Client Outcomes & Insights

What Defensible Security Actually Looks Like.

Real engagements. Real findings. Real outcomes. Every case study below reflects work delivered by our senior team — anonymized to protect client confidentiality, specific enough to be useful.

3: Avg. Critical Findings Per Engagement
45%+: Avg. Critical Risk Reduction Post-Remediation
100%: Senior-Led — No Junior-Only Delivery
1 Day: Avg. Follow-Up After Scoping Call

K–12 Education
Full Threat Risk Assessment

Full TRA Gave a Large School Division the Risk Clarity Their Board Had Been Asking For

A large Canadian school division — responsible for thousands of students, staff, and sensitive personal data — needed a comprehensive Threat Risk Assessment that could support board-level risk governance, inform security investment decisions, and stand up to external scrutiny. Previous assessments had been too surface-level to drive real action.

Full asset-based threat modeling completed — covering infrastructure, third-party systems, student data flows, and administrative access across the division
Prioritized risk register delivered — likelihood and impact scored across all identified threats, with treatment options documented for each risk so leadership had clear choices, not just findings
Board-ready executive summary produced — non-technical narrative translating risk findings into governance language, enabling trustees to make informed decisions on security investment

Our trustees had been asking for a clear picture of our security risks for two years. What 3Tenets delivered wasn't just a risk list — it was a decision-making tool. For the first time, we could walk into a board meeting and explain our risk posture with confidence.

DS
Director of Technology
Large Canadian School Division

Municipal Government
Penetration Testing • NIST Assessment • Full TRA

One Integrated Engagement. Three Deliverables. A Complete Security Posture Picture.

A Canadian town needed penetration testing, a NIST CSF 2.0 maturity assessment, and a full Threat Risk Assessment — and needed them to tell a coherent story rather than exist as three disconnected reports. With council scrutiny on IT spending and a procurement approval deadline in sight, there was no room for a generic, checkbox-driven approach.

All three workstreams delivered as a unified program — findings from the pentest directly informed the TRA risk register, and the NIST assessment provided the maturity baseline for remediation sequencing
Active vulnerabilities surfaced through testing — not just theoretical risks, but real exploitable paths in the town's network and public-facing systems, confirmed with evidence
Procurement-ready documentation produced — the combined output satisfied council approval requirements and gave the CAO defensible documentation for the public record

We'd had vendors propose running these as three separate engagements over 18 months. 3Tenets understood that a municipality our size needed this done as one coordinated program — and the integrated output was far more useful than three standalone reports would have been.

CA
Director, Information Security
Canadian Town, Ontario

Healthcare
Executive Tabletop Exercise

Executive Tabletop Revealed the Real Crisis Was Decision Authority, Not the Incident Response Plan

A regulated Canadian healthcare institution engaged 3Tenets to facilitate a senior leadership tabletop exercise covering cybersecurity incident response, communications protocols, and disaster recovery. Leadership expected the exercise to validate plans already in place. What it found was more valuable — and more urgent.

Decision authority gaps exposed — no clear owner for critical containment calls during the scenario; multiple executives assumed someone else held authority to act
Documented RTO vs. clinical reality gap confirmed — disaster recovery plan assumed a 4-hour system recovery; exercise revealed actual clinical workflow dependencies required a minimum of 12
External communications plan untested — no pre-approved messaging framework existed for simultaneous patient, regulator, and media notification under breach conditions
14 prioritized recommendations delivered across IR, communications, and disaster recovery — each with assigned owner, effort estimate, and 30/60/90-day implementation timeline

We walked in thinking we had a reasonable plan. We walked out knowing exactly where it would have failed us — and with a clear path to fix it. That's the value of an exercise designed to stress-test, not just validate.

DT
Director of Technology
Regulated Canadian Healthcare Institution

Higher Education & Research
AI & LLM Security Research — Mitacs Partnership

74% Prompt Injection Success Rate. Found Before a Healthcare AI Reached Clinical Use.

In partnership with the University of Guelph's School of Computer Science under the Mitacs program, 3Tenets served as industry partner on a research engagement to security-test a locally-hosted Llama 3 medical AI agent built with Ollama. The model was designed to simulate a healthcare chatbot handling sensitive patient queries. Before any clinical consideration, the research team needed rigorous adversarial validation — and a framework the institution could carry forward for future AI deployments.

74% attack success rate confirmed via NVIDIA Garak — using the HijackHateHumans probe, 18 injection attempts were executed against the model; 8 resulted in critical compliance failures, demonstrating the model's susceptibility to malicious prompt override in a healthcare context
4 distinct attack classes validated — Direct Command Override, Casual Instruction Injection, Conversational Diversion, and Emergency Stop Commands all achieved high success rates, bypassing the model's safety behaviours across different prompt styles
Full OWASP LLM Top 10 evaluation framework applied — findings mapped to recognized AI vulnerability classifications, producing research-grade documentation suitable for academic publication and institutional AI governance
Actionable defence framework delivered to the university — recommendations included API gateway instruction filtering, mandatory safety prefixes, output validation layers, and model fine-tuning on injection resistance — giving the institution a repeatable security posture for future AI deployments

The Garak scan results were eye-opening. A 74% attack success rate on a model we intended for healthcare use made clear that AI security testing can't be an afterthought. 3Tenets brought the industry expertise that turned our academic research into something with real-world defensibility — the kind of rigour that matters when patient data is involved.

Dr. Wenjing Zhang, Assistant Professor
School of Computer Science, University of Guelph
Perspective

Security Decisions That Hold Up

Observations from the field — what separates assessments that drive action from ones that collect dust.

Ready to see what defensible security looks like for your organization?

In a 30-minute scoping call, we'll tell you exactly what we'd assess, how we'd approach it, and what you'd receive — no obligation, no sales pressure.