26 KiB
Sample Engagement: Mid-Market Hybrid Organisation
This document is a calibration reference for consultants. It walks through a realistic engagement for a specific client profile from first contact through Day 180. Use it to calibrate your own scope estimates, find comparable findings for risk register entries, and understand what a complete engagement looks like for this type of organisation.
Client Profile: Nexus Operations s.r.o.
Fictional client. All details are representative of a real mid-market profile.
| Attribute | Detail |
|---|---|
| Size | 500 employees, 10 IT/admin staff |
| Sector | Professional services (management consulting + outsourced IT services) — NIS2 important entity under digital infrastructure provisions |
| Identity | Active Directory (on-premises, single forest, two domains — legacy acquisition) + Entra ID (hybrid join, Azure AD Connect sync) |
| M365 licensing | E3 — includes Entra ID P1 (Conditional Access), Defender for Endpoint Plan 1, Intune, Exchange Online, SharePoint, Teams. No E5 features: no PIM, no Defender for Identity, no Sentinel, no Purview advanced. |
| Endpoint management | Intune deployed 18 months ago; ~70% Windows enrollment, ~30% macOS enrollment; no iOS/Android policy; Intune used primarily for app deployment, not compliance enforcement |
| Third-party tools | Jira (cloud), GitHub (cloud, mix of org/personal accounts), Confluence (cloud), a legacy on-prem ERP (SAP), an on-prem file server (Windows Server 2016), a CRM (Salesforce), and approximately 12 other SaaS tools identified in procurement; shadow IT suspected |
| Infrastructure | Three offices (Prague HQ, Brno, Warsaw); hybrid work standard; ~80 external contractors at any given time; site-to-site VPN between offices; split DNS; no SD-WAN |
| Current security | No dedicated security tool beyond Defender AV. Microsoft Secure Score: 42%. No SIEM. No SOC. Previous pentest 2 years ago (report available). Previous ISO 27001 attempt abandoned 18 months ago. |
| NIS2 status | In-scope as important entity; national transposition deadline passed; supervisory authority has sent initial questionnaire; response due in 90 days |
| Trigger | NIS2 questionnaire received; CTO has seen the Brownhat Diagnostic approach referenced by a peer; CISO role vacant (they are looking) |
Engagement Context
Why They Called
The NIS2 questionnaire is the proximate trigger but not the underlying problem. The CTO's real concern, surfaced in the discovery call: "We have been growing fast, the acquisition two years ago added a lot of mess, and I genuinely do not know what we would do if we had a serious incident. We have contractors everywhere and I am not sure all of them are properly offboarded when their engagement ends."
This is a common and honest framing. The NIS2 deadline creates a compliance urgency, but the actual risk is operational — undocumented access, accumulated technical debt from the acquisition, and no detection capability.
What the Discovery Call Revealed
The trigger question ("What happened recently that made you call us?") produced: the NIS2 questionnaire, plus a near-miss three months ago — a contractor who had left six months previously used their still-active account to access a SharePoint site. Nobody noticed until the contractor themselves mentioned it to their former manager. No data exfiltration confirmed but not verified.
The accountability question: Named IT lead is the senior sysadmin, Ondřej Blaha. CTO is the executive sponsor. CISO role vacant — the IT lead is acting as de facto security lead without the title or dedicated time.
The tools question: E3 confirmed. Intune confirmed but underutilised. No SIEM. Previous pentest report available (2 years old). Defender AV on all Windows endpoints; coverage on macOS "mostly."
The success question: "Pass the NIS2 questionnaire. Know that if something happens, we can respond. And if I hire a CISO in six months, I want there to be something to hand over."
This is an excellent brief. Concrete, honest, achievable.
What Disqualifies This Client?
Nothing. All green lights:
- Named executive sponsor with budget authority (CTO)
- Named IT lead with operational access (Ondřej)
- Real trigger with a deadline (NIS2 response in 90 days)
- Honest assessment of current state
- Realistic success criteria
One flag to manage: The NIS2 questionnaire response is due in 90 days. This creates urgency that may pressure the client to skip the Brownhat Diagnostic and go straight to "give us a report for the regulator." Resist this. The diagnostic is the report — it produces evidence directly usable in the NIS2 response. Skipping it produces a worse outcome for both the client and the regulator.
