My First Cybersecurity Writeup – VAPT Experience

Suraj Pun Magar — Fri, 29 May 2026 06:45:09 +0000

Overview

This is my first real-world cybersecurity VAPT experience inside an enterprise insurance company environment.

I worked across network infrastructure, web applications, internal devices, and physical security — and learned how professional security assessments are actually performed beyond labs and CTFs.

Introduction

I am a cybersecurity enthusiast focused on SOC operations, web application penetration testing, and vulnerability assessment.

In this engagement, I worked on assessing the security posture of an insurance company across its network infrastructure, devices, web applications, and physical security controls.

This was my first real-world experience working in an enterprise environment, and initially I was not fully confident about the workflow. However, with the guidance and support of my senior, I was able to understand the process step by step and actively contribute to the assessment.

Objective

Identify security vulnerabilities across network, web, and internal systems
Assess exposure of critical assets
Analyze potential attack paths in the environment
Evaluate basic physical security controls

Scope of Work

Network infrastructure assessment
Web application security testing
Device-level security review
Basic physical security evaluation

Tools Used

Nessus (vulnerability scanning)
Burp Suite (web application testing & request interception)
Nmap (network discovery & port scanning)
GVM / OpenVAS (vulnerability assessment)
OWASP ZAP (automated web scanning)
Wireshark (packet analysis & traffic inspection)

Approach / Methodology

Performed network discovery using Nmap to identify active hosts and open ports
Conducted vulnerability scanning using Nessus and GVM to detect known security issues
Analyzed web application behavior using Burp Suite and OWASP ZAP
Intercepted and inspected HTTP/HTTPS traffic to understand request/response flow
Used Wireshark to analyze packet-level communication and detect anomalies
Evaluated system exposure across internal devices and services
Observed physical security controls and basic access handling practices

Key Learning

Network services may expose unnecessary open ports if not properly secured
Web applications can contain weak input validation and insecure endpoints
Automated tools help in detection, but manual analysis is critical for accuracy
Understanding request/response flow is essential for web and API testing
Packet-level analysis provides deep visibility into system communication
Security must be implemented across all layers: network, application, and physical

Challenges Faced

This was my first enterprise-level VAPT experience, so initially I was not fully clear about the workflow
I had difficulty understanding how to connect different stages of testing together
Interpreting large scan outputs from Nessus and GVM required guidance
Differentiating false positives from real vulnerabilities was challenging
Mapping network structure from scan results took time

With continuous support from my senior, I was able to understand the process and improve my practical skills during the engagement.

Conclusion

This VAPT exercise on an insurance company environment was my first real-world enterprise security experience.

It helped me understand how structured vulnerability assessments are performed in professional environments.

More importantly, it improved my practical skills in network scanning, web application testing, and traffic analysis, while also teaching me how to work under guidance in real security operations.

Cybersecurity is not only about tools — it is about understanding systems, risks, and attacker mindset.

DEV Community: Suraj Pun Magar