From Theory to Practice: How We Proved Our Expertise on a Real Project

The XRAY CyberSecurity team is proud to announce the successful completion of our first penetration testing project under the Business Cyber Diagnostics Programme.

Cyber Diagnostics Programme: An Initiative for Ukrainian Business

The Business Cyber Diagnostics Programme, implemented with the support of the Ministry of Digital Transformation and backed by the USAID project “Cybersecurity of Critical Infrastructure of Ukraine”, aims to help 500 Ukrainian companies receive free digital infrastructure diagnostic services.

“Modern warfare is taking place not only on the battlefield, but also in cyberspace,” emphasised Deputy Prime Minister Mykhailo Fedorov during the programme launch.

This initiative is particularly relevant in conditions where Ukrainian enterprises face unprecedented cyber threats as a result of the full-scale war.

First Success in the Programme – Ours. Real Results for Real Business

The first project under the Programme, implemented by XRAY CyberSecurity, demonstrated the high effectiveness of our approach.

We performed a penetration test for the publishing house and online book sales service “Nash Format”, simulating potential cyber attacks on the company’s digital infrastructure with the aim of gaining access to confidential data and IT infrastructure.

We worked through risks from both the user side (online shop customers) and the back-office side (employees and administrators).

“Our company is a seller of book products in Ukraine. And the law of digital business is this – the faster a company develops, the more likely it is to face hacker attacks”, says Oleh Khavruk, CIO of the “Nash Format” online bookshop.

“The owner of ‘Nash Format’ does everything to ensure that customer data of the online bookshop is stored securely and malicious actors cannot harm them. We decided to prepare for overcoming possible attacks, even if they never happen”.

Work Results: What the Client Received

Detailed Technical Report

The client received a detailed technical report with a complete description of the tested infrastructure and a catalogue of identified vulnerabilities, classified by criticality level. The document included a detailed description of each vulnerability with an explanation of potential business impact and step-by-step exploitation scenarios with corresponding technical documentation.

Practical Recommendations with Prioritisation

Special attention was paid to practical recommendations with clear prioritisation of measures – from urgent actions to eliminate critical vulnerabilities to long-term strategic recommendations for cybersecurity system development.

Educational Component and Executive Report

The educational component included explanations of attack methods used and recommendations for increasing staff awareness of cyber threats. Additionally, the client received an “Executive Report” describing findings, current protection status, and recommendations in business language for the company’s top management.

Client Feedback: Fast, Quality, Professional

“The work was conducted quickly and with quality – both the programme organisers and the cyber diagnostics specialists from XRAY CyberSecurity worked effectively”, notes Oleh Khavruk.

“As a result of the collaboration, we received useful professional observations – XRAY CyberSecurity professionally highlighted vulnerable areas, which enables us to improve the quality of our services”.

Long-term Results After Collaboration with XRAY CyberSecurity:

“Despite the fact that collaboration with XRAY CyberSecurity has concluded, we have begun strengthening cybersecurity within the framework of administrative and technical solutions. The company’s IT department recently deepened its expertise and will handle primary protection and implementation of a range of security procedures”, continues the CIO.

“Moreover, together with the website developer, we are already eliminating potential threats identified during the pentest, and we plan to conduct penetration audits at least once a year”.

Path to Verification: Professionalism Confirmed by Documentation

The verification process for participation in the Programme was extremely thorough and included preparation of a detailed Capability Declaration describing the company’s experience, personnel qualifications, and available certificates. XRAY CyberSecurity not only demonstrated that it holds the necessary international certificates (including OSEP, OSCP+), but also provided evidence of successful penetration testing, backed by feedback from the company’s previous clients, which ultimately confirmed its ability to deliver high-quality services.

Penetration Testing: The Art of Ethical Hacking

Penetration testing is a controlled simulation of a cyber attack that allows identification of vulnerabilities in information systems before real malicious actors can exploit them. This is a complex multi-stage process that requires deep technical knowledge and experience.

XRAY CyberSecurity Testing Methodology

The testing process begins with careful reconnaissance and information gathering about the target system through open sources (OSINT). Our experts analyse the system architecture and identify potential attack vectors, which allows further testing to be planned as effectively as possible.

The next stage includes network scanning to identify active hosts, open ports, and running services. The team uses both automated tools and manual methods to analyse each identified service in detail for vulnerabilities.

The most complex stage is exploitation of identified vulnerabilities, where our ethical hackers attempt to use discovered weaknesses to gain unauthorised access to the system. After obtaining initial access, experts explore possibilities for privilege escalation and lateral movement in the network. All actions are carefully documented for subsequent analysis and preparation of a detailed report describing identified vulnerabilities, attack methods used, and recommendations for problem resolution.

Why Penetration Testing is Critically Important for Ukrainian Business

Realities of Cyber Threats in War Conditions

Russian aggression against Ukraine is not limited to physical attacks – cyberspace has become an additional front of military operations. Ukrainian enterprises face targeted attacks from APT groups working in the interests of hostile intelligence services, hacktivist campaigns to discredit Ukraine, financially motivated attacks, and attacks on critical infrastructure that can paralyse the work of entire industries.

Statistics That Make You Think

According to international research, up to 40% of small and medium business leaders worldwide do not have an approved action plan in case of a cyber attack. In Ukrainian realities, this proportion may be even higher, given the complex security situation, martial law, and limited resources.

Meanwhile, average recovery costs after a successful cyber attack for small businesses range from $25,000 to $250,000, excluding reputational damage and long-term consequences such as customer loss or reduced trust.

XRAY CyberSecurity continues to conduct testing for other companies within this business cyber diagnostics programme. Stay ahead of cyber threats with us!