Brownhat Diagnostic Findings
What a competent two-day diagnostic would find in this environment. Presented as the consultant would present it to the CTO.
Kill Chain Assessment
The shortest path from "nothing bad has happened yet" to "Nexus Operations cannot operate" runs through identity.
Compromised contractor credential (still active after offboarding)
→ Access to M365 (no MFA enforced, or legacy auth bypasses MFA)
→ Access to SharePoint / Teams (all data)
→ Access to Exchange (all email, calendar, contacts)
→ Password spray against Entra ID → escalate to admin account
→ Domain Admin via Entra ID Connect sync account
→ Full AD compromise → all on-prem systems
→ ERP (SAP) → financial data, operational disruption
This is not theoretical. The six-month-old contractor account near-miss is one credential spray away from the beginning of this chain.
Secondary kill chain (on-prem):
Internet-facing VPN endpoint (legacy firmware, no MFA)
→ Internal network access
→ Lateral movement via NTLM relay (expected: NTLM not disabled)
→ File server → ERP → AD
Findings by Priority
P0 — Kill Chain Nodes
| ID | Finding | Evidence |
|---|---|---|
| P0-001 | No MFA enforced for remote access or M365 | Entra ID sign-in logs show 34% of sign-ins in past 30 days without MFA; Conditional Access policies exist but are in Report-Only mode, never activated |
| P0-002 | Active contractor accounts: 23 confirmed stale | Elysium identifies 23 accounts with last login > 90 days owned by contractors whose engagements are confirmed ended in HR system; 6 have been inactive for > 6 months |
| P0-003 | KRBTGT password never rotated | Last rotation: 847 days (default since domain creation). Any Golden Ticket attack persists across credential resets until KRBTGT is rotated. |
| P0-004 | Azure AD Connect sync account has excessive privilege | The sync service account has DCSync rights on the on-premises domain. Compromise of Entra ID admin → on-prem domain compromise via this account. |
| P0-005 | VPN endpoint: no MFA, outdated firmware | Cisco ASA, firmware 18 months out of date; no MFA for VPN authentication; used by all contractors and remote employees |
| P0-006 | No tested backup restore | Backups run nightly (confirmed); no restore has ever been tested; ERP backup destination is on the same network segment as the ERP server |
P1 — Material Risk
| ID | Finding | Evidence |
|---|---|---|
| P1-001 | Legacy authentication not blocked | Sign-in logs: 847 legacy auth attempts in past 30 days from 34 unique accounts; these bypass MFA regardless of CA policy |
| P1-002 | Domain Admins using workstations for email and browsing | BloodHound: 4 of 5 Domain Admin accounts have interactive logon events from standard workstations; no PAW architecture |
| P1-003 | Service accounts: 31 with non-expiring passwords, 12 with unknown owners | AD audit; 7 service accounts have Domain Admin-equivalent rights with no documented purpose |
| P1-004 | Intune compliance not enforced in Conditional Access | Compliant device requirement is in CA policy but excluded for all users via the "AllUsers_ExceptionGroup" group containing 489 of 500 users |
| P1-005 | Third-party SaaS access not reviewed | 12 known SaaS tools; Entra ID app registrations show 47 enterprise applications with consent grants; 11 have "Mail.ReadWrite" or equivalent scopes from unidentified sources |
| P1-006 | No MFA on GitHub | GitHub org admin accounts without MFA enforced at org level; mix of personal and managed accounts; no SSO integration with Entra |
| P1-007 | SAP ERP on-prem: default admin credentials not changed on secondary instance | Confirmed during document review of previous pentest report |
| P1-008 | No logging beyond M365 default 90-day retention | No SIEM; no secondary log retention; M365 audit log at 90-day E3 default; ERP and file server logs local only, 30-day retention |
P2 — Housekeeping Queue
| ID | Finding |
|---|---|
| P2-001 | NTLM not disabled; NTLMv1 still permitted in GPO |
| P2-002 | Basic authentication still enabled for Exchange (in addition to legacy auth block needed above) |
| P2-003 | 89 stale AD accounts (not contractors — former employees; some date to 2019) |
| P2-004 | DNS records for 14 decommissioned services still exist |
| P2-005 | Firewall ruleset last reviewed 3 years ago; 23 rules with "any/any" destination |
| P2-006 | macOS endpoints: Defender coverage patchy; 31 devices not enrolled in Intune |
