A Pentest Wednesday® Story

Insurance companies don’t just protect homes, cars, and livelihoods. They safeguard enormous amounts of personal and financial data — making them prime targets for adversaries. The National Insurance Crime Bureau projects a 49% surge in identity theft-related insurance fraud in 2025, while synthetic identity fraud already costs the life insurance sector an estimated $30 billion annually, accounting for up to 85% of all cases.

For one large U.S.-based insurer, the wake-up call came not from regulators or an incident — but from their own development environment. When identities are the new perimeter and fraud is measured in billions, security leaders need proof that all environments can withstand a live attack.

That’s the idea behind Pentest Wednesday — a way of describing how organizations move from assumptions and paperwork to continuous validation and measurable risk reduction. For this insurer, it began with a single test of their development environment — and it reframed how they viewed identity security, developer environments, and third-party risk.

The Problem

Large insurers operate at a scale where identity and data protection become existential challenges. With hundreds of offices, thousands of employees and agents, and services that span multiple lines of business, the attack surface is enormous.

Each line of business carries its own sensitive data:

Auto Insurance: driver’s licenses, vehicle registrations, accident reports, telematics data

Home Insurance: property records, mortgage details, appraisals, photos

Life Insurance: social security numbers, medical histories, beneficiaries

Farm Insurance: agricultural business data, land ownership, equipment valuations

Commercial Insurance: financial statements, business continuity plans, payroll info

Together, these datasets represent a comprehensive profile of policyholders’ lives and livelihoods — a goldmine for attackers.

Compliance frameworks may demand evidence of control effectiveness, but too often the proof comes in the form of paperwork. Audits can be passed, dashboards can show green, and questionnaires can be filed — yet none of it validates whether defenses will hold against a live attacker.

In this sector, the weakest link is almost always identity. Credentials can be stolen, weak, reused, or overprivileged. Third-party access expands exposure even further, as insurers often depend on vendors and contractors for claims, IT, and application development. It’s a systemic problem: adversaries don’t need to “hack in” when they can simply log in.

For insurers of this scale, the result is a dangerous gap between what leaders believe about their defenses and what is actually true in practice.

AHA Moment

Dev wasn’t a sandbox. It was a staging ground for attackers.

How NodeZero Exposed the Path from Dev to Prod

Step 1: Cracked Credentials

• Over 3 days, 16 hours, NodeZero cracked 266 valid accounts
• 146 users shared identical passwords
• 2 backup accounts using shared creds exposed business continuity systems

Note: Attackers routinely run password-cracking campaigns in the background for weeks. Within days, NodeZero had harvested enough credentials to open the door.

Step 2: LSADump

• Non-expiring service accounts uncovered in 15 minutes, 30 seconds
• Some passwords unchanged since 2021

Step 3: ActiveMQ Exploit

• Unpatched service exploited in 10 hours, 16 minutes
• NodeZero dropped a remote access tool (RAT) by 10 hours, 33 minutes

NodeZero Attack Path of ActiveMQ Exploitation -> Domain Compromise

Step 4: Privilege Escalation

• RAT used to compromise a service account with Domain Admin privileges
• Open VPN ports in Dev created additional remote access exposure

Step 5: Prod Exposure

• Domain Admin rights enabled lateral movement into production
• Executive credentials were also cracked and valid, underscoring how high the stakes were

Not visible in scanners: Weaknesses like SMB Signing Not Required enabled NTLM relay and MITM attacks that traditional vuln scanners would have missed.

NodeZero Attack Path of SMB Signing Not Required -> Host Compromise

The insurer’s security strategy transformed from reactive monitoring to proactive validation. Key steps included:

• Password policies overhauled — weak and reused credentials eliminated
• Privileged accounts locked down — reducing lateral movement blast radius
• More than 100 NodeZero Tripwires™ deployed — canary tokens to detect unauthorized access attempts early
• Single Sign-On (SSO) rolled out — strengthening authentication and reducing the attack surface
• Vulnerability Management Hub adopted — consolidating findings into a single pane of glass
• EDR effectiveness testing expanded — proving coverage across Dev and Prod
• Insider threat simulations and AI-powered MCP integrations explored — automating reporting and improving executive visibility
• Backup and recovery gaps addressed — ensuring resilience beyond detection
• Precision operations replaced broad pentests — validating specific risks, fixes, and controls

This is where Identity Security Validation comes in. NodeZero doesn’t just find weak passwords or misconfigured accounts — it executes real credential-based attacks to prove how adversaries could harvest identities, escalate privileges, and move laterally across hybrid environments.

• It reveals what logs and monitoring miss, such as credential reuse, dormant privileges, and access path drift.
  
• It validates under real-world pressure, safely emulating identity-based attacks in Active Directory and cloud identity systems.
  
• It operationalizes ITDR by making identity risk measurable — enabling scheduled tests, retests of fixes, and tracked exposure reduction over time.

For this insurer, the outcome was clear: by validating identity defenses through NodeZero, security leaders could finally prove which controls worked, which didn’t, and how quickly attackers could turn Dev into a doorway to Prod.

Ready to Prove It?

Insurance thrives on trust. Policyholders depend on their carriers not only to cover losses but also to safeguard their personal data. Identity is the new perimeter — and third-party vendors are the new frontier of exposure.

Whether you manage policyholder systems, claims applications, or third-party vendors, your Dev and Prod environments may be more connected than you think. Pentest Wednesday gives you the evidence to close those paths before attackers exploit them.

Each week, I’ll be sharing new stories from the field — real-world examples of how organizations are using Pentest Wednesday to turn assumptions into evidence, and uncertainty into confidence.