Verify control effectiveness

Verify the effectiveness of your controls

We know that identifying and prioritising risk puts us in the driver’s seat, and we know that the deployment of risk-based controls avoids wasted time and money, putting resources and budgets where they are most needed. But designing and deploying controls are only the first two parts of a successful cyber strategy; there is a third facet to be considered: verification.

Controls must be verified to confirm they’re effective, resilient, and they continue to deliver as your risk identification and prioritisation matures. Without continuous (or at least frequent) verification, controls that worked in the past may later be found to offer little more than a false sense of security.

A penetration test (pen test) is an exercise, conducted by a careful, skilled assessor, that seeks to discover, exploit and report on vulnerabilities in the target asset(s).

For over 25 years, dotSec has worked closely with a wide range of corporate and government organisations, providing pen tests that target:

  • End-user devices (desktops, laptops, etc.)

  • Software including compiled, mobile and web applications

  • Server and service infrastructure (cloud, hosted services and on-prem)

  • Fixed and wireless networks

What makes dotSec’s pen tests unique?

Surprise!

dotSec’s pen testers don’t just do pen testing!

dotSec’s pen testers rotate through roles including EDR and SIEM analyst, and they assist with the support and maintenance of systems that dotSec has built, including an Identity and Access Management (IAM) system for utilities, cryptographic messaging infrastructure for federal government, and various security services for a national regulator.

Our pen testers have experienced the challenges of designing, deploying and maintaining these systems for over a decade, and so they are uniquely placed to provide you with pen tests that do not just drop a laundry list of problems in your lap.

Instead, our reports will allow you to verify the effectiveness of your security controls, providing you with prioritised risk-management strategies that are practical and reasonable to implement. And in many cases, we can provide implementation guidance as well!

We assist organisations in assessing and improving their resilience to social engineering attacks through controlled simulation exercises, with a focus on phishing and related threats.

Simulations mimic real-world attack techniques including MFA-resistant phishing, credential harvesting portals, and push-notification fatigue attacks, while also covering broader vectors such as smishing (SMS-based phishing) and vishing (voice-based social engineering).

Phishing remains the most frequent form of social engineering, but attackers increasingly diversify their methods to bypass technical safeguards and target human vulnerabilities. Controlled simulations allow organisations to test user readiness against a range of social engineering techniques, providing a clear view of risks that technical defences alone cannot mitigate.

As well as verifying the effectiveness of your social engineering and security-awareness training controls, social engineering exercises will also help you to comply with requirements from recognised frameworks and standards such as ISO/IEC 27001 (A.6.3), PCI DSS (12.6), and the Australian Information Security Manual (ISM) user education controls.

Scenarios are tailored to the organisation’s operating environment and threat profile, ensuring relevance and realism. Testing is conducted in a structured manner to avoid operational disruption, while providing measurable insight into user behaviour and organisational exposure.

Following each campaign, we deliver a comprehensive report detailing behavioural outcomes, response rates, and risk-based recommendations for improvement.

The approach reinforces positive behaviours — particularly the prompt reporting of suspicious activity — and helps cultivate a security-aware culture without attributing blame.

Verify controls with adversary emulation

Adversary emulation exercises are intended to allow an organisation to monitor the effectiveness of its incident detection, containment, response and recovery policies, procedures and mechanisms.

Adversary emulation exercises generally take one of two forms:

  1. A Red Team exercise, where dotSec’s Red Team will take on the role of an autonomous attacker who will try any means (as agreed with the client) including social engineering, pen testing and perhaps even malware distribution, to achieve a number of predetermined goals or flags.

  2. A Purple Team exercise, which combines the offensive capabilities of a Red Team with the defensive operations of a Blue Team in a collaborative model: The Red Team undertakes pre-agreed activities that simulate attacker behaviour, while the Blue Team actively defends and responds to those activities.

Adversary emulation exercises are intended for organisations that:

  1. Have achieved a high level of security maturity, with reference to a well-accepted standard or framework.

  2. Are confident (based on assessment of risk) that they have effective defences, in particular MDR and SIEM functions, in place.

  3. Experience decreasing levels of return from pen testing exercises over time.

If those points do not describe your organisation, then don’t waste your time and money on an adversary emulation exercise. Instead, go back and address the other risk-control and effectiveness tasks, before returning to adversary emulation at a later time.

If on the other hand your MDR and MSIEM infrastructure is tested and in order, and pen tests just aren’t doing it for you any more, then give us a call and let us be your most feared (but helpful!) adversaries.

Verify controls with baseline reviews

Many organisations face challenges with configuring Microsoft 365, Azure, and Windows systems securely and consistently. In particular, it can be difficult to understand which hardening guides and baselines to use, and how best to use them.

Don’t just take our word for it: the Microsoft Digital Defence Report 2023 noted that “More than 80% of organizations compromised had not fully deployed Conditional Access or phishing-resistant MFA.” And the Verizon Data Breach Investigations Report (DBIR) 2025 noted “a 34% increase in attackers exploiting vulnerabilities to gain initial access and cause security breaches compared to last year’s report.”

At dotSec, we specialise in identifying and addressing these challenges with precision and expertise, helping to reduce the risks associated with inconsistent vulnerability and configuration management, and resulting compliance issues.

Firstly, we conduct a comprehensive assessment of your Microsoft 365, Azure, and Windows systems using industry-standard frameworks such as the CIS Benchmarks, meticulously reviewing your configurations to identify security gaps and ensure your systems align with best practices. We utilise various tools and methodologies, such as Prowler, the Microsoft Azure administration portal, Azure CLI and PowerShell, to provide a thorough analysis.

Once the assessment is complete, we provide clear, actionable remediation strategies tailored to your organisation’s needs. Our approach ensures that configurations are tested in a development environment before being rolled out, minimising disruptions to your operations.

We can also assist in testing secure configurations, whether it’s through manual adjustments or leveraging tools like Intune for Windows systems in a replica/development environment.

Any testing work would of course be done in accordance with the client’s change-control procedures, in order to reduce any risks associated with recommended hardening changes.

Informed, justifiable decisions

Security frameworks and standards exist to provide a common point of reference, allowing an organisation to be confident of its own security maturity while also being able to demonstrate that maturity to a client, partner, insurer or other third party. In a study conducted by dotSec and Momentum Media, 70 per cent of surveyed law firms were either unsure whether they complied with a well-accepted standard or framework, such as ISO/IEC 27001:2022 or the CIS Critical Controls, or did not comply with any.

An organisation that fails to comply with a well-accepted national or international standard or framework will almost certainly fail to have a holistic set of cyber security policies, procedures and controls in place. This, in turn, makes the attacker’s job unnecessarily easy, and may also open the organisation up to accusations of failure to meet best practices, especially in the event of a security breach.
