Every engagement starts with what we found.
Three anonymised case files from our own engagements: the exact vulnerability, what we deployed to close it, and the outcome measured afterward. Filter by your industry to see the closest match.
Case file 01 · Legal
Seven ways in, found before an attacker found them first
A CRA on a practice that believed it was “covered” surfaced seven distinct entry points in under a fortnight — closed inside a six-week Shield onboarding, with no gap left for their insurer to flag at renewal.
Vulnerability found
- A VPN appliance exposed directly to the internet, unpatched for a known vulnerability.
- Multi-factor authentication available but not enforced on partner email accounts.
- Shared administrator credentials on the practice management system.
- An unmonitored guest Wi-Fi network bridged onto the internal network.
- Stale user accounts left active for staff who had departed months earlier.
- No email security layer beyond default mailbox filtering.
- Backups that ran nightly but had never been test-restored, with no offline copy.
Fixed
- Replaced the exposed VPN with a hardened, monitored remote-access gateway.
- Enforced multi-factor authentication firm-wide, with no exceptions for partners.
- Eliminated shared logins and implemented individual, audited administrator access.
- Segmented guest Wi-Fi from the internal network entirely.
- Formalised an offboarding process tied to HR, closing the stale-account gap for good.
- Deployed a dedicated email security layer and enterprise EDR on every endpoint.
- Implemented tested, immutable, offline-capable backups on a monitored schedule.
Outcome
- Zero successful breaches in the fourteen months since the engagement began.
- Cyber insurance renewed with no additional conditions for the first time.
- MFA coverage moved from partial to 100% of accounts within the first month.
- All seven findings closed inside the six-week onboarding window.
“Our previous provider told us we were fine. GMAN IT found seven ways in within a fortnight. We sleep differently now.”
— Managing Partner, Carlton Lane Legal
A 40-person Melbourne family and commercial law practice. CRA + Shield onboarding completed in 6 weeks. Reference available by request during your assessment.
Get the full case-study PDF
The unredacted teardown — every finding, every fix, the full timeline — sent to your inbox.
Case file 02 · Financial & Accounting
A $40,000 invoice fraud attempt, stopped before the funds moved
A compromised supplier mailbox nearly redirected a routine $40,000 payment. Fortress's email-anomaly detection and a callback-verification policy caught it with zero financial loss.
Vulnerability found
- A supplier's mailbox had been compromised upstream and was being monitored by an attacker for live invoice threads.
- No dedicated email security layer — default filtering does not flag a message from a previously-trusted sender.
- No mandatory out-of-band verification process for bank-detail changes on payments.
- No log visibility into a mailbox forwarding rule the attacker had quietly planted to monitor the thread.
Fixed
- Deployed dedicated email security with sender-anomaly detection layered over default filtering.
- Implemented a mandatory callback-verification policy for any bank-detail change, using independently-sourced contact numbers.
- Enabled SIEM log monitoring across mailbox rules and forwarding behaviour, not just inbound spam.
- Ran vCISO-led staff training on business-email-compromise red flags for the finance team.
Outcome
- The fraudulent $40,000 transfer was flagged and held before it left the account.
- Zero financial loss to the firm or its client.
- The forwarding rule was traced and removed within hours of detection.
- No further business-email-compromise attempt has succeeded against the firm since.
“We were a $40,000 invoice away from a payment-redirection fraud. GMAN IT caught it before the funds moved.”
— Finance Director, Hargreave & Co. Advisory
A mid-sized Melbourne financial advisory and accounting firm. Detected and contained same business day. Reference available by request during your assessment.
Get the full case-study PDF
The unredacted teardown — every finding, every fix, the full timeline — sent to your inbox.
Case file 03 · Manufacturing
A ransomware dropper contained before it reached the production line
A flat network had IT and operational-technology systems on the same segment when a phishing email delivered ransomware. Segmentation completed months earlier meant the production line never went down.
Vulnerability found
- IT and operational-technology (shop-floor control) systems shared a single, unsegmented network.
- Legacy Windows machines on the production floor had not received security updates in years.
- No dedicated email security layer to stop the phishing email that delivered the ransomware dropper.
- No incident-response plan specific to protecting production continuity during a security event.
Fixed
- Segmented the network into isolated IT and OT zones, with monitored traffic between them.
- Deployed enterprise EDR fleet-wide and patched or replaced legacy shop-floor systems where feasible.
- Layered dedicated email security ahead of the phishing vector that had previously reached staff inboxes.
- Rehearsed an incident-response plan built specifically around keeping production running during containment.
Outcome
- The ransomware dropper was detected and contained on the office network segment within minutes.
- The production line recorded zero hours of downtime throughout the incident.
- The segmentation completed months earlier is the specific control that kept the incident from reaching operational technology.
- No ransom was paid; no data was encrypted on either segment.
“Quiet, precise, and always a step ahead. They feel less like a vendor and more like part of the firm.”
— Operations Manager, Foundry Works Manufacturing
A regional Victorian precision-manufacturing business running a live production line. Contained in under fifteen minutes. Reference available by request during your assessment.
Get the full case-study PDF
The unredacted teardown — every finding, every fix, the full timeline — sent to your inbox.
The pattern never changes: found first, closed fast, proven afterward.
Every case file above started as a Cyber Readiness Assessment. None of the businesses in them knew their exposure until we showed them, in writing, exactly where it was.
Your case file starts with an assessment. Not a guess.
The Cyber Readiness Assessment finds your own vulnerabilities in ten business days — credited toward your first year if you go further with us.