Capstone Project 1: Full-Scope Penetration Test — MedSecure Health Systems

Project Overview

This capstone project represents the culminating assessment for this textbook. You will conduct a comprehensive, full-scope penetration test against MedSecure Health Systems, a fictional mid-size healthcare technology company whose infrastructure you have encountered in running examples throughout this book. This engagement draws upon every skill domain covered in the preceding chapters: reconnaissance, scanning, vulnerability assessment, exploitation, post-exploitation, web application testing, social engineering, wireless security, cloud security, and professional reporting.

Unlike isolated lab exercises that test a single skill in a controlled environment, this capstone demands that you synthesize multiple techniques, make real-time decisions about attack paths, manage scope constraints, and deliver a professional-grade report that both executives and engineers can act upon. You will experience the full lifecycle of a penetration testing engagement, from the initial scoping call through final remediation verification recommendations.

MedSecure Health Systems processes protected health information (PHI) for over 200,000 patients across three regional clinics. Their environment blends modern cloud infrastructure with legacy medical devices — a scenario depressingly common in healthcare and one that creates layered security challenges. Your task is to identify how an adversary could compromise patient data, disrupt clinical operations, or pivot through the network to reach high-value targets.

Estimated Duration: 40–60 hours across 3–4 weeks.

Learning Objectives

Upon completing this capstone, you will be able to:

  1. Scope and authorize a penetration test engagement by drafting rules of engagement, defining boundaries, and establishing communication protocols.
  2. Conduct passive and active reconnaissance to enumerate an organization's external attack surface, correlating findings from multiple data sources.
  3. Perform systematic vulnerability assessment across network, web application, and cloud environments, distinguishing between theoretical and exploitable vulnerabilities.
  4. Execute exploitation against multiple vulnerability classes while maintaining operational security and respecting scope limitations.
  5. Perform post-exploitation activities including privilege escalation, lateral movement, credential harvesting, and data access demonstration — all with appropriate evidence collection.
  6. Produce a professional penetration test report containing an executive summary, risk-rated findings, technical evidence, and prioritized remediation guidance.
  7. Navigate the ethical and legal complexities of testing healthcare infrastructure, including HIPAA considerations and patient safety constraints.

Scenario Description

About MedSecure Health Systems

MedSecure Health Systems is a healthcare technology company headquartered in Portland, Oregon, providing electronic health record (EHR) management, patient portal services, and telehealth infrastructure for three regional clinic networks. The company was founded in 2011 and has grown through acquisition, resulting in a heterogeneous environment that reflects organic technical debt.

MedSecure's CISO, Dr. Priya Vasquez, has engaged your firm to conduct a full-scope penetration test ahead of their annual HIPAA security risk assessment. A recent ransomware attack against a peer organization has escalated board-level concern about security posture. Dr. Vasquez wants an honest, thorough evaluation — "Don't hold back. I need to know what a motivated attacker could actually do."

The MedSecure Environment

The following infrastructure description represents what you would learn through the scoping process and initial documentation review. In a real engagement, some of this information would come from the client; the rest you would discover through reconnaissance.

Corporate Network (medsecure.local)

  • Domain: Active Directory forest medsecure.local running Windows Server 2019 domain controllers (two DCs in Portland HQ, one in each satellite clinic).
  • Workstations: Approximately 450 Windows 10/11 endpoints joined to the domain, managed via Group Policy and Microsoft Endpoint Manager.
  • Email: Microsoft 365 (Exchange Online) with hybrid configuration; on-premises Exchange 2016 server maintained for legacy integrations.
  • File Services: Windows file server hosting department shares, including an HR share, a Finance share, and a Clinical Data share with access controls based on AD group membership.
  • VPN: Cisco AnyConnect VPN for remote employees, authenticating against Active Directory with optional MFA (not universally enforced).

