Critical Asset Security Assessment (CASA)

Internal vulnerability assessment, manual validation, and penetration testing of mission-critical assets, including applications, servers, routers, and switches, to validate layered security and defense in depth. Testing is performed inside the network perimeter, behind firewalls, for unfiltered results. The CASA tests susceptibility to attack propagation should perimeter defenses be breached. Scope includes internal-only systems as well as Internet-facing (DMZ) critical assets, which in this case are analyzed from within the network.


  • Scanning to create a baseline of vulnerabilities and security risks
  • Best-of-breed open source and commercial vulnerability harvesting tools
    • A cross section is used to limit exposure to the limitations of any single tool and to reap the benefits of the strengths each tool provides
  • Manual validation to eliminate false positives and confirm findings
  • Manual testing to find additional vulnerabilities not found by scanning tools
  • Penetration testing through custom-designed and pre-existing exploits to test real severity
    • Illumant’s pen testing and manual testing techniques are continually updated through research and participation in hacker forums and conferences (e.g. BlackHat, DEFCON, SANS)
  • Classification of severity of findings
  • Remediation recommendations
  • Benchmark analysis of results vs industry


Networks, systems, applications, services, ports, and protocols from within firewall boundaries – unfiltered analysis:

  • Web applications (non-credentialed testing)
    • For credentialed testing see Web Application Security Assessment (WASA)
  • Web/intranet sites
  • Servers
  • Firewalls
  • Internal routers
  • 100,000+ known vulnerabilities, unique vulnerabilities from custom designs, configurations and software

internal vulnerability assessment, manual validation, penetration testing, practical remediation advice, exploits

internal systems/networks, internal perspective, applications, servers, routers, firewalls

PCI, HIPAA, GLB, best-practices