top of page

Government Pentest Case Study...
Start to Finish

We want to be extremely transparent to our clients and potential clients.  We want you to know everything that you need to know so that you can have clear expectations before you engage with Emagined.  Here's an example of exactly what you can expect. Or, if you want to learn more about all of our pentest services click the button below.

Scope.  Plan.  Schedule. Deliver.

Government Building

Case Study:
Client Background Info

  • 1,000 employees

  • Structured and unstructured data

  • Servers, workstations

  • Network devices

  • Mobile systems

  • Firewalls

  • Virtual private networks

  • Other systems prevalent in an enterprise environment.

  • Internal development of web-facing functions with reliance on third-party vendors for some functions.

  • Confidential data that includes PII, HIPAA, criminal justice, and payment card information.


The following case study provides:

  • An overview of the Emagined Engagement workflow

  • The Penetration Testing Scope (Internal & External)

  • An estimated number of hours required to complete all deliverables for this sample client.

  • Sample work and corresponding deliverables

1. Scope

  • Meet

  • Requirements

  • Statement of work (with pricing)

  • Contracts


Our objective at the start of all engagements is to understand the client's requirements so that a statement of work (SOW) can be provided. We find that being able to provide a clear and concise SOW with all pricing aspects early in the engagement allows the client to make informed decisions during their vendor selection process.  We typically deliver an SOW within two days of requirements gathering.


  • Meetings ( 1 day )

  • Requirements gathering ( Same day )

  • SOW delivery ( 2 days ) 

  • SOW Review / Negotiation ( depends on client )

  • Contract Signatures ( 1 day )


  • Internal & External Pentest Scope (see sample of below)

  • Statement of Work (with pricing)

  • Signed Contracts

SAMPLE:  Internal & External Penetration Testing Scope

​After meeting with the potential client and discussing their environment and their needs, the following scope was outlined and used to create a Statement of Work.

  1. Internal Penetration Testing

Internal testing is performed on assets and networks owned by the sample client. Internal systems are used to conduct business internal to the organization.


Internal Application Testing:

  •  Internal Application 

    • Web application

    • Test environment

    • Hosted locally

    • Authenticated and unauthenticated

  • Internal Application 

    • Thick Client

    • Test environment 

    • Hosted locally

    • Authenticated and unauthenticated

    • Contains PII Data

  • Industrial Control System -Regulating water for a community of 20,000 users

    • The SCADA environment consists of a water treatment plant 

    • 3 Human Machine Interfaces (HMI); one at each of public works, the treatment plant and maintenance facility. 

    • There are 15 remote sites with 2 Programmable logic controllers per site connecting back to public works over the internet using site-to-site VPN’s.  

  • Configuration and design review of a Firewall 

    • Configuration review of the rules on one firewall

    • Design review of: 3 subnets, Business network, Guest network

  • Internal Network Penetration Testing: the scope is limited to 500 internal IPs and includes a sample from the following:

    • 1,000 Workstations 

    • 75 Servers Windows and Linux (Virtual and Physical)

    • 10 Servers Windows and Linux (Cloud Hosted)

    • 50 Multifunction Printers

    • VLANs: management(IT), end user(business), VOIP, SCADA

    • 2 AD Domains


2. External Penetration testing

External testing is performed on applications and services owned by the client. External applications are those that are accessible by the public or select clientele by way of the Internet.

  • External Website Testing: clients public website (e.g.

    • Production environment

    • Hosted locally

    • Unauthenticated

  • External Application 1

    • Mobile application (iOS and Android)

    • Production environment

    • Hosted by vendor

    • Authenticated only

  • External Application 2

    • Web Application

    • Test environment

    • Hosted in the cloud

    • Authenticated and unauthenticated

2.  Work Plan

  • Identify Resources

  • Client Success Plan

Beginning the engagement, we assign a Senior Project Manager to oversee all of our penetration testing engagements. For our project with this client, our VP of Projects took on the Senior PM role. He then brought in a lead Penetration Tester to manage the technical execution of the testing.

In our planning meetings, we collaborated with the client's project team to define the scope and boundaries of the engagement. We discussed which applications, networks, systems, and services would be included based on their priorities, risks, and budget. Additionally, application demos were held for testers to understand the function, roles, and any nuances of the applications.