Web Infrastructure

  • Patient Portal: portal.medsecure.example.com — A custom web application built on Python/Django, hosted on Ubuntu 22.04 servers behind an Nginx reverse proxy. This portal allows patients to view lab results, schedule appointments, message providers, and pay bills. Handles PHI directly.
  • Corporate Website: www.medsecure.example.com — WordPress site hosted on a separate Ubuntu 20.04 server. Marketing content, career postings, provider directories.
  • Telehealth Platform: telehealth.medsecure.example.com — WebRTC-based video conferencing integrated with the patient portal. Runs on Node.js backend.
  • API Gateway: api.medsecure.example.com — RESTful API serving the patient portal and mobile applications. Django REST Framework with JWT authentication.

Cloud Environment (AWS)

  • Primary Region: us-west-2 (Oregon).
  • Services in Use: EC2 (web servers), RDS (PostgreSQL databases for patient portal), S3 (document storage including patient records, radiology images), Lambda (automated reporting functions), CloudFront (CDN for static assets), IAM (role-based access for developers and operations).
  • CI/CD Pipeline: GitHub Actions deploying to AWS via assumed IAM roles.
  • Logging: CloudTrail enabled but logs shipped to a separate security account with limited review cadence.

Legacy Medical Devices

  • Imaging Systems: Three GE PACS (Picture Archiving and Communication System) servers running Windows Server 2012 R2 — cannot be patched without vendor approval due to FDA 510(k) certification constraints.
  • Infusion Pumps: Network-connected Alaris infusion pumps on a "segmented" VLAN (the quality of segmentation is something you should evaluate).
  • Biomedical Network: Flat network segment containing various diagnostic equipment, some communicating via HL7 MLLP (Minimal Lower Layer Protocol) without encryption.

Mobile Application

  • MedSecure Patient App: Available on iOS and Android. Communicates with api.medsecure.example.com. Supports biometric authentication, push notifications, and document upload.

Physical Locations

  • Portland HQ: Main office with server room, 200 employees.
  • Satellite Clinic A (Salem): 80 employees, connected via site-to-site VPN.
  • Satellite Clinic B (Eugene): 70 employees, connected via site-to-site VPN.

Scope and Rules of Engagement

In-Scope Assets

Asset Category Targets Notes
External Network All public-facing IP ranges owned by MedSecure (provided in engagement) Full testing authorized
Web Applications portal.medsecure.example.com, www.medsecure.example.com, telehealth.medsecure.example.com, api.medsecure.example.com Authenticated and unauthenticated testing
Internal Network 10.10.0.0/16 (corporate), 10.20.0.0/16 (clinical) Accessible via VPN credentials provided at engagement start
Active Directory medsecure.local domain and all joined systems Includes domain enumeration, privilege escalation attempts
Cloud (AWS) Account ID provided; us-west-2 resources Read-only AWS credentials provided for initial access; exploitation of misconfigurations authorized
Wireless Corporate and guest wireless networks at Portland HQ On-site testing only during authorized window
Social Engineering Email phishing (up to 50 targets), phone pretexting (up to 10 calls) No physical intrusion; targeting list pre-approved by HR
Mobile Application MedSecure Patient App (latest version) Static and dynamic analysis authorized

Out-of-Scope Assets

Asset Reason
Third-party SaaS (Salesforce, Workday, etc.) Not owned by MedSecure
Production patient database (write operations) Patient safety — read demonstration only with synthetic test records
Medical devices (active exploitation) Patient safety — passive scanning and vulnerability identification only; no exploitation of infusion pumps or imaging systems
Physical penetration testing Not included in this engagement
Denial-of-service attacks Risk to clinical operations
Satellite clinic networks (active exploitation) Limited to Portland HQ unless pivot demonstrates reachability (then document but do not exploit)

Testing Windows

  • External Testing: 24/7 authorized throughout the engagement period.
  • Internal Network Testing: Monday–Friday, 7:00 PM – 6:00 AM Pacific, and weekends. No testing during peak clinical hours (8:00 AM – 5:00 PM weekdays) without explicit approval.
  • Social Engineering: Monday–Friday, 9:00 AM – 5:00 PM Pacific (business hours only).
  • Wireless Testing: Scheduled on-site visit, coordinated 48 hours in advance.

