ShultzPrime Solutions
A cybersecurity firm asked us to pentest them. We found what their own team missed.

Client name withheld under NDA.

// problem

A U.S.-based cybersecurity consulting firm came to us with an unusual request: they wanted an external penetration test conducted against their own infrastructure. The firm routinely audited other companies’ systems, but their internal posture had never been tested by an outside party. Their concern was reasonable. Clients were beginning to ask whether the firm itself could survive the same scrutiny it applied to others.

Internally, the team believed their setup was solid. Their web properties were behind standard protections, their internal tooling was access-controlled, and their staff was security-trained. But belief isn’t the same as verification, and a firm in the business of finding vulnerabilities in other organizations can’t afford to have its own glass house exposed.

// how we solved it

We ran a full external penetration test against their public-facing infrastructure: web applications, subdomains, API endpoints, DNS configuration, email authentication, and SSL/TLS posture. The assessment uncovered several vulnerabilities, including misconfigured headers on a staging environment that had been left exposed, an outdated TLS cipher suite on a secondary domain, and a subdomain with directory listing enabled that revealed internal documentation paths.

None were critical-severity on their own, but chained together they represented a meaningful reconnaissance surface for a motivated attacker. For a firm whose reputation depends on airtight security, the optics alone would have been damaging.

The engagement was structured as a collaborative barter: ShultzPrime provided the assessment, and the firm reciprocated with security consulting and advisory support for our own operations. The exchange created a relationship that continues today, with both teams periodically stress-testing each other’s infrastructure and sharing threat intelligence informally.

// outcome

Vulnerabilities identified and remediated. A one-time engagement became a long-term reciprocal partnership where both firms continuously strengthen each other’s posture.