| P2-007 | No documented vendor access procedure; contractors provisioned ad hoc |
| P2-008 | Windows Server 2016 file server: extended support ends October 2026 |
| P2-009 | Jira/Confluence: 67 former employee accounts still active |
| P2-010 | SharePoint external sharing enabled globally with no policy; 14 sites have external links active |
Quick Wins (Closeable Before Day 30)
- Activate CA policies — already in Report-Only; switch to Enabled. MFA enforcement for all sign-ins with zero new tooling. (2 hours)
- Disable 23 confirmed stale contractor accounts — HR-confirmed departures; disable immediately. (1 hour, needs HR sign-off already obtained)
- Remove AllUsers_ExceptionGroup from CA compliance policy — 489 users are excepted from device compliance for no documented reason. Remove the exception. (30 minutes)
- Block legacy authentication — CA policy for legacy auth block already exists in the tenant (Microsoft provides a template); activate it. Test first with sign-in log review. (4 hours including testing)
- Enforce MFA on GitHub org — Organisation setting, 2 minutes to enable; will force any admin without MFA to enrol at next login. (5 minutes)
Module Recommendation and Rationale
Recommended Sequence
Brownhat Diagnostic + Quick Wins (Weeks 1-4)
↓
Module 2: M365 Identity Security (Weeks 4-10) ← Primary kill chain
↓
Module 6: On-Premise AD Hardening (Weeks 8-14) ← Runs in parallel from week 8
↓
Module 1: Endpoint Management (Weeks 14-18) ← Hardens existing Intune
↓
Module 7: Recovery & Resilience (Weeks 16-20) ← Runs in parallel from week 16
Rationale
Why Module 2 first: The kill chain runs through identity. P0-001 (no MFA enforced), P0-002 (stale contractor accounts), and P1-001 (legacy auth) are all Module 2 work. These are also the fastest path to demonstrable NIS2 evidence — Article 21 explicitly requires MFA and access control measures.
Why Module 6 second, partially parallel: P0-003 (KRBTGT rotation), P0-004 (AD Connect privilege), and P1-002 (Domain Admins on standard workstations) require AD access and change windows. This work can start in week 8 as Module 2 is closing — the identity team has already been engaged, the change management process is established.
Why Module 1 third, not first: Intune is already deployed and roughly functional. It is not the kill chain. Hardening Intune (compliance policies, CA integration, full macOS enrollment) is important but secondary to closing the identity gaps. It belongs in Week 14 when identity work is complete.
Why Module 7 matters here: The ERP backup (P0-006) is a kill chain node. Recovery and Resilience validates backup integrity and produces the restore test evidence that NIS2 business continuity requirements directly demand. Starting Module 7 in parallel with Module 1 from Week 16 gets this done within 180 days.
Not recommended in this engagement:
- Module 5 (AI Sovereignty Bridge): not in the kill chain; deferred to Phase 4
- Module 10 (Red Team): requires a hardened foundation; schedule at 12 months post-engagement
- Module 12 (Blue/Purple Team): requires detection infrastructure not yet deployed; follow-on engagement
- Module 8 (OT): not applicable — no OT environment
Day 30 / Day 90 / Day 180: This Specific Client
Day 30 Deliverables
| # | Deliverable | Nexus-specific detail |
|---|---|---|
| 1 | Brownhat Diagnostic report | Kill chain documented (identity → AD → ERP); 5 quick wins; module roadmap |
| 2 | ASTRAL deployed | Intune + Entra ID baseline committed; Azure DevOps project ASTRAL-Nexus created; drift detection live |
| 3 | PULSAR deployed | M365 audit events ingesting; Ondřej confirmed as reviewer; Teams tab pinned in IT channel |
| 4 | T0 accounts hardened | 3 Global Admins: MFA enforced, dedicated admin accounts separated from daily-use accounts |
| 5 | Attack surface report | VPN endpoint flagged (P0-005); external-facing services enumerated |
| 6 | Quick wins closed | CA policies activated; 23 contractor accounts disabled; legacy auth blocked; GitHub MFA enforced; Intune compliance exception removed |
| 7 | Findings backlog opened | All diagnostic findings entered in ADO Work Items; Ondřej named as owner for P0/P1; CTO briefed on P0 count (6) and quick wins status |
NIS2 value at Day 30: The Brownhat Diagnostic report and the quick wins closure log constitute direct evidence for NIS2 Article 21 (access control, MFA, asset management). PULSAR starts accumulating the audit log retention the questionnaire will ask about.
