Real Findings. Real Impact.

SecurityBox doesn't produce theoretical risk reports. These are real-world findings from production environments — critical threats that previous assessments missed, detected by the platform within hours of deployment.

The Finding That Three Pen Tests Missed.

A mid-western manufacturing company had invested in annual penetration tests and quarterly vulnerability assessments for years. None of them found what SecurityBox-Network detected in under sixty minutes.

Environment Profile

Industry Manufacturing

Region Midwest US

User Accounts 204

Hosts Under Management 244

Active Directory Age 22 years

Deployment Model SecurityBox-Network

Prior Security Assessments

External Pen Test — Firm A MISSED

2023 · Perimeter-focused · Found 2 medium-severity CVEs

Internal Vulnerability Assessment — Firm B MISSED

2024 · Scanner-based · Reported patching gaps only

Internal Pen Test — Firm A MISSED

2025 · Network-focused · No AD attack path analysis

Quarterly Vulnerability Scan — MSP MISSED

Ongoing · Automated Nessus · No identity layer analysis

Combined spend on prior assessments: $85,000+ over 3 years

58 Minutes After Deployment.

The SecurityBox-Network appliance was connected to a SPAN port on the core switch at 9:14 AM. By 10:12 AM, the platform had identified a critical attack path that would give any attacker complete control of the entire domain — all 244 systems, all 204 user accounts, every file, every database, every backup.

Finding Classification

Keys to the Kingdom

MITRE ATT&CK: T1558.003 — Kerberoasting

Attack Path — Any Employee to Total Domain Compromise

Phishing Email

Any employee clicks a link. Attacker gains standard user access.

Skill: Low · Time: Minutes

Request Kerberos Ticket

From compromised workstation, request service ticket for the privileged account. Looks like normal Windows authentication.

No alerts generated

Crack Offline

Take the ticket offline. Crack the password hash using modern GPUs — millions of guesses per second. No lockout triggered.

Invisible to all monitoring

Total Domain Compromise

Attacker returns with valid Domain Admin credentials. Ransomware, data theft, complete operational shutdown.

Impact: TOTAL

Privilege Level

Triple Admin

Domain Admin + Enterprise Admin + Schema Admin

Who Could Exploit

Any User

Any authenticated account on the domain

Blast Radius

244 Systems

Every computer, server, and domain controller

A single service account held the highest privileges in the entire organization and was exposed to Kerberoasting — an attack technique that requires no special tools, generates no alerts, and can be executed by anyone with a compromised workstation. The path from "employee clicks phishing link" to "attacker owns everything" was hours, not weeks.

Why Three Firms Never Found It.

This wasn't a failure of competence. It was a failure of methodology. Traditional assessments are designed to find a different class of problem.

Capability Pen Test Vuln Scan SecurityBox

AD attack path mapping Not in scope Not capable Automatic

Kerberoasting exposure Sometimes No Always detected

Privilege chain analysis No No Continuous

Identity layer risk scoring No No Per-host

Business impact translation Technical only CVE list Executive-ready

Operational disruption Scheduled downtime Network load Zero impact

Time to first finding 2-4 weeks 1-2 days 58 minutes

Pen tests look for exploitable vulnerabilities from the outside in. Vulnerability scanners match CVEs against installed software. Neither analyzes the identity layer for attack path exposure — the exact class of risk that leads to total domain compromise in 74% of real-world breaches.

That Was Just the First Hour.

Within the first week, SecurityBox's continuous assessment revealed the full scope of accumulated risk in a 22-year-old Active Directory environment.

Critical

High

Medium

Low

CRITICAL

Kerberoastable Triple-Privileged Service Account

Domain Admin + Enterprise Admin + Schema Admin exposed to offline password cracking by any authenticated user

HIGH

5 Service Accounts with Domain Admin Privileges

Backup, monitoring, storage, vendor, and deployment accounts — each an independent path to domain compromise

HIGH

Vendor Account with Schema Admin Rights

Managed services provider could make irreversible changes to Active Directory structure — a breach at the MSP = your breach

HIGH

89 Accounts with Non-Expiring Passwords (44%)

Including 8 highly privileged accounts — any credential stolen at any point in the domain's 22-year history may still be valid

Fixed in Under an Hour.

The critical finding — the one that would have given an attacker complete control of the entire organization — was remediated the same morning it was discovered.

9:14 AM

SecurityBox-Network Connected

Appliance connected to SPAN port on core switch. Passive ingestion begins.

9:31 AM

Active Directory Enumeration Complete

Read-only LDAP analysis. 204 users, 244 hosts, 10 Domain Admins, 6 Kerberoastable accounts identified.

10:12 AM

CRITICAL — Attack Path Identified

Agentic AI correlates Kerberoastable SPN with triple-admin privileges. Attack path mapped and scored. Notification sent.

10:28 AM

Executive Briefing Delivered

Business-risk translation provided to IT Director. Attack path, blast radius, and recommended fix explained in plain language.

11:05 AM

Critical Finding Remediated

SPN removed from privileged account. Password changed to 28-character random string. Attack path eliminated.

11:09 AM

SecurityBox Confirms Remediation

Platform re-assesses. Attack path no longer viable. Host risk scores recalculated. Critical finding closed.

58 min

Time to Detection

< 2 hrs

Time to Remediation

$4.47M

Avg Manufacturing Breach Cost Avoided

From Critical to Controlled. In 30 Days.

The critical finding was just the beginning. Over the first month, SecurityBox guided the organization through a structured remediation that transformed their security posture.

Day 1 — Critical Risk Eliminated COMPLETE

Kerberoastable triple-admin account secured. SPN removed. Password rotated. Attack path closed.

Week 1-2 — High Risks Reduced COMPLETE

5 service accounts removed from Domain Admins. Vendor account downgraded. Dedicated admin groups created with least-privilege access.

Week 2-4 — Sustainable Controls Established COMPLETE

Group Managed Service Accounts deployed for top 10 services. Password lifecycle policies implemented. Vendor JIT access configured.

Day 30 — Sustained Low-Risk Posture ACTIVE

0 critical findings. 0 high findings. Continuous monitoring detects configuration drift. Weekly risk trend reports show sustained improvement.

Day 0 — Before SecurityBox

HIGH

1 critical · 4 high · 3 medium · 2 low

Day 30 — With SecurityBox

LOW

0 critical · 0 high · 1 medium · 2 low

This Isn't Unusual.

The manufacturing sector is one of the most targeted industries — and one of the least prepared for identity-layer attacks.

More Results.

Additional findings from SecurityBox deployments across industries.

Detecting Browser-Impersonating Malware

How SecurityBox detected advanced malware mimicking Safari TLS fingerprints using JA4 analysis, NDR-EDR correlation, and AI quorum consensus.

Read the full case study →

What Is Your Environment Hiding?

Every organization thinks they know their risk posture — until SecurityBox shows them what their existing tools missed. No contract required. 30-Day Guarantee — no findings, no charge.

See Pricing