The scoping process was key to aligning the specific assets, vulnerabilities, and security issues that the client wanted to target through testing. We tailored the engagement to focus on their highest value systems and most likely vectors.

Once the scope was finalized, a detailed Workplan that laid out the specifics of the testing was created. This included escalation procedures for any critical vulnerabilities identified, communication protocols, and an outline of the testing for each in-scope system.

With the Workplan as a guide, our team was prepared to partner closely with the client throughout the execution of the penetration test. The upfront planning ensured an efficient, focused, and value-driven engagement.

SAMPLE:  Workplan

Client Success Plan image.png

3.  Project Schedule

  • Resource Allocation

  • Client Success Plan

Once the scope was solidified, our team compiled a comprehensive project schedule outlining the timing, resources, and milestones for the penetration test. We estimated that the project would require approximately 175 hours in total to execute the agreed-upon scope fully.

The project schedule aligned with the Rules of Engagement and incorporated the client-specific deadlines, testing windows, and personnel contacts. We collaborated closely to schedule testing that maximized coverage while minimizing disruption to their business operations.

Our detailed project plan broke out the testing into stages for each application/system.  While some tasks overlapped on the calendar, the project management ensured clear responsibilities and efficient execution.

The project schedule also allotted time and resources to handle any emerging issues, vulnerabilities, or incidents during the active testing. Our team emphasized to the client that additional time may be needed to investigate and validate any critical findings before proceeding. Our goal was to partner closely with them throughout the execution of the project.

Overall, our upfront planning and collaborative scheduling laid the groundwork for an effective penetration testing engagement tailored to their unique needs and environment. The detailed project plan gave all stakeholders visibility into the timing, resources, and contingencies involved.

SAMPLE:  Project Schedule

Project Plan.jpg

4.  Deliverables

  • Clarity Portal

  • Reports

  • Debrief

  • Remediation

We leveraged our extensive experience working with thousands of pentest projects over the years to deliver reporting tailored to their requirements.  Additionally, we provided the client and any relevant stakeholder access to our Clarity client portal to review specific findings, remediation suggestions, and other available analyses.

Emagined has a vetted and comprehensive report template that meets the specific format, structure, and content details needed by our clients. Our Senior Project Manager collaborated with the client to make any necessary updates to the standard deliverable template for this project.

Throughout our engagements, we work closely with clients to ensure our report would include all pertinent information about the pen testing methodology, findings, analyses, and recommendations.

The draft report was first submitted for review to the client project team to confirm alignment with their standards and expectations before being shared with the ultimate stakeholders. This review process allowed for any refinements to be made if the project team requested any additional details on the testing, results, or follow-up actions.

The final report delivered contained the following core sections:

  • Executive Summary – Highlights of engagement, key findings, and recommendations

  • Engagement Objectives – Outline of testing scope and goals

  • Findings – Organized vulnerabilities and risks by application/system

  • Recommendations – Next steps for remediation and improving the security posture

  • Technical Appendices – Supplementary data to support findings


This standardized reporting approach ensured the client received a detailed deliverable providing valuable insights into their security risks and clear direction on strengthening protections.

SAMPLE:  Deliverables


  • Pricing can range anywhere from $170 to $300 per hour depending up on the expertise needed to meet client requirements. 

Emagined worked with the client for an additional four weeks to validate remediations and provide any additional value where needed.


  • Emagined provided robust planning, execution, and reporting tailored to the client's unique environment and security priorities.

  • The engagement was managed by a senior project manager who collaborated closely with the client's stakeholders to define the scope based on key assets, risks, and budget.

  • Detailed scheduling aligned test activities with minimal business disruption. Experienced penetration testers probed networks, applications, and systems for vulnerabilities.

  • Findings and recommendations were documented in a standardized report format approved by the client to provide them with actionable insights into strengthening security protections across their critical assets and data.


Through partnership and rigorous testing, Emagined delivered immediate value in hardening ABC Company against modern cyber threats.

“The effort, planning, pricing, and deliverables are exceptional and always predictably consistent across all of our projects with Emagined.”

State Govt Agency Director

bottom of page