International airport: Continuous monitoring stopped a critical systems takeover

3 months, 1200+ assets, 128 person-days - critical vulnerabilities were found within hours and remediated rapidly.

3 months monitoring
1200+ assets tracked
128 person-days
4 security engineers

Industry: Transportation & Critical Infrastructure
Region: Europe
Service: Continuous Attack Surface Monitoring
Outcome: Critical systems takeover prevented

Engagement Overview

A major international airport (client anonymised) asked us to run a three-month continuous monitoring programme across more than 1200 external assets - IP ranges, subdomains, web apps, remote access services and exposed OT gateways.

Scope

Asset discovery & monitoring for 1200+ IPs/subdomains, covering critical OT interfaces.

Duration

3 months (12 weeks): 4 weeks recon & mapping, 6 weeks attack sprints, 2 weeks fix verification.

Outcome

5 critical, 12 high and 17 medium findings - including SQL injection, RCE and exposed backups.

Impact

Prevented compromise of building management and flight operations APIs, blocked full LDAP exposure.

Continuous beats snapshot

Permanent monitoring, manual validation and targeted red-team sprints surfaced new exposures within hours - not at the next annual pentest.

Starting Point & Objectives

The airport runs complex digital ecosystems: passenger portals, logistics systems, building automation, airline integrations. New services go live frequently, often operated by third parties. Leadership wanted a live situational picture, not a quarterly snapshot.

  • Know the attack surface: Build and maintain an authoritative inventory of publicly exposed systems.
  • Spot misconfigurations early: From open backups to weak credentials and forgotten debug endpoints.
  • Go in depth: 128 person-days reserved for manual exploitation and lateral movement simulation.
  • Operational response: Prioritised tickets, playbooks and retests within 48 hours of each finding.

Because the airport is critical infrastructure, the programme had to satisfy stringent regulatory requirements. Every action was logged, reproducible and aligned with the internal CSIRT process.

Engagement Setup

Asset intelligence

Passive DNS, certificate transparency, ASN sweeps and cloud provider APIs kept the inventory fresh.

Monitoring stack

Custom sensors combined with Nuclei/Nmap feeds, log scrapers and honey-token monitoring.

Manual depth

Weekly deep dives by four senior testers focusing on RCE, auth bypass and data exfiltration paths.

Communication

Critical alerts in near real time, weekly situation reports, monthly executive briefings with the CISO and OT leadership.

Monitoring & Testing Strategy

We combined always-on attack surface surveillance with recurring manual intensive testing.

Phase 1: Baseline

Asset discovery, risk clustering (public web, remote access, OT, third-party) and criticality-based prioritisation.

Phase 2: Continuous scanning

Automated checks for CVEs, misconfigurations, newly exposed services and credential leaks.

Phase 3: Threat hunts

Targeted exploitation (SQLi, RCE, auth bypass) including lateral movement simulations in isolated lab environments.

Phase 4: Remediation support

Immediate proof-of-concepts, fix recommendations, retests and after-action reviews with operator teams.

Every critical exploit was cleared with the CISO before execution and reproduced safely to avoid impact on live flight operations.

Results at a Glance

We documented 34 actionable findings. 5 were labelled critical with direct implications for operational continuity.

5 critical, 12 high, 17 medium

Time to mitigation

Critical issues were reported within 36 hours on average and fixed inside five days - thanks to direct collaboration with airport IT, OT and third-party providers.

Technical Highlights

SQL injection in cargo portal

Manipulating tracking parameters exposed flight and cargo schedules stored in a backend database.

RCE on an OT gateway

Misconfigured reverse proxy plus insecure firmware update workflow granted shell access to building automation.

Weak passwords & backups

Multiple VPN/RDP endpoints still used vendor defaults; unsecured backup archives leaked configuration files.

LDAP exposure via binary analysis

Reverse engineering a publicly downloadable client binary revealed hardcoded secrets, enabling unauthenticated access to the LDAP API.

Stored XSS in passenger portal

Widgets accepted HTML/JS payloads, allowing session theft and social engineering.

Critical infrastructure at stake

Combining the OT RCE with LDAP access enabled full control over building systems (access control, energy, passenger flows). Exploit paths were demonstrated responsibly and closed immediately.

Timeline & Collaboration

Month 1: Baseline & quick wins

Asset inventory, immediate shutdown of exposed backups, rollout of alerting playbooks.

Month 2: In-depth exploitation

Validating SQLi/RCE/XSS, reverse engineering binaries, red-team scenarios against OT environments.

Month 3: Hardening & retests

Retesting all critical findings, strengthening authentication, OT tabletop exercise with operations leadership.

Business Impact

Operational continuity

Critical systems stayed online; potential disruptions to flight operations were prevented.

Regulatory confidence

Documentation aligned with EU NIS2 and national aviation security requirements.

Supply chain accountability

Managed service providers were integrated into remediation workflows and SLA updates.

Security culture

IT, OT and DevOps teams now operate with shared playbooks; security awareness improved measurably.

“We never expected that a single binary would open the door to our LDAP. Continuous monitoring keeps us honest about how fast the attack surface changes.”
Head of Information Security (anonymised), International Airport

Recommendations & Next Steps

Continuous security is an operating model, not a one-off project. Together we defined a roadmap for lasting resilience.

Key recommendations

  • Asset lifecycle: Auto-register and monitor every new subdomain or cloud resource.
  • Secret management: Prohibit hardcoded credentials, enforce vaulting and automated secret scanning.
  • Authentication hardening: Enforce strong MFA for remote access, run credential hygiene audits, introduce just-in-time OT access.
  • Binary assurance: Subject publicly distributed clients/tools to reverse engineering and security review.
  • Threat simulation: Run quarterly red-team exercises aligned with CSIRT and operations leadership.
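As an added example (not the engagement's own tooling), the kind of release-gate check the "binary assurance" and "secret management" recommendations call for, and the one that would have caught the hardcoded LDAP secrets described under Technical Highlights: it extracts printable strings from a build artefact, flags labelled credentials, LDAP bind DNs and LDAP URLs, and flags unlabelled high-entropy tokens. The sample binary, every string in it and the thresholds are constructed for this example.

```python
import math
import re

# Constructed stand-in for a downloadable client binary: non-printable filler bytes
# around embedded ASCII strings. Every value here is made up for this example.
FILLER = bytes(range(0x00, 0x20)) + bytes(range(0x7f, 0x100))
SAMPLE_BINARY = FILLER.join([
    b"ldap://ldap.example.internal:389",
    b"cn=svc-client,ou=service,dc=example,dc=internal",
    b"LDAP_BIND_PASSWORD=Xk9#vT2q!mLp8$wZ",
    b"q7Vt2KpL9xZr4Nm8WsB3yHf6GdJ1cAe0",          # unlabelled token-like blob
    b"0000000000000000000000000000000000000000",  # long but low entropy
    b"Copyright 2024 Example Corp",
    b"%s: connection failed",
]) + FILLER

MIN_STR_LEN = 8        # like `strings -n 8`
TOKEN_RE = re.compile(rb"[A-Za-z0-9+/=_-]{20,}")   # base64/hex-like single tokens
ENTROPY_BITS = 3.5     # per-byte threshold for flagging an unlabelled token

# Patterns a release gate would flag; keys are the reason reported
SECRET_PATTERNS = {
    "labelled credential": re.compile(rb"(?i)(password|passwd|secret|token|api[_-]?key)\s*[=:]\s*\S+"),
    "ldap bind dn": re.compile(rb"(?i)^cn=.*,dc="),
    "ldap url": re.compile(rb"(?i)^ldaps?://"),
}

def extract_strings(blob, min_len=MIN_STR_LEN):
    """Printable-ASCII runs of at least min_len bytes, as `strings` reports them."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)

def shannon_entropy(data):
    """Shannon entropy in bits per byte of a short byte string."""
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))

def scan_binary(blob):
    """Return [(reason, string)] for embedded strings that look like secrets."""
    findings = []
    for s in extract_strings(blob):
        reason = next((k for k, pat in SECRET_PATTERNS.items() if pat.search(s)), None)
        # Unlabelled keys/tokens: a long single token whose entropy is too high for prose
        if reason is None and any(shannon_entropy(t) >= ENTROPY_BITS for t in TOKEN_RE.findall(s)):
            reason = "high-entropy token"
        if reason:
            findings.append((reason, s.decode("ascii")))
    return findings

if __name__ == "__main__":
    print(*scan_binary(SAMPLE_BINARY), sep="\n")
```

Ordinary text such as the copyright line passes because the entropy test is applied only to long whitespace-free tokens, which is what keeps the check usable as a CI gate on real artefacts.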

Need continuous visibility?

We blend asset monitoring, threat hunting and manual exploitation to protect critical infrastructure. Talk to us about a tailored programme.

Contact DSecured