Network Intelligence

Red Team Assessment That Exposed What Your SOC Missed. A Security Review That No One Detected

Executive Summary

The Security Reality — In Plain Terms
This assessment tested whether a determined adversary could breach LEADING
PHARMACEUTICAL MANUFACTURER’ physical locations, gain access to the internal
network, and exfiltrate sensitive data — without being detected. The answer was yes, on
every count.

“Over five days in June 2025, the Network Intelligence red team  walked through the doors of four LEADING PHARMACEUTICAL  MANUFACTURER facilities — a data centre, a manufacturing
operations hub, and two corporate headquarters — using forged ID cards, social engineering, and physical access control blind spots. Not one alert was raised. Once inside the network, the team obtained full administrator-level access, accessed over 24,000 internal file repositories containing employee PII, and exfiltrated 29MB of sensitive data to an external server. The Security Operations Centre detected one of eight attacks. Everything else went unnoticed.”

— Network Intelligence Assessment Lead, Red Team Engagement Summary, June 2025

 

 

 

 

THREE – DOMAIN RISK OVERVIEW

Physical Security

C R I T I C A L

  • All 4 facilities breached — zero detections
  • Server rooms and operations centres accessed unescorted
  • Forged IDs and social engineering bypassed all controls
  • Visitor verification protocols completely failed
  • Physical network equipment found unlocked and unmonitored

Identity & Endpoint Security

C R I T I C A L

  • Full domain administrator access achieved
  • Endpoint security solutions bypassed
  • Corporate data exfiltrated without restriction
  • 24,894 file repositories exposed
  • Employee PII and encryption keys accessible

Security Operations Centre

I N A D E Q U A T E

  • Only 1 of 8 attacks detected (12.5%)
  • Industry minimum benchmark: 85%
  • No alerts on physical breach activity
  • Data theft and escalation missed
  • 87.5% gap vs industry standard

S E C U R I T Y   F I N D I N G S

8 Findings — Business Risk Summary

All findings are presented in business terms for executive review. Full technical
specifications, evidence, and remediation guidance are available in the accompanying
technical assessment report.

# Domain Business Risk Severity SOC Alert?
01 Endpoint Endpoint security controls bypassed

Antivirus and endpoint detection
solutions were rendered ineffective,
allowing attacker tools to run freely on
corporate devices without triggering
any security alert.

HIGH ✗ None
02 Active Directory Full administrator takeover possible

A misconfigured internal certificate
authority allows any authenticated
user to obtain credentials granting
complete control over all systems,
accounts, and data in the LEADING
PHARMACEUTICAL
MANUFACTURER IT environment.

HIGH ✗ None
03 Network Egress No restrictions on outbound data

Any internal user or attacker can freely
transfer data to external internet
destinations. No firewall controls
restrict outbound traffic, enabling
unrestricted data exfiltration.

 

HIGH ✗ None
04 Data Protection 29MB data exfiltrated undetected

A simulated data theft of 29MB of
internal documents completed
successfully in a single session. No
data loss prevention technology
flagged or blocked the transfer.

HIGH ✗ None
05 Data Exposure 24,894 repositories exposed

331 repositories were writable by any
internal user, containing Aadhaar
numbers, PAN cards, bank
statements, salary slips, and device
encryption recovery keys —
constituting a reportable breach under
PDPB 2023.

HIGH ✗ None
06 SOC Security Operations Centre
missed 7 of 8 attacksThe SOC was fully operational
throughout the engagement. It
detected only one low-sophistication
technique — a routine network scan.
Advanced attacks including data theft,
privilege escalation, and physical
breaches generated zero alerts.
HIGH ⚠ Partial
07 Active Directory Complete organisational IT
structure visible to any
employee
Any authenticated user can
enumerate all employee accounts,
security groups, and department
structures — providing attackers with
a comprehensive map for targeted
social engineering or lateral
movement.
MEDIUM ✗ None
08 Info Disclosure Server versions publicly visible

Web servers and remote access
services broadcast their exact
software version numbers, allowing
external parties to identify and target
known security vulnerabilities without
further investigation.

LOW ✗ None

 

 

DETECTION GAP ANALYSIS

The SOC Could Not See the Attack

LEADING PHARMACEUTICAL MANUFACTURER’ Security Operations Centre was fully
operational and staffed throughout the five-day assessment. Despite this, seven of eight
attack scenarios completed without generating a single meaningful security alert or
response.

12.5%

LEADING PHARMACEUTICAL
MANUFACTURER — Actual
Detection Rate
1 out of 8 attacks detected (network scan only)

85%+

Industry Minimum Benchmark
Best-in-class SOC targets ≥ 95%
detection rate

At the current 12.5% detection rate, a real attacker could maintain persistent, undetected access to LEADING PHARMACEUTICAL  MANUFACTURER’ environment for weeks or months — monitoring executive communications, exfiltrating intellectual property, and preparing a destructive or ransomware attack  — without the SOC raising a single alert.