Emergency Contacts

Role Name Phone When to Call
Primary Point of Contact Dr. Priya Vasquez (CISO) (503) 555-0142 Daily status updates, scope questions
Technical Contact Marcus Chen (Sr. Security Engineer) (503) 555-0187 Technical issues, credential problems, IDS/IPS interference
Emergency Contact James Park (VP of IT) (503) 555-0103 System instability, unintended impact, critical finding requiring immediate action
Legal Contact Sandra Okafor (General Counsel) (503) 555-0199 Legal questions, law enforcement contact, breach discovery

Critical Finding Protocol

If you discover evidence of an active compromise (indicators that a real attacker is already present), stop testing immediately, document your findings, and contact Dr. Vasquez and James Park within 30 minutes. Do not attempt to remediate or interact with the attacker's infrastructure.

Phase-by-Phase Walkthrough

Phase 1: Pre-Engagement (Estimated: 4–6 hours)

Objective: Establish the administrative and legal foundation for the engagement.

Activities:

  1. Review the Statement of Work (SOW): Read the provided scope document carefully. Identify any ambiguities — for example, does "all public-facing IP ranges" include the CDN endpoints? Prepare a list of clarifying questions for the kickoff call.

  2. Draft the Rules of Engagement (RoE): Using the scope information above, produce a formal RoE document. This should include: - Engagement timeline with milestones - Authorized testing techniques per asset category - Communication protocols (frequency of check-ins, escalation paths) - Evidence handling procedures (encryption requirements for captured PHI, even synthetic) - Data destruction policy post-engagement

  3. Obtain Authorization: Draft the authorization letter (sometimes called the "get out of jail free" letter) that Dr. Vasquez and MedSecure's CEO would sign. This document explicitly authorizes the testing activities described in the RoE.

  4. Prepare Your Environment: - Set up your testing VM (Kali Linux or similar) with all required tools. - Configure a secure evidence repository with encryption at rest. - Establish VPN connectivity using the provided credentials. - Verify that your testing IP addresses are documented and shared with Marcus Chen so that legitimate testing traffic is not confused with a real attack.

Hints and Guidance: - The pre-engagement phase is where many real-world engagements go wrong. An incomplete scope leads to missed assets; a vague RoE leads to disputes about what was authorized. Treat this phase with the same rigor you would apply to exploitation. - Consider HIPAA implications explicitly. How will you handle any PHI you encounter during testing? Your RoE should address this. - Remember that MedSecure's legacy medical devices require special handling. Your RoE should explicitly document the passive-only approach to these systems and explain why.

Ethical Reminder: Authorization is not a formality — it is the legal and ethical foundation of everything that follows. Without proper authorization, every technique described in this project is illegal. Ensure your authorization documents are thorough, signed, and stored securely.

Phase 2: Reconnaissance (Estimated: 6–8 hours)

Objective: Map MedSecure's external attack surface and gather intelligence that informs later phases.

Activities:

Passive Reconnaissance:

  1. OSINT Gathering: - Enumerate subdomains using certificate transparency logs (crt.sh), DNS brute-forcing, and search engine dorking. - Search for MedSecure employees on LinkedIn, noting job titles, technologies mentioned in job postings, and recent hires (who may not yet have full security awareness training). - Check GitHub, GitLab, and Bitbucket for MedSecure repositories or employee commits that may leak credentials, internal hostnames, or configuration details. - Search breach databases (Have I Been Pwned, DeHashed) for MedSecure employee email addresses. - Review the corporate website for technology stack indicators (meta tags, JavaScript libraries, error pages). - Examine job postings for technology clues ("Experience with Django REST Framework and PostgreSQL required").

