Industries · State & local government

Services stay up. Nobody ever notices.

When government security works, it is invisible: 911 answers, water flows, payroll lands. The job is keeping it that way, with every route to the services tested before someone hostile finds one.

The service board

Everything stays up. Nobody ever knows.

Six services, one quarter. Testing found the ransomware route into the utility network and closed it before anyone outside the room knew it existed.

wk 01wk 13911 dispatchemergencyUpWater & utilitiesoperationsUpRansomware path found · utility network — closedCourts & recordsjusticeUpPayroll & benefitsadministrationUpTransitmobilityUpResident servicesportal · paymentsUp
One route to the water system. Found in testing, closed quietlySix for six, all quarter. Not one unplanned outage
The problem

What state & local government is up against.

Hover or select any one to see what it means.

Ransomware’s steady target

Cities, counties, school districts and hospitals are hit week after week. The data is sensitive, the services are essential, and the defenses are thin.

A fraction of the budget

The team defending a whole county is often a handful of people, and the salaries that would hold off a real attacker are exactly what the private sector outbids.

Services that can’t go dark

Benefits, courts, permits, 911: people can’t opt out and can’t wait. Much of it runs on systems that predate modern security and can’t simply be replaced.

Elections and public trust

Election and records systems carry a target far bigger than their size. For nation-states and hacktivists, the prize is confidence, not just data.

Shared services, shared risk

Counties, municipalities and school systems lean on shared IT, MSPs and federated logins, so one foothold can reach far more than one department.

The problem

Ransomware’s steady target

A crew doesn’t need a zero-day to take a county offline. A phished clerk and a flat network will do. SLED gets hit so often not because it’s valuable in dollars, but because it’s reachable and it can’t afford downtime. We come in the way they do and show you where the line actually breaks.

  • Real ransomware intrusion paths, end to end
  • Segmentation and containment under pressure
  • Backups and recovery tested against the clock
Ransomware readiness →
The problem

A fraction of the budget

When one person covers security for a dozen departments, the work backs up: scans go unread, the legacy app has no owner, and “we’ll get to it” becomes the plan. We bring senior depth you can’t keep on payroll and point it at what would actually hurt first.

  • Senior testers without the senior headcount
  • Prioritized by impact, not by line item
  • Findings a stretched team can actually work
Get more from current spend →
The problem

Services that can’t go dark

The system that issues benefits or dispatches responders can’t be patched on a whim and absolutely cannot go down. So the question isn’t “is it modern.” It’s how an attacker reaches it and what they touch on the way. We test the legacy core and the modern wrappers around it, and tell you which compensating controls actually hold.

  • Legacy and end-of-life systems in scope
  • Reachability and blast-radius analysis
  • Every compensating control actually exercised
Penetration testing →
The problem

Elections and public trust

You don’t have to change a vote to do damage; casting doubt is enough. Election infrastructure, voter records and the public-facing sites around them draw attention most estates never see. We test them the way an adversary chasing headlines would, and show where trust could be undermined.

  • Public-facing and records systems tested
  • Full adversary spectrum, nation-state to hacktivist
  • Findings mapped to who would actually use them
Red team engagements →
The problem

Shared services, shared risk

The MSP that manages a dozen towns is a single door into all of them, and attackers know it. Shared services and federated identity are efficient, and a bridge for an intruder. We test the trust relationships: vendor connections, shared platforms, and the logins that quietly cross organizations.

  • MSP and shared-service access paths
  • Federated identity and trust abuse
  • Vendor connections treated as live entry points
Supply chain risk →
How an attacker gets in

Every route converges on the services a community cannot do without.

EntryFootholdPivotEscalateObjectivePhishinga clerkStolen credscredential dumpExposed VPNremote accessPublic portalcitizen-facingMSP / vendorshared servicesStaff workstationendpointCounty networkflat · trustedDMZ / appperimeterLateral movementhost to hostStateRAMP cloud / M365SaaSShared servicescross-departmentDomain adminActive DirectoryPrivileged accesssysadminCitizen dataPIICourt & police recordsCJIServices ransomedshut the city downPersistencelong dwellthe route taken this runother possible routesloop back to go again

What you get: every path to those services, mapped and ranked by what actually reaches them.

Ransomware readiness →
The mandates you answer to

The bar the mandates set, and how we test to it.

CJIS, StateRAMP, Pub 1075: the mandates set the floor. The real bar is whether the services stay up.

CJIS

FBI security policy for any system touching criminal-justice information.

We test whether CJI is reachable from where an attacker actually starts.

StateRAMP

Cloud sold to state and local government carries authorization requirements, penetration testing included.

We test to the bar the authorization expects, before the assessor asks.

IRS Pub 1075

Federal Tax Information protected to Publication 1075 safeguards.

We test whether FTI is reachable, and show exactly where.

Compliance & risk alignment →
Proof against real adversaries
15

years against real adversaries.

Ransomware crews, patient nation-states: the operators who test your services have spent careers against both.

See the case studies →
Book a 30-min call