 

 

 

 

BUSINESS IMPACT

What a Real Attack Could Mean for LEADING

PHARMACEUTICAL MANUFACTURER

The assessment demonstrated realistic, exploitable attack paths. The following scenarios
represent the probable business consequences if the same capabilities were used by a
real threat actor.

 1 

  Manufacture Operation Disruption
  Unescorted physical access to server rooms, manufacturing operations centres, and network equipment areas allows an adversary to tamper with or disable critical systems — disrupting              production lines, planting persistent surveillance hardware, or sabotaging batch management and quality control infrastructure.

 2

Complete IT Environment Takeover
The identified certificate authority misconfiguration allows any network user to escalate to Domain Administrator — granting complete, unrestricted control over all systems, user accounts,  emails, internal applications, and data across the LEADING PHARMACEUTICAL MANUFACTURER IT environment.

 3

 Mass Employee Data Breach
 Aadhaar numbers, PAN cards, bank account details, and salary information for LEADING PHARMACEUTICAL MANUFACTURER employees are accessible to any internal user. This constitutes a   reportable personal data breach under India’s Digital Personal Data Protection Act 2023 (PDPB 2023).

 4

 Device Encryption Bypassed Organisation Wide
 Encryption recovery keys stored in open file repositories allow a threat actor to decrypt any corporate laptop or server. Full-disk encryption — a key data protection control — can be bypassed   across the entire device fleet without physical access to the devices.

 5

 Persistence Silent Surveillance
 A 12.5% SOC detection rate means an attacker could maintain continuous, undetected presence — monitoring executive communications, tracking business strategy, exfiltrating intellectual   property, and preparing a larger disruptive or ransomware attack with zero warning.

 6

 Regulatory & Legal Liability
 Exposed personal data without adequate protection controls creates direct legal exposure under PDPB 2023, the IT Act 2000 (Section 43A), and CDSCO / GXP data integrity requirements.   Failure to remediate following a formal assessment could be treated as aggravating circumstances.

 

 

REGULATORY & COMPLIANCE EXPOSURE

Immediate Legal and Regulatory Risk

The findings of this assessment create exposure across multiple Indian regulatory
frameworks. Remediation is both a security imperative and a compliance obligation.

Digital Personal Data Protection Act
2023

The exposure of employee Aadhaar numbers, PAN cards, bank account data, and salary records in 331 open file
repositories constitutes a breach of data fiduciary obligations. PDPB 2023 requires organisations to implement appropriate technical and organisational measures to protect personal data.

IT Act 2000 — Section 43A

Section 43A requires corporate bodies handling sensitive personal data to implement and maintain reasonable security practices. The absence of data loss prevention controls, unrestricted network egress, and open file access are direct gaps against this standard. Compensation liability applies.

CDSCO & GxP Compliance Obligations

As a pharmaceutical manufacturer, LEADING PHARMACEUTICAL MANUFACTURER is subject to CDSCO
cybersecurity and data integrity requirements, as well as GxP guidelines governing electronic records and computerised systems. Physical access to manufacturing and quality systems without detection represents a direct gap in mandated infrastructure protection requirements.

ISO 27001 / Information Security

Multiple ISO 27001 control domains have identified gaps: physical and environmental security (A.7), network security (A.8), access control, incident management (A.5), and security monitoring (A.8.16). The current posture would not satisfy an ISO 27001 surveillance or certification audit.

 

 

REMEDIATION ROADMAP

Priority Actions for Leadership

Structured for executive decision-making and resource allocation. Full technical
implementation specifications are provided in the accompanying detailed technical report.

 
 

IMMEDIATE PRIORITY

Critical Security Gaps

  • Audit and remediate certificate authority — close full administrator takeover risk
  • Restrict all outbound data transfers — enforce egress firewall policy
  • Remove employee PII from open file repositories —enforce least-privilege access
  • Migrate device encryption keys to secure, managed storage
  • Implement mandatory visitor verification at all facilities — no email- only confirmation
  • Deploy emergency SOC detection rules for data exfiltration and privilege escalation

 

SHORT – TERM

Detection & Controls

  • Deploy Data Loss Prevention (DLP) solution with real- time transfer monitoring
  • Physical security audit at all four assessed locations — close all access control gaps
  • Upgrade SOC detection rules for advanced attack patterns
  • Implement centralised visitor management with mandatory photo ID verification
  • Security awareness training for all staff — social engineering recognition
  • Deploy alerts for abnormal file access and account activity patterns

 

STRATEGIC

Security Maturity

  • Deploy User & Entity Behaviour Analytics (UEBA) for insider threat detection
  • Implement Zero Trust Network Architecture — eliminate implicit internal trust
  • Quarterly physical red team exercises across
  • all facilities Annual purple team exercise to validate SOC detection against real attack scenarios
  • Deploy security orchestration (SOAR) to automate response and reduce attacker dwell time
  • Target: SOC detection rate ≥ 85% within 12 months

 

 

 

 

Top