  2. DNS and Infrastructure Analysis: - Perform DNS enumeration: A, AAAA, MX, TXT, NS, SOA records. - Identify email security posture: SPF, DKIM, DMARC records. - Map IP ranges and ASN ownership. - Check for DNS zone transfer vulnerabilities.

Active Reconnaissance:

  1. Network Scanning: - Conduct port scans of external-facing IP ranges (TCP SYN scan of top 1000 ports initially; expand as needed). - Perform service enumeration and banner grabbing on discovered ports. - Identify web servers, mail servers, VPN endpoints, and any unexpected services.

  2. Web Application Fingerprinting: - Identify web server versions, frameworks, and CMS platforms. - Enumerate directories and files using wordlist-based scanning. - Review robots.txt, sitemap.xml, and other metadata files. - Check for exposed administrative interfaces, development endpoints, or API documentation.

Deliverable: Reconnaissance Report documenting all discovered assets, with a network diagram showing external-facing infrastructure.

Hints and Guidance: - Pay special attention to the WordPress corporate site — CMS installations frequently have plugin vulnerabilities, exposed admin panels, and information disclosure issues. - The CI/CD pipeline (GitHub Actions to AWS) is a goldmine for reconnaissance. Developer commits sometimes contain hardcoded credentials, internal URLs, or infrastructure-as-code that reveals the entire AWS architecture. - Don't overlook email security. Weak or missing DMARC policies directly enable the social engineering phase. - Document everything methodically. Reconnaissance findings that seem unimportant now may become critical pivot points later.

Phase 3: Vulnerability Assessment (Estimated: 6–8 hours)

Objective: Systematically identify vulnerabilities across the discovered attack surface, distinguishing between theoretical weaknesses and practically exploitable issues.

Activities:

  1. Automated Scanning: - Run authenticated and unauthenticated vulnerability scans against internal and external networks using tools such as Nessus, OpenVAS, or Qualys. - Perform web application vulnerability scanning using Burp Suite Professional, OWASP ZAP, or Nikto against all in-scope web applications. - Scan the AWS environment using tools like ScoutSuite, Prowler, or Pacu for cloud-specific misconfigurations. - Run a static analysis scan against the mobile application (decompile APK/IPA and review).

  2. Manual Verification: - Validate automated findings to eliminate false positives. A vulnerability scanner reporting MS17-010 on a Windows Server 2019 host is almost certainly a false positive; a scanner reporting a missing security header on the patient portal is real but may be low-severity. - Manually test for logic vulnerabilities that automated tools miss: insecure direct object references (IDOR) in the patient portal, broken access controls in the API, race conditions in the payment flow. - Check Active Directory for common misconfigurations: Kerberoastable service accounts, AS-REP roastable accounts, unconstrained delegation, GPP password exposure. - Evaluate network segmentation between corporate and clinical VLANs. Can a compromised corporate workstation reach the biomedical network?

  3. Vulnerability Correlation and Prioritization: - Map vulnerabilities to potential attack chains. A medium-severity SQL injection combined with a low-severity information disclosure may create a critical attack path. - Prioritize based on exploitability, impact, and relevance to MedSecure's threat model (healthcare-specific threats: ransomware, PHI theft, clinical system disruption).

Deliverable: Vulnerability Matrix containing all identified vulnerabilities with CVSS scores, affected assets, exploitability assessment, and potential business impact.

Hints and Guidance: - The legacy PACS servers running Windows Server 2012 R2 will almost certainly have numerous unpatched vulnerabilities. Remember: you can identify and document these but cannot actively exploit medical devices per the RoE. This constraint is realistic — healthcare penetration testers frequently encounter this limitation. - Look beyond CVEs. The most impactful findings in healthcare penetration tests are often configuration issues: default credentials on medical devices, unencrypted HL7 traffic, overly permissive S3 buckets containing patient documents, service accounts with domain admin privileges. - Active Directory misconfigurations deserve deep attention. Kerberoasting, AS-REP roasting, and abuse of delegation are among the most commonly exploited paths in real-world healthcare breaches.

