Cisco Security Validation

You Run Cisco. Does Your Configuration Actually Stop Attacks?

ASA. Firepower. Meraki. ISE. Four platforms. One independent validation.

Sherlock Forensics offers Cisco security validation starting at $5,000 CAD. We test whether your Cisco ASA, Firepower, Meraki and ISE deployments actually stop real attack techniques. Using our ShadowTap platform, we test ASA default configurations, verify Firepower is in enforcement mode, probe Meraki permissive defaults and validate ISE posture compliance. You receive a detailed report showing what your Cisco stack blocked, what it missed and specific remediation steps. Comprehensive validation covering all four platforms is available at $12,000 CAD.

Common Misconfigurations

What We Find in Cisco Deployments

ASA Default Configurations

Cisco ASA appliances are often deployed with default access lists, permissive management access and legacy configuration carried forward through software upgrades. ASDM or SSH management reachable from the outside interface or from any source address, an enable password never changed from the factory default and overly broad NAT and access rules create entry points. We test whether your ASA configuration has been hardened beyond the deployment defaults.

Firepower Not in Enforcement Mode

Cisco Firepower is frequently deployed in detection-only or passive mode alongside ASA: the FirePOWER service module redirected in monitor-only mode, sensor interfaces configured as passive rather than inline, or intrusion policies left in detection rather than prevention. The intention is usually to tune Firepower before switching to inline enforcement, but many organizations never complete this transition. Firepower logs the threats it observes but does not block them. We test whether Firepower is actively enforcing policy or just generating alerts nobody reads.

Meraki Permissive Defaults

Meraki's cloud-managed simplicity prioritizes ease of deployment over security. The MX outbound firewall ships with a single allow-any rule, the organization-wide site-to-site VPN firewall defaults to allow-any as well, wireless SSIDs often use a shared PSK instead of 802.1X, content filtering is minimal and group policies are rarely configured. Because Auto VPN connects each branch to the hub, every branch running Meraki with defaults is an entry point to your wider network through site-to-site VPN.
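The checks described above, expressed as an added example that is not Sherlock Forensics' code or any Meraki tooling: a small audit over the JSON a Meraki Dashboard API client would return for the branch outbound L3 rules, the organization's site-to-site VPN firewall rules and the network's SSIDs. The payloads are constructed for the example, and the field names (`policy`, `protocol`, `srcCidr`, `destCidr`, `destPort`, `syslogEnabled`, `authMode`, `encryptionMode`) are an assumption about the Dashboard API v1 response shape; verify them against a live organization before wiring this to real API calls.

```python
import json

# Constructed payloads shaped like Meraki Dashboard API v1 responses. Assumption: field names match
# GET /networks/{networkId}/appliance/firewall/l3FirewallRules,
# GET /organizations/{organizationId}/appliance/vpn/vpnFirewallRules and
# GET /networks/{networkId}/wireless/ssids; verify against a live org before relying on them.
BRANCH_L3_RULES = json.loads("""
{"rules": [
  {"comment": "Default rule", "policy": "allow", "protocol": "Any", "srcPort": "Any",
   "srcCidr": "Any", "destPort": "Any", "destCidr": "Any", "syslogEnabled": false}
]}""")

ORG_VPN_RULES = json.loads("""
{"rules": [
  {"comment": "Default rule", "policy": "allow", "protocol": "Any", "srcPort": "Any",
   "srcCidr": "Any", "destPort": "Any", "destCidr": "Any", "syslogEnabled": false}
]}""")

BRANCH_SSIDS = json.loads("""
[
  {"number": 0, "name": "Branch-Staff", "enabled": true, "authMode": "psk",
   "encryptionMode": "wpa", "wpaEncryptionMode": "WPA2 only"},
  {"number": 1, "name": "Branch-Guest", "enabled": true, "authMode": "open"},
  {"number": 2, "name": "Branch-Corp", "enabled": true, "authMode": "8021x-radius",
   "encryptionMode": "wpa", "wpaEncryptionMode": "WPA2 only"},
  {"number": 3, "name": "Unconfigured SSID 4", "enabled": false, "authMode": "open"}
]""")

WEAK_AUTH_MODES = {
    "open": "no authentication at all",
    "psk": "one shared secret for every device, no per-user identity",
}


def _is_any(value) -> bool:
    return str(value).strip().lower() == "any"


def audit_firewall_rules(payload: dict, scope: str) -> list[str]:
    """Flag allow rules that match every protocol, source, destination and port, and allow
    rules that are not logged. Rules are evaluated top-down, so an allow-any that nothing
    narrower precedes means the rule set is effectively open."""
    findings = []
    for idx, rule in enumerate(payload.get("rules", [])):
        if rule.get("policy") != "allow":
            continue
        name = rule.get("comment", "")
        if all(_is_any(rule.get(k)) for k in ("protocol", "srcCidr", "destCidr", "destPort")):
            findings.append(f"{scope}: rule {idx} ({name!r}) allows any traffic to any destination")
        if not rule.get("syslogEnabled", False):
            findings.append(f"{scope}: rule {idx} ({name!r}) is not logged")
    return findings


def audit_ssids(ssids: list) -> list[str]:
    """Flag broadcast SSIDs that rely on open or shared-key authentication, or on WEP."""
    findings = []
    for ssid in ssids:
        if not ssid.get("enabled"):
            continue  # a disabled SSID is not broadcast, so its settings do not matter yet
        label = f"SSID {ssid.get('number')} {ssid.get('name')!r}"
        mode = ssid.get("authMode", "")
        if mode in WEAK_AUTH_MODES:
            findings.append(f"{label}: authMode {mode} ({WEAK_AUTH_MODES[mode]})")
        if ssid.get("encryptionMode") == "wep":
            findings.append(f"{label}: WEP encryption")
    return findings


def audit_branch(l3_rules: dict, vpn_rules: dict, ssids: list) -> list[str]:
    """Combine the three views a branch review needs: local egress, VPN reach into the hub, wireless."""
    return (audit_firewall_rules(l3_rules, "branch outbound L3")
            + audit_firewall_rules(vpn_rules, "org site-to-site VPN")
            + audit_ssids(ssids))


if __name__ == "__main__":
    for finding in audit_branch(BRANCH_L3_RULES, ORG_VPN_RULES, BRANCH_SSIDS):
        print("-", finding)
```

The site-to-site VPN rule set is the one to read most carefully: it is organization-wide, so an allow-any there means a compromised host in any spoke can reach every hub subnet that participates in Auto VPN, regardless of how tight the branch's own L3 rules are.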

ISE Posture Gaps

Cisco ISE enforces network access based on device posture, user identity and authorization policy. Many ISE deployments have posture policies defined but enforcement effectively set to monitor-only: posture requirements configured as Audit rather than Mandatory, or authorization rules that grant the same access whether the session's posture status is Compliant, NonCompliant or Unknown. Non-compliant devices, unmanaged endpoints and BYOD devices receive full network access because ISE is watching but not acting. We test whether ISE actually quarantines non-compliant endpoints.

AnyConnect VPN Weaknesses

Cisco AnyConnect (now Cisco Secure Client) is deployed across millions of endpoints. Permissive split-tunnel policies, weak authentication requirements, missing multi-factor authentication and permissive post-connect access (no VPN filter, or an overly broad one) create remote access vulnerabilities. We test whether a compromised AnyConnect session can pivot into sensitive network segments.
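The ASA default-configuration, Firepower monitor-only and AnyConnect points above can all be checked against a running-config before anyone sends a packet. The following is an added example, not Sherlock Forensics' code or ShadowTap: a small audit over an ASA `show running-config` that flags management access open to any source or to the outside interface, telnet, the factory-default enable password hash, inbound `permit ip any any`, split tunneling, group policies with no `vpn-filter`, and the FirePOWER service module in `monitor-only`. Both config excerpts are constructed for the example. The monitor-only check covers only the form of non-enforcement visible in an ASA config; for FTD managed by FMC, the equivalent check is the interface mode and the intrusion policy's inline/prevention setting, which this script does not see.

```python
import re

# Hash that the factory-default empty enable password produces on classic ASA images
# (assumption: treat its presence as "never changed").
DEFAULT_ENABLE_HASH = "8Ry2YjIyt7RRXU24"

# Constructed running-config excerpts, not captured from any real device. The first carries the
# weak settings described on this page; the second is the same box after hardening.
WEAK_ASA_CONFIG = """\
hostname branch-asa
enable password 8Ry2YjIyt7RRXU24 encrypted
http server enable
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
telnet 10.1.1.0 255.255.255.0 inside
access-list outside_in extended permit ip any any
access-group outside_in in interface outside
group-policy RA_USERS internal
group-policy RA_USERS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL
policy-map global_policy
 class class-default
  sfr fail-open monitor-only
"""

HARDENED_ASA_CONFIG = """\
hostname branch-asa
enable password NotTheFactoryHash encrypted
http server enable
http 10.1.1.0 255.255.255.0 inside
ssh 10.1.1.0 255.255.255.0 inside
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside
group-policy RA_USERS internal
group-policy RA_USERS attributes
 split-tunnel-policy tunnelall
 vpn-filter value RA_FILTER
policy-map global_policy
 class class-default
  sfr fail-close
"""

MGMT_RE = re.compile(r"^(http|ssh|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
ACL_ANY_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+any4?\s+any4?\b")
GP_RE = re.compile(r"^group-policy\s+(\S+)\s+attributes$")


def audit_asa(config: str) -> list[str]:
    """Return one finding per weak setting found in an ASA running-config."""
    findings = []
    enable_seen = False
    current_gp = None      # group-policy whose attributes block we are inside
    gp_has_filter = {}     # group-policy name -> a vpn-filter is applied

    for raw in config.splitlines():
        line = raw.strip()
        indented = raw.startswith(" ")   # ASA indents sub-commands by one space

        m = GP_RE.match(line)
        if m:
            current_gp = m.group(1)
            gp_has_filter.setdefault(current_gp, False)
            continue
        if current_gp and not indented:
            current_gp = None            # a top-level command ends the attributes block

        m = MGMT_RE.match(line)
        if m:
            proto, addr, mask, iface = m.groups()
            if proto == "telnet":
                findings.append(f"telnet enabled on {iface} from {addr} {mask}: cleartext management")
            if addr == "0.0.0.0" and mask == "0.0.0.0":
                findings.append(f"{proto} management open to any source on {iface}")
            elif iface.lower() == "outside":
                findings.append(f"{proto} management reachable from untrusted interface {iface}")

        if line.startswith("enable password"):
            enable_seen = True
            if DEFAULT_ENABLE_HASH in line:
                findings.append("enable password is still the factory default")

        m = ACL_ANY_RE.match(line)
        if m:
            findings.append(f"access-list {m.group(1)} permits ip any any")

        if current_gp:
            if line.startswith("split-tunnel-policy") and not line.endswith("tunnelall"):
                findings.append(f"group-policy {current_gp}: split tunneling enabled ({line.split()[-1]})")
            if line.startswith("vpn-filter value"):
                gp_has_filter[current_gp] = True

        if line.startswith("sfr ") and "monitor-only" in line:
            findings.append("FirePOWER service policy is monitor-only: the module sees traffic but cannot drop it")

    for gp, has_filter in gp_has_filter.items():
        if not has_filter:
            findings.append(f"group-policy {gp}: no vpn-filter, remote-access sessions get unrestricted post-connect access")
    if not enable_seen:
        findings.append("no enable password configured")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_ASA_CONFIG), ("hardened", HARDENED_ASA_CONFIG)):
        print(f"{name}: {len(audit_asa(cfg))} finding(s)")
        for finding in audit_asa(cfg):
            print("  -", finding)
```

A static check like this is a pre-flight, not the validation: it tells you what the config says, and the live test then confirms whether the box actually drops the traffic the config claims it will.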

Cross-Platform Policy Gaps

Organizations running multiple Cisco platforms often have policy inconsistencies between them. ASA allows traffic that Firepower should inspect. Meraki site-to-site VPN bypasses ASA entirely. ISE grants network access to devices that ASA policies should restrict. We test the entire Cisco stack as an integrated system to find these gaps.

Stealthwatch and Telemetry Blind Spots

Cisco Stealthwatch relies on NetFlow telemetry from network infrastructure. Switches and routers that do not export NetFlow, encrypted traffic that cannot be analyzed and cloud workloads outside the telemetry path create detection blind spots. We map your Stealthwatch coverage and identify network segments where threats go undetected.

Our Process

What We Test

Internal Attack Simulation

We deploy ShadowTap on your internal network, simulating an attacker who has bypassed the perimeter. This tests your entire Cisco stack: ASA internal policies, Firepower detection, Meraki segmentation and ISE enforcement. Your firewall protects the front door. We test the windows, the basement and the hallway.

Multi-Platform Integration Testing

Cisco environments are only as strong as their weakest integration point. We test traffic flows that cross platform boundaries: traffic that passes through ASA to Firepower, Meraki VPN traffic that reaches the data center, endpoints that authenticate through ISE and connect to resources behind ASA. Integration gaps are where attackers find their path.

Evasion and Lateral Movement

We test whether your Cisco stack detects encrypted tunnels, DNS exfiltration, VLAN hopping, protocol tunneling and lateral movement techniques. These tests validate whether your security platforms work as an integrated defense or as isolated products that attackers can bypass one at a time.
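Of the techniques listed above, DNS exfiltration is the one most often missed by a stack that inspects TCP but treats DNS as plumbing. Below is an added example of the detection logic a tester would compare the stack's verdict against; it is not Sherlock Forensics' code or part of any Cisco product. It groups queries per client and zone and flags zones that receive many distinct, long, high-entropy leftmost labels, which is the signature of data being chunked into subdomains. The log format (timestamp, client, query type, name) and the two-label zone split are assumptions for the example; the log lines are constructed, with client 10.20.5.14 as the exfiltration case.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed DNS query log, one query per line: "<timestamp> <client> <qtype> <qname>".
# The format is an assumption for this example; map your resolver or Umbrella export onto it.
SAMPLE_LOG = """\
2024-05-02T09:00:01Z 10.20.5.21 A www.example.com
2024-05-02T09:00:02Z 10.20.5.21 A mail.example.com
2024-05-02T09:00:03Z 10.20.5.21 A cdn.example.com
2024-05-02T09:00:04Z 10.20.5.21 A api.example.com
2024-05-02T09:00:05Z 10.20.5.21 A login.example.com
2024-05-02T09:00:06Z 10.20.5.14 A www.example.com
2024-05-02T09:00:07Z 10.20.5.14 TXT 4d6f5a1e9c2b7f3a8e1d0c9b6a5f4e3d.t.exfil-example.net
2024-05-02T09:00:08Z 10.20.5.14 TXT 0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e.t.exfil-example.net
2024-05-02T09:00:09Z 10.20.5.14 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.t.exfil-example.net
2024-05-02T09:00:10Z 10.20.5.14 TXT a1b2c3d4e5f60718293a4b5c6d7e8f90.t.exfil-example.net
2024-05-02T09:00:11Z 10.20.5.14 TXT 7f3e9a1c5b2d8e4f6a0c9b3d7e1f5a2c.t.exfil-example.net
2024-05-02T09:00:12Z 10.20.5.14 TXT c2a4e6f8b0d1f3a5c7e9b2d4f6a8c0e1.t.exfil-example.net
2024-05-02T09:00:13Z 10.20.5.14 TXT 5e7a9c1b3d5f7a9c1e3b5d7f9a1c3e5b.t.exfil-example.net
2024-05-02T09:00:14Z 10.20.5.14 TXT e4b8d2f6a0c3e7b1d5f9a2c6e0b4d8f2.t.exfil-example.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex tends toward 4.0, hostnames like 'www' toward 0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def analyze(log: str, min_unique: int = 5, min_len: int = 20, min_entropy: float = 3.0) -> list[dict]:
    """Flag (client, zone) pairs whose leftmost labels look like encoded data chunks."""
    stats = defaultdict(lambda: {"payloads": set(), "lengths": [], "entropies": [], "txt": 0, "total": 0})
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _, client, qtype, qname = m.groups()
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # nothing below the registrable zone to carry data
        zone = ".".join(labels[-2:])  # assumption: two-label zones; use a public-suffix list in production
        payload = labels[0]
        s = stats[(client, zone)]
        s["payloads"].add(payload)
        s["lengths"].append(len(payload))
        s["entropies"].append(shannon_entropy(payload))
        s["total"] += 1
        if qtype.upper() in ("TXT", "NULL"):
            s["txt"] += 1  # record types that carry large answers are a supporting signal

    findings = []
    for (client, zone), s in stats.items():
        mean_len = sum(s["lengths"]) / len(s["lengths"])
        mean_ent = sum(s["entropies"]) / len(s["entropies"])
        if len(s["payloads"]) >= min_unique and mean_len >= min_len and mean_ent >= min_entropy:
            findings.append({
                "client": client,
                "zone": zone,
                "unique_payloads": len(s["payloads"]),
                "mean_label_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                "txt_ratio": round(s["txt"] / s["total"], 2),
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The thresholds are deliberately conservative so that a client browsing many ordinary hostnames under one zone is not flagged; what separates tunnelled traffic is the combination of label length, entropy and volume of distinct names, not any one of them. Running the same constructed queries through the live stack and checking which ones Firepower, Umbrella or Stealthwatch reported is the validation step.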

Frequently Asked Questions

Cisco Validation FAQs

Can you test all our Cisco platforms in one engagement?
Yes. The Comprehensive Cisco Validation at $12,000 CAD covers ASA, Firepower, Meraki and ISE as an integrated stack. The Standard assessment at $5,000 CAD focuses on one or two platforms depending on your environment.
Our Firepower is deployed but we are not sure if it is in enforcement mode. Can you check?
This is one of the most common issues we find. Firepower in detection-only mode logs threats but does not block them. Our validation tests whether Firepower actively blocks malicious traffic or just watches it pass through.
We use Meraki for branch offices. Is it worth testing?
Absolutely. Meraki's cloud-managed simplicity comes with permissive defaults that many organizations never tighten. A single compromised branch can provide lateral access to your entire network through site-to-site VPN tunnels.
How do you test ISE posture compliance?
We connect devices with varying compliance states and test whether ISE correctly enforces posture policies. Many ISE deployments have enforcement set to monitor-only, meaning non-compliant devices get full network access.

Validate Your Investment

Four Cisco platforms. One question: do they actually stop attacks?

Standard Cisco Validation: $5,000 CAD. Comprehensive Validation covering ASA, Firepower, Meraki and ISE with ShadowTap internal testing: $12,000 CAD.

Purchase Validation

Ready to Test Your Cisco Stack?

Tell us about your Cisco deployment and we will scope a validation assessment. Free scoping call, fixed-price quote, testing typically completed within 5-10 business days.

Phone: 604.229.1994
Burnaby Office: Burnaby, BC, Canada
Coquitlam Office: Coquitlam, BC, Canada