DEV Community

Suraj Pun Magar

My First Cybersecurity Writeup – VAPT Experience

Overview

This is my first real-world cybersecurity VAPT experience inside an enterprise insurance company environment.

I worked across network infrastructure, web applications, internal devices, and physical security — and learned how professional security assessments are actually performed beyond labs and CTFs.

Introduction

I am a cybersecurity enthusiast focused on SOC operations, web application penetration testing, and vulnerability assessment.

In this engagement, I worked on assessing the security posture of an insurance company across its network infrastructure, devices, web applications, and physical security controls.

This was my first real-world experience working in an enterprise environment, and initially I was not fully confident about the workflow. However, with the guidance and support of my senior, I was able to understand the process step by step and actively contribute to the assessment.


Objective

  • Identify security vulnerabilities across network, web, and internal systems
  • Assess exposure of critical assets
  • Analyze potential attack paths in the environment
  • Evaluate basic physical security controls

Scope of Work

  • Network infrastructure assessment
  • Web application security testing
  • Device-level security review
  • Basic physical security evaluation

Tools Used

  • Nessus (vulnerability scanning)
  • Burp Suite (web application testing & request interception)
  • Nmap (network discovery & port scanning)
  • GVM / OpenVAS (vulnerability assessment)
  • OWASP ZAP (automated web scanning)
  • Wireshark (packet analysis & traffic inspection)

Approach / Methodology

  • Performed network discovery using Nmap to identify active hosts and open ports
  • Conducted vulnerability scanning using Nessus and GVM to detect known security issues
  • Analyzed web application behavior using Burp Suite and OWASP ZAP
  • Intercepted and inspected HTTP/HTTPS traffic to understand request/response flow
  • Used Wireshark to analyze packet-level communication and detect anomalies
  • Evaluated system exposure across internal devices and services
  • Observed physical security controls and basic access handling practices

Key Learning

  • Hosts often expose services nobody needs; every open port found during discovery should be checked against what the owner expects to be running
  • Web applications can contain weak input validation and endpoints that lack proper authentication or authorization
  • Automated tools help in detection, but manual verification is critical for accuracy: scanner results include false positives and duplicates that must be triaged before reporting
  • Understanding the request/response flow is essential for web and API testing
  • Packet-level analysis provides visibility into system communication that application-layer tools do not show
  • Security must be implemented across all layers: network, application, and physical
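Scanner exports are large, and the same plugin fires once per affected host, so the first manual step is usually to deduplicate and decide what must be reproduced by hand. The script below is an added example, not code from the original writeup: it reads a Nessus v2 export (`.nessus`), drops informational entries, collapses findings by plugin, ranks them by severity and host count, and marks for manual verification any finding whose port was not confirmed open by the earlier discovery scan (a false-positive candidate) or whose severity is High or above. The XML is a constructed sample in the shape of a Nessus v2 export; the plugin IDs, plugin names, hosts and `CONFIRMED_OPEN` are placeholders assumed for illustration.

```python
"""Triage a .nessus (v2) export: dedupe by plugin, rank, flag items for manual verification.

Added example, not code from the original writeup. SAMPLE_NESSUS_XML is a
constructed sample in the shape of a Nessus v2 export; plugin IDs, names and
hosts are placeholders, and CONFIRMED_OPEN is an assumed result of an earlier
Nmap discovery run.
"""
import xml.etree.ElementTree as ET

SAMPLE_NESSUS_XML = """<NessusClientData_v2>
<Report name="internal-vapt">
<ReportHost name="10.10.20.5">
  <ReportItem port="8080" svc_name="www" protocol="tcp" severity="3" pluginID="900001" pluginName="Outdated web proxy version (constructed)">
    <risk_factor>High</risk_factor>
    <plugin_output>Banner reports version 1.2</plugin_output>
  </ReportItem>
  <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2" pluginID="900002" pluginName="SSH weak algorithms (constructed)">
    <risk_factor>Medium</risk_factor>
  </ReportItem>
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="900003" pluginName="OS identification (constructed)">
    <risk_factor>None</risk_factor>
  </ReportItem>
</ReportHost>
<ReportHost name="10.10.20.9">
  <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2" pluginID="900002" pluginName="SSH weak algorithms (constructed)">
    <risk_factor>Medium</risk_factor>
  </ReportItem>
  <ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="3" pluginID="900004" pluginName="RDP weak encryption (constructed)">
    <risk_factor>High</risk_factor>
  </ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""

# Assumed open ports per host from the earlier Nmap discovery run.
CONFIRMED_OPEN = {
    "10.10.20.5": {("tcp", 22), ("tcp", 443), ("tcp", 8080)},
    "10.10.20.9": {("tcp", 445)},  # 22 not seen; 3389 was filtered, not open
}


def parse_nessus(xml_text):
    """Yield one dict per ReportItem, skipping severity-0 (informational) entries."""
    root = ET.fromstring(xml_text)
    for host in root.iter("ReportHost"):
        ip = host.get("name")
        for item in host.findall("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev == 0:
                continue  # informational plugins are noise for triage
            yield {
                "ip": ip,
                "proto": item.get("protocol"),
                "port": int(item.get("port", "0")),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "severity": sev,
            }


def dedupe_by_plugin(items):
    """Collapse per-host findings into {plugin_id: {"name", "severity", "hosts": [...]}}."""
    grouped = {}
    for it in items:
        g = grouped.setdefault(it["plugin_id"],
                               {"name": it["name"], "severity": it["severity"], "hosts": []})
        g["hosts"].append((it["ip"], it["proto"], it["port"]))
    return grouped


def needs_manual_check(item, confirmed=CONFIRMED_OPEN):
    """True when a finding should be reproduced by hand before it goes in the report.

    Triggers: the scanner reports a port that discovery did not see open
    (false-positive candidate or a scan-time difference), or severity is
    High/Critical (3 or 4), which should always be verified manually.
    """
    if item["port"] != 0:  # port 0 = host-level finding, nothing to cross-check
        if (item["proto"], item["port"]) not in confirmed.get(item["ip"], set()):
            return True
    return item["severity"] >= 3


def triage(xml_text, confirmed=CONFIRMED_OPEN):
    """Return (ranked plugin groups, findings needing manual verification)."""
    items = list(parse_nessus(xml_text))
    grouped = dedupe_by_plugin(items)
    manual = [it for it in items if needs_manual_check(it, confirmed)]
    ranked = sorted(grouped.items(),
                    key=lambda kv: (-kv[1]["severity"], -len(kv[1]["hosts"])))
    return ranked, manual


if __name__ == "__main__":
    ranked, manual = triage(SAMPLE_NESSUS_XML)
    for pid, g in ranked:
        print(f"sev {g['severity']} x{len(g['hosts'])} hosts  {pid}  {g['name']}")
    for it in manual:
        print(f"[verify] {it['ip']} {it['proto']}/{it['port']}  {it['name']}")
```

In the sample, the SSH finding on the second host and the RDP finding are flagged because discovery never saw those ports open, so they go on the list to reproduce by hand (or rescan) before they are written up; the web-proxy finding is flagged purely because of its severity. The cross-check is only as good as the discovery data it is fed, so keep the two scans close together in time.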

Challenges Faced

  • This was my first enterprise-level VAPT experience, so initially I was not fully clear about the workflow
  • I had difficulty understanding how to connect different stages of testing together
  • Interpreting large scan outputs from Nessus and GVM required guidance
  • Differentiating false positives from real vulnerabilities was challenging
  • Mapping network structure from scan results took time

With continuous support from my senior, I was able to understand the process and improve my practical skills during the engagement.


Conclusion

This VAPT exercise on an insurance company environment was my first real-world enterprise security experience.

It helped me understand how structured vulnerability assessments are performed in professional environments.

More importantly, it improved my practical skills in network scanning, web application testing, and traffic analysis, while also teaching me how to work under guidance in real security operations.

Cybersecurity is not only about tools — it is about understanding systems, risks, and the attacker's mindset.