Phase 4: Exploitation (Estimated: 10–14 hours)

Objective: Demonstrate actual compromise of systems and data by exploiting identified vulnerabilities, documenting each step with evidence.

Activities:

Network Exploitation:

  1. External-to-Internal Pivot: - Attempt to gain initial access through external-facing services. Consider:

    • Exploiting vulnerabilities in the WordPress site to gain a web shell.
    • Leveraging discovered credentials from OSINT or breach data against the VPN or Outlook Web Access.
    • Exploiting API vulnerabilities in api.medsecure.example.com to gain code execution on the backend.
    • Document the initial foothold with screenshots, timestamps, and exact commands used.

  2. Internal Network Exploitation: - From the initial foothold, enumerate the internal network. - Attempt to exploit vulnerabilities identified during assessment:

    • Kerberoast service accounts and crack their password hashes offline.
    • Exploit misconfigured network shares to access sensitive data.
    • Leverage unpatched internal services for additional footholds.
    • Test network segmentation by attempting to reach clinical network assets from the corporate network.

Web Application Exploitation:

  1. Patient Portal Attacks: - Exploit identified web vulnerabilities (SQLi, XSS, IDOR, authentication bypass, etc.). - Demonstrate access to patient records using synthetic test data. Do not access, modify, or exfiltrate real patient data. - Test API endpoints for authorization flaws — can a standard patient user access another patient's records by manipulating API calls? - Attempt to escalate from patient-level access to provider-level or administrative access.

  2. Cloud Exploitation: - Exploit AWS misconfigurations:

    • Overly permissive S3 bucket policies allowing public read or list access.
    • IAM role assumption chains that escalate privileges.
    • Lambda function environment variables containing secrets.
    • EC2 instance metadata service (IMDS) exploitation from a compromised web server.
    • Document any data accessible through cloud misconfigurations, particularly patient documents in S3.

Social Engineering:

  1. Phishing Campaign: - Design and execute a phishing campaign targeting the pre-approved employee list (up to 50 targets). - Craft a pretext relevant to MedSecure (HIPAA training reminder, benefits enrollment, IT system update). - Track click rates, credential submission rates, and report rates. - If credentials are captured, attempt to use them to access MedSecure systems (VPN, email, internal applications).

Hints and Guidance: - Chain your exploits. The value of a full-scope pentest is demonstrating realistic attack chains, not listing individual vulnerabilities in isolation. For example: phishing email leads to credential capture, which leads to VPN access, which leads to internal enumeration, which leads to Kerberoasting, which leads to domain admin. - Maintain meticulous logs. Every command, every tool, every timestamp. If you cannot reproduce an exploit from your notes, you cannot report it credibly. - Operate within the testing windows. If you gain a foothold at 6:55 PM on a Friday, you can maintain persistence but should not conduct noisy exploitation activities outside the authorized window without approval. - If you discover that network segmentation between the corporate and clinical networks is inadequate, document the path but do not exploit medical devices. A screenshot showing that you can ping or reach the PACS server from a compromised corporate workstation is sufficient to demonstrate the risk.

Ethical Reminder: Exploitation must be proportionate. If you can demonstrate that SQL injection allows reading patient records by extracting one synthetic record, you do not need to dump the entire database. The goal is to prove the vulnerability exists and demonstrate its impact, not to cause unnecessary harm or data exposure.

Phase 5: Post-Exploitation (Estimated: 6–8 hours)

Objective: Demonstrate what an attacker could accomplish after initial compromise, focusing on lateral movement, privilege escalation, persistence, and access to high-value data.

