the risk of cyberattacks was significantly reduced. The company avoided potential reputational and financial losses associated with the leakage of sensitive data.

The project was completed within two weeks. All critical vulnerabilities were promptly addressed by the client upon receiving the technical report.

Key project takeaways

This case study demonstrated how the project provided the company with a clear understanding of the cybersecurity status of its digital assets, along with concrete steps to eliminate vulnerabilities and improve compliance with information security standards.

Penetration testing enabled the client to prepare for partner compliance requirements without risking sensitive data exposure. All project goals were achieved within the planned timeframe.

Aspect

Before the project

After implementation

Security posture

High risk due to outdated CMS components and lack of protection

19 vulnerabilities identified; remediation steps provided

Critical vulnerabilities

Risk of unauthorized access to protected areas of web resources

1 critical issue discovered and promptly resolved by the client

Account compromise

Risk of unauthorized access to protected areas of web resources

1 critical issue discovered and promptly resolved by the client

Account compromise

Potential due to exposed interfaces and weak configurations

Risk reduced after restricting access and updating systems

Security compliance

Partial compliance with partner requirements

Access control strengthened; implementation of recommendations initiated

Case: Scheduled Penetration Testing of Mobile Applications and Internal Network

Critical, medium, and low vulnerabilities were identified in mobile applications and the network
Risks were demonstrated through public Wi-Fi access and bypassing network restrictions

Services:

Mobile app pentesting, infrastructure penetration testing

Jun 20, 2025

Distribution Company Case: Penetration Test with Red Teaming Elements

21 vulnerability identified: 8 medium, 12 low, and 1 informational
Simulated internal attack: Wi-Fi password successfully cracked

Services:

Black-box penetration test with elements of Red Teaming

Jun 6, 2025

Case Fraudline: Scheduled Pentest of a Whistleblowing Platform

Identified 6 technical vulnerabilities: 5 low-risk and 1 informational
Performed additional manual testing of business logic

Services:

automated gray-box pentest, audit of secure coding practices, additional manual review of business logic

May 23, 2025

Back to all cases

Datami articles

The Equifax Data Breach: A Preventable Catastrophe

Datami Newsroom

The Equifax Data Breach: A Preventable Catastrophe

This incident occurred back in 2017, but cybersecurity experts are still studying it in detail. This case features a series of classic security failures – serving as a clear example of what not to do.

Jun 30, 2025 3 min

Unconventional Records: Pentesters Hacked a Tesla in Just 2 Minutes

Datami Newsroom

Unconventional Records: Pentesters Hacked a Tesla in Just 2 Minutes

Today, all it takes to take over a car is a computer. That’s exactly what hackers demonstrated at a special competition - they hacked a Tesla in just 120 seconds, and the result became a true sensation.

Jun 27, 2025 3 min

Top 5 Reasons to Invest in Penetration Testing in 2025

Datami Newsroom

Top 5 Reasons to Invest in Penetration Testing in 2025

Today, nearly every business is closely connected to the internet: websites, mobile apps, cloud data storage, electronic payments, and more. This brings great convenience, but at the same time, it introduces additional risks and potential financial losses

Jun 25, 2025 3 min

Show all articles

On this page you will learn what cookies are and how and when we use them. Definition of the term Cookies Cookies are pieces of data that a web server generates and that a website stores on your user device (computer, smartphone, tablet, etc.). Each website or third-party service sends cookies to the browser installed on your device only if your browser allows it. This is possible if you have not set any restrictions in your browser settings to save cookies. Browsers are a very well thought out technology. They protect personal data and allow websites to access only cookies that were previously sent to them. Cookies are divided into: session cookies. They are stored in the memory of the browser only during your session, after leaving the site immediately removed. permanent. They are stored in the memory of the browser for a long time. Definition of the term “browser” A browser is an application for browsing websites. The most popular browsers are Chrome, Internet Explorer, Firefox and Safari. All listed browsers are safe. In the settings of these browsers, cookies can be easily disabled, as well as change the settings of their work. You can: accept all cookies; ask the browser to notify when cookies are used; do not accept cookies. Cookies on ak1-3.com.ua and how we use them We use cookies to: our site is more functional; to understand how you navigate on the site, what content you consume better, to develop the content strategy of the site; understand how many visits to the site were per day, month, year. Analyze the geographical identity of users of the site, the number of repeated visits and other data. Cookies that we use on our site. Third-party cookies. The buttons of social networks, videos and some other services of our site are the property of other companies. These companies may also use cookies on your device if you have used them on our site or have been previously registered with them. The privacy policy of the use of personal data by these services can be found on the websites of these services. Blocking cookies All browsers allow simple actions to disable cookies. To disable them, you must go to your browser settings and find cookies in them. But we must remember that blocking cookies can have a negative impact on the performance of many websites. How to delete files You can also always delete cookies that are stored on your computer. To do this, follow the instructions of your browser Again, deleting cookies can have a negative effect on the performance of many websites.