CASA · Internal
Critical Asset Security Assessment
Test the systems that, if breached, would hurt the most. CASA combines configuration review, access analysis, and authenticated exploitation against the crown-jewel applications and data your business depends on.
Not all assets matter equally
Most security testing programs spread effort uniformly across whatever falls inside scope. CASA inverts that — we identify the assets that, if compromised, would cause material financial, regulatory, or operational damage, and we go deep on those. The result is a much higher signal-to-noise ratio than a generic LAN-wide assessment, and findings that align directly with what executives and boards already worry about.
CASA pairs naturally with LANSA (assume-breach internal testing) and BBPen (goal-based adversary simulation). LANSA tells you whether an attacker can reach a crown jewel; CASA tells you what happens once they do.
Methodology
Crown-jewel inventory
Workshop with business and IT to identify which systems, if breached, would actually hurt the most. The asset list is the deliverable from this phase — and is often valuable on its own.
Threat modeling
STRIDE-style analysis per asset — what can go wrong, who would do it, and how. We surface the attack paths worth testing before we start testing.
Configuration & access review
Hardening review against vendor and CIS benchmarks. Privileged access review — who has it, who shouldn't, and how it's actually used.
Exploitation & lateral movement
Authenticated and unauthenticated testing. Privilege escalation, lateral movement to and from the asset, abuse of inter-application trust.
Data-at-rest exposure
Where the sensitive data actually lives, how it's encrypted (or isn't), and what an attacker with a foothold inside the asset can pull out.
Reporting & remediation
Per-asset findings tied to specific controls and owners. Prioritized remediation, retesting included.
Typical crown-jewel categories
Financial systems
ERP (SAP, Oracle EBS, NetSuite, Workday Financials), general ledger (GL), accounts payable/receivable (AP/AR), treasury, wire transfer.
Customer data
CRM, customer support tooling, data warehouses, marketing automation, BI.
Source code & IP
Source repos, build infrastructure, artifact registries, signing infrastructure.
Healthcare
EHR/EMR (Epic, Cerner, Athena), PACS imaging, scheduling, billing.
Identity
Active Directory tier-0, IdP (Okta, Azure AD/Entra), PAM vault, secrets manager.
OT / industrial
Historians, HMI, SCADA front-ends, engineering workstations adjacent to ICS.
Techniques
- Authenticated configuration review (CIS, vendor baselines)
- Privileged access review and tier-0 mapping
- Application-layer authentication & authorization testing
- Privilege escalation (local + application + cloud IAM)
- Lateral movement testing — to and from the asset
- Inter-app trust abuse (SSO, service accounts, API keys)
- Database-layer review (permissions, sensitive data, encryption)
- Logging & detection coverage assessment
Highlights
- Crown-jewel asset inventory and prioritization
- Configuration & access review against vendor + CIS baselines
- Privilege escalation and lateral-movement testing
- Data-at-rest exposure analysis
- Detection & logging coverage validation
- Per-asset reporting with owner-mapped remediation
- Free retesting within six months
Pairs well with
Coverage you should consider alongside CASA.
LANSA
LAN Security Assessment
Assume breach — then prove what an insider can reach.
ADSA
Active Directory Security Assessment
AD is the keys to the kingdom — make sure they're locked.
WASA
Web Application Security Assessment
OWASP-aligned testing of the apps your business runs on.
MSSA
Microsoft Server Security Assessment
Windows Server hardening, the right way.
BBPen
Advanced Black Box Penetration Testing
Care for a game of capture-the-flag?
PPPA
Policies, Procedures and Practices Assessment
Review the documents — and whether anyone follows them.
Ready to start a conversation?
Talk to a senior consultant — we'll scope an engagement that fits your environment.