Activities:

  1. Privilege Escalation: - From each foothold, attempt to escalate privileges to SYSTEM/root on the compromised host. - On Windows systems: check for unquoted service paths, writable service binaries, SeImpersonate/SeAssignPrimaryToken privileges, cached credentials, and local admin password reuse. - On Linux systems: check for SUID binaries, sudo misconfigurations, kernel vulnerabilities, writable cron jobs, and credential files. - In Active Directory: escalate from domain user to domain admin through documented attack paths (Kerberoasting, delegation abuse, ACL manipulation, GPO abuse).

  2. Lateral Movement: - Demonstrate the ability to move between systems using harvested credentials, pass-the-hash, pass-the-ticket, or other techniques. - Map out what an attacker with domain admin access can reach. Can they access:

    • The HR file share (containing employee SSNs and benefits data)?
    • The Clinical Data share (containing patient treatment information)?
    • The Finance share (containing payment card or billing data)?
    • The domain controllers themselves?
    • Attempt to pivot from the corporate network to the clinical network. Document the path even if exploitation of clinical devices is out of scope.

  3. Data Access Demonstration: - Identify and document access to sensitive data categories:

    • PHI (Protected Health Information): Patient records, lab results, prescriptions. Use synthetic data to demonstrate access; document the path and permissions that allowed it.
    • PII (Personally Identifiable Information): Employee records, SSNs, addresses.
    • Financial Data: Billing records, payment card data, insurance information.
    • Intellectual Property: Proprietary algorithms, business strategies, contracts.
    • Demonstrate data exfiltration capability without actually exfiltrating large volumes. Show that you can read sensitive files, query sensitive database tables, or download from S3 buckets.

  4. Persistence Mechanisms (Documentation Only): - Identify persistence mechanisms that a real attacker might establish: scheduled tasks, startup scripts, new service accounts, SSH keys, web shells, or Golden Ticket attacks. - Document how these would be established without actually implementing long-term persistence. In a real engagement, you might implement a lightweight persistence mechanism with client approval; for this capstone, documenting the technique and its feasibility is sufficient.

  5. Evidence Collection: - Capture screenshots of every significant access point. - Record hashes (not plaintext) of compromised accounts. - Create an attack chain diagram showing the complete path from initial access to highest-impact compromise. - Note timestamps for all activities.

Hints and Guidance: - The attack chain visualization is one of the most valuable deliverables for the client. A diagram showing: "Phishing email -> Credential capture -> VPN access -> Kerberoasting -> Domain Admin -> Clinical network access -> PHI exposure" tells a story that executives can understand and act upon. - Post-exploitation is where healthcare-specific knowledge matters. A domain admin compromise in a hospital means potential access to medical devices, clinical decision support systems, and life-critical infrastructure. Even if you cannot exploit these directly, articulating this risk in your report is essential. - Clean up after yourself. Remove any web shells, test accounts, or artifacts you created during testing. Document the cleanup process.

Ethical Reminder: Post-exploitation activities carry the highest risk of unintended impact. Proceed carefully and methodically. If you encounter real patient data during your testing, do not capture or store it. Document the access path, note that real data was accessible, and use synthetic records for evidence screenshots. If you encounter evidence of a real breach in progress, invoke the Critical Finding Protocol immediately.

Phase 6: Reporting (Estimated: 8–12 hours)

Objective: Produce a comprehensive, professional penetration test report that communicates findings effectively to both executive and technical audiences.

Report Structure:

  1. Executive Summary (1–2 pages): - Overall risk rating for MedSecure (Critical/High/Medium/Low). - Summary of the most significant findings in business terms: "An attacker could access patient health records for all 200,000 patients within 48 hours of initial compromise." - Key statistics: total vulnerabilities found by severity, percentage of systems compromised, time from initial access to domain admin. - Top three recommended actions, prioritized by risk reduction impact. - No technical jargon. Write this for the board of directors.

  2. Engagement Overview (1–2 pages): - Scope summary, testing timeline, methodology description, and tools used. - Any limitations encountered (IDS blocking, time constraints, scope restrictions).