Day 90 Deliverables
| # | Deliverable | Nexus-specific detail |
|---|---|---|
| 8 | MFA for all users enforced | CA policy covering all 500 users; verified via sign-in logs; helpdesk prepared for exceptions (expected: ~15 users requiring assisted enrolment) |
| 9 | Legacy auth blocked | Verified: zero legacy auth sign-ins in past 7 days in PULSAR |
| 10 | CA baseline deployed | Device compliance required; location-based policies for Warsaw office (different risk profile); sign-in risk policy active |
| 11 | P0 vulnerabilities closed | P0-002 (contractors) ✓ Day 30; P0-003 (KRBTGT) rotated with two-rotation process; P0-004 (AD Connect account) de-privileged; P0-005 (VPN MFA) enforced |
| 12 | AD attack path reduction | BloodHound before/after: paths to Domain Admin reduced from 847 to <50; service accounts with Domain Admin rights reduced from 7 to 0 |
| 13 | Vendor access hardened | Contractor provisioning procedure documented; offboarding checklist created and linked to HR process; Ondřej named as monthly reviewer |
| 14 | T0 backup integrity | ERP backup tested and restored to isolated environment; restore time documented (target: <4 hours); backup destination moved off same network segment |
| 15 | ASTRAL: first restore drill | Intentional test change made and restored via pipeline; process documented |
| 16 | PULSAR: top 5 alert rules | CA policy modification; new Global Admin assignment; bulk mailbox export; new high-privilege app consent; VPN authentication failure spike |
NIS2 value at Day 90: MFA enforcement (Article 21c), access control and account management (Article 21i), audit log retention accumulating since Day 30 (Article 21j), backup integrity evidence (Article 21c business continuity). Sufficient to respond to the NIS2 questionnaire with evidence, not assertions.
Day 180 Deliverables
| # | Deliverable | Nexus-specific detail |
|---|---|---|
| 17 | Alert runbooks | 5 PULSAR alert runbooks signed off by Ondřej; escalation path to CTO documented |
| 18 | Custom detection rules | Contractor account creation outside HR-approved window; SAP admin login outside business hours; bulk SharePoint download |
| 19 | Client independence | Ondřej completes live walkthrough: reviews ASTRAL PR, investigates a PULSAR event, resets a compromised Elysium-flagged account |
| 20 | Housekeeping: 3 cycles | Cycles 1–3 completed; 67 Jira/Confluence accounts resolved; 89 stale AD accounts processed (disabled with justification per account); DNS cleanup in progress |
| 21 | Module completion packages | Module 2, Module 6, Module 1 completion packages delivered to nexus-security ADO repository |
| 22 | Risk register closure | Before/after comparison: P0 count 6 → 0; P1 count 8 → 2 (P1-007 SAP default credentials and P1-005 app consent review in housekeeping queue) |
| 23 | Retained capability scope | Agreed quarterly scope: monthly ASTRAL drift review, quarterly BloodHound + Elysium run, PULSAR health check, housekeeping queue advancement |
Findings Backlog — Initial Population
Pre-populated from the Brownhat Diagnostic. Consultants: adapt IDs and details to your actual findings.
