SBC News Continent 8 Technologies: Vulnerability Assessment and Penetration Testing - insights and use cases

What is Vulnerability Assessment and Pentesting?

VAPT is defined as a comprehensive set of cybersecurity services that helps organisations identify, assess and mitigate vulnerabilities in their IT infrastructure, applications and networks.

Periodic Vulnerability Assessments scan customer networks and infrastructure to detect exploitable vulnerabilities and record them in a register, which is used to prioritise remedial work and demonstrate continuous improvement. Penetration Tests go a step further, exploiting the identified vulnerabilities to gain access and so testing the efficacy of preventative security measures, procedures and technology.

Having established what VAPT entails, the question arises: why is it often viewed as the optimal cybersecurity starting point for the igaming and online sports betting industry?

In this SBC News cybersecurity feature, Craig Lusher, Product Principal of Secure Solutions at Continent 8 Technologies, explores why VAPT serves as the foundational step in an organisation’s journey toward regulatory compliance and cybersecurity, while providing practical applications through real-world insights and deployments.

SBC News: We defined what VAPT is at the beginning of the feature. Can you tell us about the benefits behind this cybersecurity service?

Craig Lusher: A VAPT service serves two main objectives: ensuring regulatory compliance and demonstrating security due diligence.

First, from a regulatory perspective, regulation in various jurisdictions mandates a VAPT on a regular basis. It is therefore imperative for compliance concerning data protection, privacy and adherence with international security standards such as ISO 27001, PCI DSS 4.0 and GDPR. 

Second, VAPT aims to establish what we term a ‘hardened security posture’ by identifying and rectifying weaknesses, thereby fortifying the environment.

SBCN: Can you provide some additional information on what a ‘hardened security posture’ would look like? 

CL: Yes, certainly.

A hardened security posture combines multiple layers of protection that follow security best practices that can adapt to new threats and organisational changes. It starts with core technical controls – network segmentation, access management and encryption – backed by active defense systems like web application and API protection, intrusion detection and security monitoring.

What makes it ‘hardened’ is its dynamic nature. Security controls evolve continuously based on threat intelligence and system changes, supported by regular testing and updates. This is governed through clear policies and responsibilities, with documented procedures for incident response and risk management.

The key elements work together: technical controls prevent attacks, monitoring systems detect threats, regular assessments find vulnerabilities and governance ensures consistent implementation. This creates a robust defence where multiple safeguards protect assets even if one measure fails.

Success comes through measurable improvements in security metrics and the organisation’s demonstrated ability to prevent, detect and respond to threats effectively.

By integrating these strategies, you can create a robust framework that not only protects your IT infrastructure but also enhances trust and loyalty among your customers.

SBCN: I understand that you have some recent use cases that you would like to share. Can you walk us through the regulatory compliance and/or cybersecurity challenges your customer was facing and how your services helped resolve them? 

CL: Certainly. Our first example involves ODDSworks, a customer of ours that operates as an aggregator platform, focusing on providing gaming content and interactive technologies for regulated and real-money gaming markets.

Located in Pennsylvania, U.S., the Pennsylvania Gaming Control Board, or PGCB, mandates that igaming organisations perform an annual security audit and VAPT service. ODDSworks engaged Continent 8 to implement our Compliance Audit and VAPT services, ensuring they adhere to the state’s regulatory compliance and cybersecurity standards.

Following the completion of these services, we delivered a detailed report and remediation strategy, providing risk mitigation strategies, particularly around third-party developer compliance alignment recommendations with PGCB’s audit and VAPT standards.

In the U.S., each jurisdiction maintains its own set of regulatory compliance and cybersecurity standards. The PGCB is recognised as a leader in regulation and cybersecurity advocacy, establishing a benchmark for the industry.

SBCN: Thank you for sharing that use case, especially of having to be aware of the different requirements between jurisdictions. 

CL: Indeed. VAPT assessments serve a dual purpose in this context. VAPT services can also be beneficial for those seeking a deeper insight into their cybersecurity posture.

Our second customer, Alea, for example, is a global aggregator platform based in Spain, where the regulatory compliance requirements within this jurisdiction are approached differently, but the customer wants to consistently ensure that they are offering a secure API to clients with access to over 15,000 games from more than 150 providers on their platform.

Alea sought to protect their code and services from vulnerabilities such as broken authentications, cross-site scripting (XSS), data exposure and SQL injection to put them in the best position to support their over 17,000 requests per second. 

Following the VAPT service and assessment, we again delivered a comprehensive report to the customer, outlining the findings, including identified vulnerabilities, successful exploits and risk levels, along with recommendations for remediation and risk mitigation strategies. Like ODDSworks, no critical issues were found.

SBCN: Again, another interesting case study, with the customer’s own proactive approach to cybersecurity vigilance and maintenance. Do you have any final thoughts or best-practice recommendations for those exploring or evaluating a VAPT service?

CL: Yes, we would recommend undergoing an annual VAPT service. By doing so, organisations can demonstrate to the regulator their commitment to ensuring the security of their systems and protecting player data. The assessment helps organisations stay ahead of the evolving cyber threat landscape and continuously improve their security posture.

It is important to note that VAPT services are merely the initial phase in enhancing your cybersecurity strategy. To achieve comprehensive, multi-layered protection for your organisation, it is advisable to integrate VAPT with additional cybersecurity measures.

These measures may include Compliance Audits, Intrusion Detection Systems/Intrusion Prevention Systems, Multi-factor Authentication, Managed Security Operations Center and Security Incident and Event Management solutions, among others.

Implementing such a robust cybersecurity framework will optimally position your organisation to defend against a wide array of threats, ensuring the protection of data, endpoints, applications and network infrastructure.

For more information on Continent 8’s VAPT and cybersecurity services, please visit Continent 8 Technologies