  3. Technical Findings (bulk of the report): Each finding should include: - Title: Descriptive name (e.g., "Kerberoastable Service Account with Domain Admin Privileges"). - Severity: Critical, High, Medium, Low, or Informational, with CVSS 3.1 base score. - Affected Asset(s): Specific hosts, URLs, or services. - Description: What the vulnerability is and why it matters. - Evidence: Screenshots, command output, and request/response pairs demonstrating the vulnerability. Redact any sensitive data. - Impact: What an attacker could achieve by exploiting this vulnerability, specific to MedSecure's context. - Remediation: Specific, actionable steps to fix the issue, with short-term mitigations and long-term solutions. - References: CVE numbers, CWE classifications, vendor advisories, and industry best practices.

  4. Attack Narrative: - A chronological walkthrough of the most significant attack chain, from initial access to maximum impact. This tells the "story" of the engagement and helps the client understand how individual vulnerabilities combine into a catastrophic attack path.

  5. Remediation Roadmap: - Prioritized remediation plan organized into Immediate (0–30 days), Short-Term (30–90 days), and Long-Term (90–365 days) actions. - Each recommendation mapped to the finding(s) it addresses. - Estimated effort level (Low/Medium/High) for each remediation action.

  6. Appendices: - Complete list of hosts scanned. - Raw scan outputs (sanitized). - Social engineering campaign results. - Network diagrams. - Methodology references (PTES, OWASP, NIST SP 800-115).

Hints and Guidance: - The report is the primary deliverable of a penetration test. A brilliant exploitation that is poorly documented has zero value to the client. Invest significant time in this phase. - Write the executive summary last, after all technical findings are documented. This ensures it accurately reflects the engagement's results. - Use consistent formatting and severity ratings. If you rate a SQL injection as "High" in one finding, apply the same standard to all SQL injection findings. - Include positive observations. If MedSecure's MFA implementation on the patient portal prevented credential stuffing, note that. Clients value knowing what is working well. - Remediation guidance should be specific to MedSecure's environment. "Apply patches" is unhelpful. "Upgrade WordPress to version X.Y.Z and remove the vulnerable Contact Form 7 plugin (version 5.3.2) — coordinate with the marketing team since the contact page depends on this plugin" is actionable.

Deliverables Checklist

You must submit the following deliverables at the conclusion of this project. Each deliverable is described with its expected content and quality standard.

# Deliverable Description Expected Length
1 Pre-Engagement Package Rules of Engagement document, authorization letter template, evidence handling procedures, and communication plan 5–8 pages
2 Reconnaissance Report All OSINT findings, DNS analysis, network scan results, and external attack surface map with network diagram 8–12 pages
3 Vulnerability Matrix Spreadsheet or table of all identified vulnerabilities with CVSS scores, affected assets, exploitability assessment, and validation status 3–5 pages (or spreadsheet)
4 Exploitation Evidence Package Organized collection of screenshots, command logs, and notes for each successful exploitation, with timestamps and attack chain documentation 10–15 pages
5 Final Penetration Test Report Complete professional report following the structure described in Phase 6, suitable for presentation to MedSecure's executive team 30–50 pages
6 Remediation Verification Plan Document describing how each finding can be re-tested to verify remediation effectiveness 3–5 pages
7 Debrief Presentation Slide deck (15–20 slides) summarizing findings for a mixed audience of executives and engineers 15–20 slides

Grading Rubric

Excellent (90–100%)