ADO Work Items project: ASTRAL-Nexus (same project as ASTRAL deployment)
Owner: Ondřej Blaha
Cadence: Monthly housekeeping review, first Thursday of each month
P0 — Kill Chain (all closed by Day 90)
| ID | Finding | Source | Owner | Status | Target |
|---|---|---|---|---|---|
| B-001 | No MFA enforced: 34% of sign-ins without MFA | Brownhat | Ondřej | Closed Day 30 | Day 30 |
| B-002 | 23 stale contractor accounts with valid credentials | Elysium | Ondřej | Closed Day 30 | Day 30 |
| B-003 | KRBTGT password 847 days old | BloodHound | Ondřej | Closed Day 75 | Day 60 |
| B-004 | AD Connect sync account has DCSync rights | BloodHound | Ondřej | Closed Day 70 | Day 60 |
| B-005 | VPN: no MFA, firmware 18 months outdated | Brownhat | Ondřej | Closed Day 80 | Day 90 |
| B-006 | No tested ERP backup restore | Brownhat | Ondřej | Closed Day 85 | Day 90 |
P1 — Material Risk
| ID | Finding | Source | Owner | Status | Target |
|---|---|---|---|---|---|
| B-010 | Legacy auth not blocked: 847 sign-ins in 30 days | PULSAR | Ondřej | Closed Day 30 | Day 30 |
| B-011 | Domain Admins using standard workstations | BloodHound | Ondřej | Closed Day 65 | Day 60 |
| B-012 | 7 service accounts with Domain Admin rights, no documented purpose | AD audit | Ondřej | Closed Day 72 | Day 60 |
| B-013 | Intune compliance exception covers 489/500 users | ASTRAL | Ondřej | Closed Day 30 | Day 30 |
| B-014 | 47 Entra app registrations with Mail.ReadWrite or higher scope | Entra audit | Ondřej | In Progress | Day 120 |
| B-015 | GitHub org: no MFA enforcement, personal/managed account mix | Brownhat | Ondřej | Closed Day 30 | Day 30 |
| B-016 | SAP secondary instance: default admin credentials not changed | Pentest report | IT Lead (SAP) | Open | Day 90 |
| B-017 | No audit log retention beyond 90 days | Brownhat | Ondřej | Closed Day 1 (PULSAR) | Day 30 |
P2 — Housekeeping Queue
| ID | Finding | Source | Owner | Status | Target |
|---|---|---|---|---|---|
| B-100 | NTLM not disabled; NTLMv1 permitted | AD audit | Ondřej | Open | Q3 |
| B-101 | 89 stale AD accounts from former employees | Elysium | Ondřej | In Progress (Cycle 2) | Q3 |
| B-102 | 14 DNS records for decommissioned services | AD audit | Ondřej | Open | Q3 |
| B-103 | 23 firewall rules with any/any destination | Firewall review | Network | Open | Q4 |
| B-104 | 31 macOS devices not enrolled in Intune | ASTRAL/Intune | Ondřej | In Progress (Module 1) | Day 180 |
| B-105 | No documented vendor access procedure | Brownhat | Ondřej | Closed Day 85 | Day 90 |
| B-106 | Windows Server 2016 file server: EOL Oct 2026 | Brownhat | CTO | Open | Oct 2026 |
| B-107 | 67 former employee accounts in Jira/Confluence | Brownhat | Ondřej | In Progress (Cycle 1) | Q3 |
| B-108 | SharePoint external sharing: 14 sites with active external links | ASTRAL | Ondřej | Open | Q3 |
| B-109 | Basic auth still enabled for Exchange | Brownhat | Ondřej | Open | Q2 |
NIS2 Article 21 Compliance Map
Evidence produced by this engagement against the Article 21 measures. Use this table in the NIS2 questionnaire response.
| Article 21 Measure | Requirement | Evidence from this engagement |
|---|---|---|
| 21(2)(a) Policies on risk analysis and information security | Documented policies | Brownhat Diagnostic report; module completion packages; risk register |
| 21(2)(b) Incident handling | Detection and response capability | PULSAR alert rules + runbooks; incident escalation procedure |
| 21(2)(c) Business continuity, backup, DR | Tested backup and recovery | Module 7: ERP backup restore test report; Recovery Time documented |
| 21(2)(d) Supply chain security | Vendor/supplier risk management | Contractor access procedure; vendor access inventory; offboarding checklist |
| 21(2)(e) Security in acquisition, development | Secure development and procurement | (Partial — addressed in Phase 4; not covered in 180-day programme) |
| 21(2)(f) Policies to assess effectiveness | Metrics and review cadence | ASTRAL drift history; PULSAR event summaries; quarterly BloodHound/Elysium; housekeeping cycle reports |
| 21(2)(g) Cyber hygiene and training | Basic hygiene and awareness | MFA enforcement; CA policies; device compliance; housekeeping stream |
| 21(2)(h) Cryptography and encryption | Encryption standards | (Addressed via CA device compliance and baseline — documented) |
| 21(2)(i) HR security, access control, asset management | Identity governance, privileged access | Module 2: MFA, CA, privileged account management; Module 6: AD hardening; stale account process |
| 21(2)(j) Authentication, MFA | MFA for all users | CA policy enforced for all 500 users; verified via sign-in log (Day 90 deliverable #8) |
For the supervisory authority questionnaire: The strongest evidence package is: (1) the Brownhat Diagnostic report showing risk analysis was conducted, (2) the ASTRAL baseline showing configuration management is operational, (3) the PULSAR deployment showing logging and monitoring is in place, and (4) the Day 90 MFA enforcement verification via sign-in logs. These four items directly answer the most common questions in NIS2 supervisory questionnaires.
