VPN Security Review
VPN gateways are the primary initial access vector for ransomware. Misconfigured authentication, split tunnelling enabled for convenience, and legacy protocols left on for backwards compatibility: these are the gaps threat actors find first. We review your Cisco AnyConnect, GlobalProtect, Citrix ADC, or FortiGate deployment against current attack techniques. From £2,500 for a single gateway.
Beyond Vendor Defaults
Built-in Features
- Defaults prioritise connectivity over security
- MFA bypass for service accounts not tested
- No adversarial authentication testing
- Split tunnelling risk not contextualised
- Not accepted as independent audit evidence
CREST-Accredited Assessment
- Black box portal + white box config review
- MFA bypass and service account testing
- IKEv1, weak cipher, and legacy protocol audit
- Post-connect authorisation validation
- Compliance-mapped report for insurers and auditors
The Ransomware Gateway
INITIAL ACCESS VIA VPN/RDP
Of ransomware attacks start with compromised VPN or RDP credentials. VPN gateways are the primary target for initial access operations against UK organisations.
CVE-TO-EXPLOIT WINDOW
Critical SSL VPN vulnerabilities (Citrix Bleed, Fortinet CVE-2024-21762) are weaponised within hours of public disclosure. Patching alone is insufficient without configuration hardening.
INSURER RED FLAG
Single-factor authentication on VPN gateways is now classified as negligent by most UK cyber insurers, and is the configuration most commonly exploited in ransomware initial access.
Controls
When to Commission a VPN Review
Most VPN security reviews are triggered by an insurer questionnaire, a CVE disclosure, or a compliance deadline. If any of these scenarios describe your situation, an independent review provides the evidence you need.
Cyber Insurance Questionnaire
Your insurer has asked whether VPN gateways have been independently assessed in the last 12 months. The honest answer is that they never have. Single-factor VPN authentication is now classified as negligent by most UK cyber insurers.
Post-CVE Disclosure Mandate
After a critical SSL VPN CVE disclosure (Citrix Bleed, Fortinet, Ivanti), your CISO has mandated independent assessment of all VPN gateways. You need testing within weeks, not months, and the scope must cover both the vulnerability and the broader configuration.
Compliance Audit Deadline
ISO 27001 Annex A.8.20, PCI DSS Requirement 2, or Cyber Essentials Plus certification requires documented evidence of network security controls including independent VPN review. The audit is approaching and the evidence pack is incomplete.
ZTNA Migration Validation
You are migrating from traditional VPN to Zero Trust (Zscaler, Prisma Access, Cloudflare Access) but running both in parallel during transition. You need verification that the legacy VPN pathways have been properly decommissioned and ZTNA policies enforce the intended access model.
Inherited VPN Infrastructure
You have inherited a VPN estate from a predecessor team or offboarded MSP. The configuration was deployed during the remote work transition and never hardened. MFA enforcement is patchy, split tunnelling was enabled for convenience, and nobody can confirm the baseline.
Board Accountability
The Cyber Security and Resilience Bill introduces fines up to £17M or 4% of turnover for inadequate network security controls. The board needs demonstrable evidence that remote access infrastructure has been independently assessed.
What We Typically Find
Across every VPN estate we review, the same misconfigurations appear. These are not theoretical risks. They are findings our consultants document in reports issued to UK organisations every month.
Service account bypasses MFA via RADIUS fallback
A service account used for automated monitoring has MFA exempted in the RADIUS configuration. The account has full VPN access and its credentials are stored in a shared password vault. An attacker with access to the vault credential can authenticate to the VPN without any second factor.
IKEv1 Aggressive Mode enables offline PSK cracking
The IPsec VPN is configured with IKEv1 Aggressive Mode, which sends the responder's authentication hash, derived from the pre-shared key, unencrypted during the initial handshake. An attacker on the network path can capture this hash and crack the PSK offline using GPU-accelerated tools. The PSK has not been rotated since initial deployment.
SSL VPN portal running firmware with known RCE CVE
The SSL VPN portal is running a firmware version vulnerable to a known remote code execution exploit with publicly available proof-of-concept code. Exploitation requires no authentication and grants the attacker shell access to the VPN appliance, enabling credential harvesting of all connected sessions.
Split tunnelling active on all user profiles
Split tunnelling is enabled for all VPN connection profiles. Corporate traffic routes through the VPN tunnel, but all other traffic exits directly from the user's local network. A compromised remote device bridges the corporate network to the user's home network, providing lateral movement from untrusted environments.
VPN portal discloses software version and internal hostname
The SSL VPN login portal returns the appliance firmware version and internal hostname in HTTP response headers and error pages. Attackers use version disclosure to identify specific CVEs applicable to the deployment and target exploits accordingly.
All VPN users land in the same network zone post-connect
Every authenticated VPN user, regardless of role or department, receives the same network access: full Layer 3 connectivity to the production server subnet. No post-authentication authorisation policies restrict access based on user group, device posture, or business function.
Most VPN gateways we review have at least one Critical and three or more High findings on first independent assessment.
What We Test
Ransomware groups specifically target VPN gateways for initial access. We assess your remote access infrastructure against the techniques they use, from credential stuffing against the login portal to IKEv1 aggressive mode pre-shared key extraction. Assessment covers all major VPN platforms and includes compliance mapping for Cyber Essentials Plus, ISO 27001 A.8.20, and PCI DSS Requirement 2.
Authentication Strength
We verify MFA enforcement across all account types, including service accounts, admin accounts, and break-glass users frequently excluded from MFA policy. We test for authentication downgrade attacks, RADIUS configuration weaknesses, and timing oracle attacks used to enumerate valid usernames without triggering account lockout.
Split Tunnelling
We identify whether split tunnelling is enabled and document the access consequence: a compromised remote device with split tunnelling active bridges your corporate network to whatever the user's home network contains. We also test for Local LAN Access settings that are frequently enabled by default and overlooked in post-deployment reviews.
Legacy Protocols
We identify support for deprecated encryption suites (3DES, RC4, DES), weak Diffie-Hellman groups, and IKEv1 Aggressive Mode which allows offline PSK cracking. These are not theoretical: IKEv1 Aggressive Mode is actively used in VPN credential attacks observed in the wild.
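As an added illustration of the legacy-protocol and split-tunnelling checks described above (and the IKEv1 and split-tunnelling findings under "What We Typically Find"), the following is a minimal configuration linter written for this page, not Precursor's or Cisco's tooling. It reads a constructed ASA-style configuration fragment; the parser only understands the handful of lines it looks for, and `am-disable` is assumed to be the control that turns off aggressive mode.

```python
import re

# Constructed example, not the page's or Cisco's own tooling. The config is in
# ASA-style syntax but is constructed for illustration; the parser is
# deliberately minimal and only understands the lines it looks for.
WEAK_ENCRYPTION = {"des", "3des", "rc4"}
WEAK_DH_GROUPS = {"1", "2", "5"}  # 768/1024/1536-bit MODP groups
PERMISSIVE_SPLIT = {"tunnelspecified", "excludespecified"}  # 'tunnelall' is full tunnel

SAMPLE_CONFIG = """\
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
group-policy SALES internal
group-policy SALES attributes
 split-tunnel-policy tunnelspecified
group-policy ADMIN internal
group-policy ADMIN attributes
 split-tunnel-policy tunnelall
"""

def audit_vpn_config(text):
    """Return (severity, finding) tuples for the legacy-protocol and split-tunnel checks."""
    findings = []
    block = None  # the 'crypto ikev1 policy N' or 'group-policy NAME' block being read
    ikev1_enabled = am_disabled = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("crypto ikev1 enable"):
            ikev1_enabled = True
        elif line == "crypto ikev1 am-disable":
            am_disabled = True
        elif m := re.match(r"crypto ikev1 policy (\d+)", line):
            block = f"ikev1 policy {m.group(1)}"
        elif m := re.match(r"group-policy (\S+) attributes", line):
            block = f"group-policy {m.group(1)}"
        elif block and block.startswith("ikev1"):
            if (m := re.match(r"encryption (\S+)", line)) and m.group(1) in WEAK_ENCRYPTION:
                findings.append(("High", f"{block}: weak cipher {m.group(1)}"))
            elif (m := re.match(r"group (\d+)", line)) and m.group(1) in WEAK_DH_GROUPS:
                findings.append(("Medium", f"{block}: weak DH group {m.group(1)}"))
        elif block and block.startswith("group-policy"):
            if (m := re.match(r"split-tunnel-policy (\S+)", line)) and m.group(1) in PERMISSIVE_SPLIT:
                findings.append(("High", f"{block}: split tunnelling enabled ({m.group(1)})"))
    # Aggressive mode stays accepted unless explicitly disabled, so its absence is the finding.
    if ikev1_enabled and not am_disabled:
        findings.append(("High", "IKEv1 enabled without 'crypto ikev1 am-disable': aggressive mode accepted"))
    return findings
```

Running it against the sample yields four findings; adding `crypto ikev1 am-disable`, moving policy 10 to AES-256 and group 14, and setting SALES to `tunnelall` clears them all.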
Portal Exposure
We check the web portal for OWASP Top 10 vulnerabilities, including session hijacking, information disclosure, and clientless VPN injection. Version disclosure vulnerabilities in SSL VPN portals have been used in critical exploits including Citrix Bleed (CVE-2023-4966) and Fortinet FortiOS (CVE-2024-21762).
Post-Connect Access
We validate authorisation policies. Does a 'Sales' user get full network access, or are they restricted to just the CRM subnet? Post-connect access controls are frequently misconfigured in environments where VPN deployment was rushed during the remote work transition and never revisited.
ZTNA Policy Validation
For organisations using Zscaler Private Access, Palo Alto Prisma Access, or Cloudflare Access, we verify that conditional access policies enforce the intended access model, and that legacy VPN pathways have not been left open alongside the ZTNA deployment.
VPN Platforms We Assess
We assess all major VPN and ZTNA platforms. Our consultants have hands-on experience with each vendor's authentication model, not generic methodology applied to unknown platforms.
Cisco AnyConnect
ASA/FTD-based SSL VPN, SAML/RADIUS authentication, posture assessment
Palo Alto GlobalProtect
PAN-OS gateway, HIP checks, split tunnelling policy, Prisma Access
Citrix ADC / NetScaler
Citrix Gateway, clientless VPN, Citrix Bleed (CVE-2023-4966) testing
Fortinet FortiGate
SSL VPN, IPsec VPN, FortiClient EMS, CVE-2024-21762 assessment
SonicWall
SSL VPN portal, NetExtender, SMA appliance configuration
Ivanti Connect Secure
Pulse Secure / Ivanti, CVE-2024-21887 assessment, integrity checking
Zscaler Private Access
ZTNA conditional access, application segmentation, legacy VPN coexistence
Palo Alto Prisma Access
Cloud-delivered security, GlobalProtect integration, policy validation
Assessment Workflow
From portal enumeration to a compliance-ready report. A hybrid black box + white box assessment lifecycle.
Portal Enumeration
We map all external VPN entry points (Cisco AnyConnect, GlobalProtect, Citrix ADC, FortiGate, SonicWall, Ivanti) and fingerprint software versions against current CVE advisories.
Authentication Testing
We attempt to identify valid usernames via timing attacks and test for weak password policies or lack of account lockout throttling. Credential stuffing, MFA bypass attempts, portal vulnerability assessment, and session hijacking tests are performed from an external attacker perspective.
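Two of the authentication weaknesses discussed above (password spraying that stays under per-account lockout, and the RADIUS fallback that lets a service account authenticate with no second factor) translate directly into detection logic. The following is an added example written for this page, not Precursor's detection content; the log lines are constructed in a simplified key=value format rather than any vendor's real syslog schema, and the MFA exemption allow-list is an assumption standing in for the reviewed RADIUS exemption policy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed example, not the page's or any vendor's detection content.
# Accounts the reviewed RADIUS policy legitimately exempts from MFA (assumption).
MFA_EXEMPT_ALLOWLIST = {"svc-monitoring"}
SPRAY_DISTINCT_USERS = 5          # one source failing against this many users...
SPRAY_WINDOW = timedelta(minutes=10)  # ...inside this window is a spray

# Constructed log lines in a simplified key=value format (not a real vendor schema).
SAMPLE_LOGS = """\
2024-05-01T08:00:01Z src=203.0.113.10 user=alice result=fail mfa=none
2024-05-01T08:00:02Z src=203.0.113.10 user=bob result=fail mfa=none
2024-05-01T08:00:03Z src=203.0.113.10 user=carol result=fail mfa=none
2024-05-01T08:00:04Z src=203.0.113.10 user=dave result=fail mfa=none
2024-05-01T08:00:05Z src=203.0.113.10 user=erin result=fail mfa=none
2024-05-01T08:05:00Z src=198.51.100.7 user=svc-backup result=success mfa=none
2024-05-01T08:06:00Z src=198.51.100.8 user=svc-monitoring result=success mfa=none
2024-05-01T08:07:00Z src=192.0.2.44 user=frank result=success mfa=totp
"""

def parse_event(line):
    """Turn one 'TIMESTAMP key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect(log_text):
    """Return a list of alert tuples from the authentication events."""
    alerts = []
    failures = defaultdict(list)  # src -> [(ts, user)] for failed attempts in the window
    for line in log_text.splitlines():
        ev = parse_event(line)
        # Detection 1: successful logon with no second factor for an account that is
        # not on the reviewed exemption list (the RADIUS fallback finding).
        if ev["result"] == "success" and ev["mfa"] == "none" \
                and ev["user"] not in MFA_EXEMPT_ALLOWLIST:
            alerts.append(("mfa_bypass", ev["user"], ev["src"]))
        # Detection 2: password spraying. Each user sees a single attempt, so
        # per-account lockout never fires; the tell is one source, many usernames.
        if ev["result"] == "fail":
            window = [(t, u) for t, u in failures[ev["src"]] if ev["ts"] - t <= SPRAY_WINDOW]
            window.append((ev["ts"], ev["user"]))
            failures[ev["src"]] = window
            if len({u for _, u in window}) == SPRAY_DISTINCT_USERS:
                alerts.append(("password_spray", ev["src"], len(window)))
    return alerts
```

On the sample input this raises one spray alert for 203.0.113.10 and one MFA-bypass alert for svc-backup, while the allow-listed svc-monitoring and the TOTP-authenticated user produce nothing.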
Configuration Audit
VPN configurations accumulate risk over time: exception policies for executives, service accounts added without MFA, and vendor-default settings left unchanged for backwards compatibility. We assess the live configuration against current hardening benchmarks, not just the original build documentation.
Risk Report
We deliver a clear report detailing exactly how an attacker could compromise your remote access and the specific settings to fix it. Reports are mapped to Cyber Essentials Plus, ISO 27001 A.8.20, and PCI DSS Requirement 2, and are suitable for presenting to auditors, insurers, or the board.
What You Receive
Every VPN security review includes the following deliverables, formatted for technical remediation teams, compliance stakeholders, and insurer submission.
Reports are delivered in PDF format. Single-gateway reviews typically complete within 2-3 business days.
Detect Credential Attacks in Real Time.
A VPN security review is a point-in-time assessment. Credential attacks happen continuously. Feed assessment findings directly into detection rules that alert on authentication anomalies, MFA bypass attempts, and VPN configuration changes as they occur.
Firewall Configuration Review
Device-level hardening, industry standard benchmarks, and rulebase analysis
External Network Pentest
Validate your internet-facing perimeter beyond the VPN portal
Managed SOC
Monitor VPN authentication logs and detect credential attacks in real time
Configuration Reviews
Server, database, firewall, and endpoint hardening reviews
Full Penetration Testing Catalogue
Comprehensive penetration testing services tailored to your environment.
Internal Testing
Post-perimeter assessments targeting Active Directory, lateral movement, privilege escalation, and segmentation validation from inside your network.
Frequently Asked Questions
Common questions about this service, methodologies, and deliverables.
VPN security review pricing typically ranges from £2,500 to £8,000+ depending on gateway complexity and scope. Single VPN gateway reviews (Cisco AnyConnect, GlobalProtect, Citrix ADC) average £2,500-£4,500 including authentication testing, encryption audit, and split tunnelling analysis. Multi-gateway environments (2-4 VPN concentrators, multiple authentication methods) typically cost £4,500-£6,000. Enterprise reviews (5+ gateways, ZTNA integration, complex conditional access policies) typically cost £6,000-£8,000+. Pricing includes portal vulnerability assessment and MFA bypass testing. We provide fixed quotes after understanding your VPN infrastructure and authentication architecture.
The most frequently exploited VPN vulnerabilities observed in UK ransomware incidents are: (1) Credential-based attacks: password spraying and credential stuffing against the VPN portal login, exploiting weak or absent MFA; (2) Unpatched CVEs: critical SSL VPN vulnerabilities including Citrix Bleed (CVE-2023-4966), Fortinet FortiOS (CVE-2024-21762), and Ivanti Connect Secure (CVE-2024-21887) are often weaponised within hours of public disclosure; (3) IKEv1 Aggressive Mode: enables offline pre-shared key recovery in IPsec VPN configurations; (4) Split tunnelling abuse: compromised remote devices with split tunnelling active provide a bridgehead into the corporate network; (5) Service account MFA gaps: admin and service accounts frequently excluded from MFA enforcement policy. A VPN security review tests for all of these against your specific gateway configuration.
It is a hybrid engagement combining black box authentication testing with white box configuration review. The black box phase tests your VPN portal from an external attacker's perspective: credential stuffing, MFA bypass attempts, portal vulnerability assessment, and session hijacking tests. The white box phase reviews your backend configuration for insecure defaults, legacy protocol support, split tunnelling policy, and post-authentication access controls. This hybrid approach identifies both the vulnerabilities an attacker can reach without credentials, and the misconfiguration they would exploit after establishing access. A standalone penetration test without the configuration review will miss insecure settings that are not externally detectable. A configuration review without the authentication testing will miss vulnerabilities in the portal's attack surface.
Yes. Citrix NetScaler/ADC (now Citrix ADC) is one of the most frequently targeted VPN platforms in UK enterprise environments. We test for Citrix Bleed (CVE-2023-4966) and related session token disclosure vulnerabilities, clientless VPN injection, and gateway policy misconfigurations that permit unauthorised lateral movement. We also test Citrix Secure Private Access (ZTNA) deployments where organisations are running both the legacy ADC gateway and a newer ZTNA solution in parallel.
A VPN security review directly supports compliance with several frameworks: Cyber Essentials Plus requires independent assessment of boundary firewalls and internet gateways, including VPN configuration. Our review generates the evidence required for certification. ISO 27001 Annex A.8.20 (network security controls) requires documented assessment of network access controls, including remote access mechanisms. PCI DSS Requirement 2 mandates removal of vendor defaults and hardening of all system components, which includes VPN gateways used in cardholder data environments. NIS2 and the incoming Cyber Security and Resilience Bill require demonstrable network security controls for operators of essential services and regulated supply chain organisations. We provide a structured report mapped to the relevant framework controls, suitable for presenting to auditors, insurers, or the board.
A single-gateway VPN security review (one VPN platform, one authentication method) typically completes in 2-3 days: one day for external black box testing, one day for configuration review, and one day for report writing and quality assurance. Multi-gateway reviews (2-4 VPN concentrators) typically take 3-5 days. Enterprise engagements involving multiple VPN technologies and ZTNA integration are scoped individually but typically complete within 2 weeks. We can accommodate accelerated timelines for urgent requirements. If you are facing an insurer deadline or regulatory audit, contact us and we will scope accordingly.
Vendor-enabled security features do not guarantee secure deployment:
- Default configurations prioritise connectivity over security. 'Enable Local LAN Access' is often left on.
- MFA may be enforced for users but bypass mechanisms exist for 'System' or service accounts.
- Split tunnelling decisions require business context that vendors cannot assess.
- Legacy protocol support (IKEv1, weak ciphers) may be enabled for backward compatibility without review.
- Post-authentication authorisation (what can users actually access?) requires adversarial testing.
- VPNs are the primary ransomware entry point. Attackers actively hunt for misconfigurations.
External review provides the adversarial perspective and independent validation that vendor tooling cannot deliver.
We also audit ZTNA solutions (like Zscaler Private Access, Palo Alto Prisma Access, or Cloudflare Access), verifying that conditional access policies enforce the intended access model and that legacy VPN pathways have not been left open alongside the ZTNA deployment.
Ideally, yes. We request a test account to verify 'Post-Connect' authorisation rules: what a user can actually access once authenticated. This is the phase of the review that most often reveals over-permissioned access and segmentation failures.