  • Pre-Engagement: RoE is thorough, addresses HIPAA-specific concerns, includes clear testing windows and escalation procedures, and demonstrates mature professional judgment.
  • Reconnaissance: Comprehensive attack surface enumeration with creative OSINT techniques; findings are well-organized and clearly correlated. Network diagrams are accurate and detailed.
  • Vulnerability Assessment: All major vulnerability classes identified; false positives eliminated; manual testing supplements automated scanning; vulnerabilities are correlated into attack chains.
  • Exploitation: Multiple independent attack chains successfully demonstrated; exploitation is proportionate and well-documented; social engineering campaign is realistic and effective.
  • Post-Exploitation: Complete attack narrative from initial access to maximum impact; lateral movement paths documented; data access demonstrated responsibly with synthetic data; cleanup procedures documented.
  • Reporting: Executive summary is compelling and jargon-free; technical findings are precise with reproducible evidence; remediation guidance is specific and prioritized; report is professionally formatted with consistent severity ratings.
  • Ethics and Professionalism: All activities within scope; medical device constraints respected; PHI handling protocols followed; ethical reasoning articulated throughout.

Good (75–89%)

  • All phases completed with competent execution. Minor gaps in reconnaissance thoroughness or exploitation creativity. Report is professional but may lack the narrative polish or specific remediation guidance that distinguishes excellent work. Ethical considerations addressed but not deeply integrated.

Adequate (60–74%)

  • Core phases completed but with notable gaps. Reconnaissance may miss significant attack surface components. Exploitation limited to one or two attack chains with limited post-exploitation. Report meets minimum structural requirements but findings lack detail or evidence quality is inconsistent. Ethical considerations mentioned but not substantively addressed.

Below Expectations (Below 60%)

  • Significant phases missing or incomplete. Exploitation consists of running automated tools without manual validation. Report lacks executive summary or remediation guidance. Scope violations or ethical lapses (attempting to exploit medical devices, failing to handle PHI appropriately).

This capstone simulates a real engagement, and the ethical standards that apply to professional penetration testing apply here. Throughout this project, keep the following principles front and center:

  1. Authorization is paramount. In a real engagement, every technique you employ must be covered by your written authorization. If you encounter an ambiguous situation — a system that might be in scope but isn't explicitly listed — you stop and ask the client. You do not proceed and apologize later.

  2. Patient safety is non-negotiable. MedSecure's environment includes systems that support clinical care. The reason medical devices are out of scope for active exploitation is not that they are uninteresting — it is that disrupting them could harm patients. This constraint is realistic and reflects the highest ethical obligation of healthcare security professionals.

  3. Proportionality matters. Demonstrate vulnerabilities with the minimum necessary impact. You do not need to exfiltrate 200,000 patient records to prove SQL injection works. One synthetic record is sufficient evidence.

  4. Confidentiality endures. Everything you discover during this engagement — vulnerabilities, data, network architecture — is confidential. In a real engagement, this obligation persists indefinitely. In this capstone, treat all findings as confidential within your educational context.

  5. Professional integrity demands honesty. Report what you actually found, not what you wish you had found. If you could not exploit a particular vulnerability, say so. If network segmentation prevented lateral movement, that is a positive finding worth reporting. Inflating results is a serious ethical violation in professional penetration testing.

  6. HIPAA compliance is a legal requirement. If your testing encounters actual PHI (in a real engagement), you have legal obligations regarding its handling. Your RoE should address this. In this capstone, all patient data is synthetic, but you should treat it as if it were real and document your handling procedures accordingly.

Final Guidance

This project is designed to be challenging. A full-scope penetration test against a healthcare environment is one of the most complex engagements in our profession, requiring deep technical skills, situational awareness, ethical judgment, and communication ability. You will encounter moments where you are stuck, where tools fail, where attack paths dead-end. That is realistic. The measure of a skilled penetration tester is not whether every attack succeeds — it is how methodically you approach the problem, how honestly you document your results, and how effectively you communicate findings that help the client improve their security posture.

MedSecure Health Systems has entrusted you with access to their most sensitive systems. Honor that trust through professional conduct, thorough testing, and a report that genuinely helps them protect their patients.

Good luck.

This capstone project is designed for educational purposes in a controlled lab environment. All domain names, IP addresses, company names, and scenarios are fictional. Never apply penetration testing techniques against systems you do not have explicit written authorization to test.