Investment Estimate
Effort ranges using the module investment levels from Modular Engagements. Day rates applied per engagement proposal.
| Phase | Activity | Estimated Effort |
|---|---|---|
| Brownhat Diagnostic | 2-day workshop + report | 16–20 consultant hours |
| Quick wins implementation | CA policies, account disables, GitHub MFA | 8–12 hours (same week as diagnostic) |
| Module 2: M365 Identity Security | MFA rollout (500 users, 10 admins, contractors), CA baseline, legacy auth block, app consent review, ASTRAL/PULSAR deployment | Low to medium (20–30 consultant days) |
| Module 6: On-Premise AD Hardening | KRBTGT rotation, service account cleanup, PAW for admins, BloodHound remediation, AD Connect de-privilege | Low to medium (15–25 consultant days) |
| Module 1: Endpoint Management | Intune compliance baseline, macOS enrollment, CA integration, ASTRAL hardening | Low (8–15 consultant days) |
| Module 7: Recovery & Resilience | Backup integrity testing, ERP restore drill, DR runbooks | Low (8–12 consultant days) |
| Total 180-day programme | ~55–80 consultant days |
Infrastructure costs (one-time, at cost):
- PULSAR hosting: €10–20/month (VPS or Azure Container Apps) — or on the client's existing infrastructure
- ASTRAL: no additional cost (Azure DevOps pipelines within E3/Microsoft Partner allocation)
Retained capability (post-180 days, quarterly):
- Monthly ASTRAL drift review and PULSAR health check
- Quarterly BloodHound + Elysium run + housekeeping cycle
- Estimated: 3–5 consultant days per quarter
Consultant Notes
The CISO handover opportunity: The CTO mentioned they want something to hand over when they hire a CISO. Structure the Day 180 deliverables explicitly as a CISO onboarding package: the backlog, the ASTRAL history, the PULSAR event summary, the module completion packages, and the retained scope. A new CISO who inherits a cleaned AD, enforced MFA, running detection, and a maintained backlog is in a position to build — not to firefight.
Managing the NIS2 timeline pressure: The questionnaire is due in 90 days. The Day 90 deliverables are specifically designed to produce the four evidence items (diagnostic, ASTRAL, PULSAR, MFA enforcement) needed to answer the questionnaire. Do not let the regulatory deadline distort the sequence — the diagnostic first, then module work. A questionnaire answered with ASTRAL drift logs and CA sign-in evidence is stronger than one answered with a Word document and good intentions.
The two-domain AD: The acquisition-created second domain adds complexity to Module 6. Scope it explicitly in the kickoff: which domain gets the KRBTGT rotation first? Are there forest-level trusts? BloodHound collection needs to cover both. Add 5–7 days to the Module 6 estimate if the trust relationship is poorly documented.
SAP credentials (P1-016): This finding is outside the standard M365/AD scope. It requires SAP admin access and coordination with the ERP team (who may not report to Ondřej). Flag it as an explicit dependency at kickoff — it will slip past Day 90 without an owner from the ERP side.
Contractors: 80 contractors at any given time means the offboarding process is a permanent operational concern, not a one-time fix. The contractor provisioning and offboarding procedure (B-105) must name an owner in HR, not just IT. If HR does not send a termination notification, IT cannot offboard. This is a process dependency that the engagement alone cannot fix — it requires a management conversation.
This sample engagement is based on composite real-world findings from mid-market AD+M365 environments. All company names and individual details are fictional.
Related: Brownhat Diagnostic · Module Menu · Findings Backlog · NIS2 Mapping · Risk Register Example