Parent Firm Discovers Unsecured Subsidiary Network During Routine Penetration Testing

The Challenge

During a scheduled penetration test, a mid-sized Canadian manufacturing group (not named here for confidentiality) learned that one of its subsidiaries operated an unsecured and unmonitored network segment. The environment had been left outside central IT governance after a merger.

The red team identified Internet-exposed VPN endpoints, legacy Windows Server 2012 hosts, and unpatched applications that still held trust relationships with the parent company's directory. Together these gave an attacker on the subsidiary segment lateral movement paths into shared repositories holding supplier contracts and employee data.

The parent firm's SOC had no visibility into the subsidiary environment. There was no IDS, no SIEM integration, and no log retention from which to establish how long the exposure had existed, so the privacy assessment had to assume the worst case. The company faced immediate containment requirements, potential privacy risk under PIPEDA, and delays to a pending commercial agreement. Senior leaders also confronted a governance gap in post-merger integration and accountability.

Our Solution

We were engaged as the Cybersecurity and Privacy Risk Advisory partner to stabilise the situation and close governance gaps.

  • Containment and forensics. Isolated affected subnets, disabled exposed VPN endpoints, acquired forensic artefacts, and reviewed logs for indicators of compromise.
  • Security integration audit. Mapped assets across all subsidiaries, identified shadow IT, and documented inherited technical risks.
  • Policy and compliance uplift. Updated post-acquisition security controls and privacy processes aligned to PIPEDA, NIST CSF, and ITSG-33.
  • SOC expansion. Implemented centralised logging, IDS/IPS, and MFA across subsidiary environments and onboarded them to a unified SIEM.
  • Training and accountability. Delivered executive and IT workshops on integration risk, role clarity, and decision rights.
  • Independent validation. Commissioned a third-party retest to verify remediation and confirm closure of critical findings.

The Value

Within six months the client achieved measurable improvements:

  • 100% of subsidiary networks brought under central SOC visibility.
  • 87% reduction in critical vulnerabilities, verified by third-party retesting.
  • 60% improvement in mean time to detect and respond, based on SIEM metrics.
  • Reduced regulatory exposure and stronger evidentiary posture for PIPEDA safeguards.
  • Reinstated partner confidence and reauthorised deferred contracts valued at approximately $1.2M.

Implementation Roadmap

Phase 1: Discovery and Containment (Weeks 1–2)

  • Isolate subsidiary networks.
  • Disable exposed VPN endpoints.
  • Perform rapid forensic triage and log correlation.

Phase 2: Governance and Policy Update (Weeks 3–6)

  • Complete asset inventory across all subsidiaries.
  • Standardise post-acquisition integration requirements.
  • Update privacy, access, and change control procedures to align with PIPEDA and ITSG-33.

Phase 3: SOC and Control Uplift (Weeks 7–12)

  • Centralise logging to SIEM and enable use cases for lateral movement and data exfiltration.
  • Deploy IDS/IPS, enforce MFA, and patch or decommission legacy servers.

Phase 4: Validation and Enablement (Weeks 13–24)

  • Conduct independent red-team retest and close residual findings.
  • Run role-based training and tabletop exercises.
  • Deliver an executive outcomes report with metrics and lessons learned.
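To make the Phase 3 SIEM use cases for lateral movement and data exfiltration concrete, the following Python is an added example, not tooling from the engagement, the client, or the advisory firm. It runs the two detections over a constructed event feed: the subsidiary range 10.50.0.0/16, the corporate ranges, the host names, accounts, byte counts, timestamps and thresholds are all assumptions for illustration.

```python
"""Two SIEM-style use cases over constructed logon and flow records.

Added example: the address ranges, host names, accounts, byte counts and
thresholds are illustrative assumptions, not data from the engagement.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed address plan: the subsidiary segment, and the corporate ranges
# outside of which a destination counts as "external".
SUBSIDIARY_NET = ipaddress.ip_network("10.50.0.0/16")
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample feed. kind="logon" stands in for a Windows Security
# event 4624 with logon type 3 (network logon) as normalised by a SIEM;
# kind="flow" stands in for a firewall/NetFlow record at the subsidiary egress.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:00:05", "kind": "logon", "user": "svc_backup", "src": "10.50.3.17", "dst_host": "FS01"},
    {"ts": "2024-03-04T09:01:10", "kind": "logon", "user": "svc_backup", "src": "10.50.3.17", "dst_host": "FS02"},
    {"ts": "2024-03-04T09:02:40", "kind": "logon", "user": "svc_backup", "src": "10.50.3.17", "dst_host": "HR-DB1"},
    {"ts": "2024-03-04T09:03:55", "kind": "logon", "user": "svc_backup", "src": "10.50.3.17", "dst_host": "FS01"},
    {"ts": "2024-03-04T09:30:00", "kind": "logon", "user": "jdoe", "src": "10.50.8.2", "dst_host": "FS01"},
    {"ts": "2024-03-04T11:00:00", "kind": "logon", "user": "jdoe", "src": "10.50.8.2", "dst_host": "FS02"},
    {"ts": "2024-03-04T09:05:00", "kind": "flow", "src": "10.50.3.17", "dst": "10.10.1.5", "bytes": 900_000_000},
    {"ts": "2024-03-04T09:06:00", "kind": "flow", "src": "10.50.3.17", "dst": "203.0.113.44", "bytes": 350_000_000},
    {"ts": "2024-03-04T09:09:00", "kind": "flow", "src": "10.50.3.17", "dst": "203.0.113.44", "bytes": 400_000_000},
    {"ts": "2024-03-04T09:10:00", "kind": "flow", "src": "10.50.8.2", "dst": "198.51.100.9", "bytes": 2_000_000},
]


def _ts(s):
    return datetime.fromisoformat(s)


def _is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORP_NETS)


def detect_lateral_movement(events, window=timedelta(minutes=5), min_hosts=3):
    """Flag an account that makes network logons to at least min_hosts distinct
    hosts within `window` from a subsidiary source address. Returns the first
    qualifying window per account."""
    by_user = defaultdict(list)
    for e in events:
        if e["kind"] == "logon" and ipaddress.ip_address(e["src"]) in SUBSIDIARY_NET:
            by_user[e["user"]].append((_ts(e["ts"]), e["src"], e["dst_host"]))
    alerts = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, src, _host) in enumerate(logons):
            hosts = {h for t, s, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts[user] = {"src": src, "hosts": sorted(hosts), "window_start": t0.isoformat()}
                break
    return alerts


def detect_exfiltration(events, window=timedelta(minutes=10), threshold_bytes=500_000_000):
    """Flag a subsidiary host whose bytes to external destinations within
    `window` reach threshold_bytes. Internal transfers are ignored here;
    they are the lateral-movement rule's concern."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "flow" and _is_external(e["dst"]) and ipaddress.ip_address(e["src"]) in SUBSIDIARY_NET:
            by_src[e["src"]].append((_ts(e["ts"]), e["dst"], e["bytes"]))
    alerts = {}
    for src, flows in by_src.items():
        flows.sort()
        for i, (t0, _dst, _b) in enumerate(flows):
            in_window = [f for f in flows[i:] if f[0] - t0 <= window]
            total = sum(b for _, _, b in in_window)
            if total >= threshold_bytes:
                alerts[src] = {
                    "bytes": total,
                    "destinations": sorted({d for _, d, _ in in_window}),
                    "window_start": t0.isoformat(),
                }
                break
    return alerts


if __name__ == "__main__":
    for user, a in detect_lateral_movement(SAMPLE_EVENTS).items():
        print(f"LATERAL  {user} from {a['src']} -> {a['hosts']} starting {a['window_start']}")
    for src, a in detect_exfiltration(SAMPLE_EVENTS).items():
        print(f"EXFIL    {src} sent {a['bytes']} bytes to {a['destinations']} starting {a['window_start']}")
```

On the constructed feed, svc_backup trips the lateral-movement rule (three distinct hosts inside five minutes) while jdoe's two logons ninety minutes apart do not, and 10.50.3.17 trips the exfiltration rule on 750 MB to 203.0.113.44 while its 900 MB internal transfer is ignored. In production the logon feed would be event 4624 with logon type 3 forwarded from the subsidiary domain controllers and file servers, and the flow feed would come from the subsidiary's egress firewall. Thresholds have to be baselined per site, and a service account that legitimately fans out to many hosts (backup, monitoring) belongs on an allow-list rather than being left to page the SOC every night.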