Ernst & Young (EY) - Big 4 Cybersecurity Consulting

Analysis of EY’s cybersecurity practice and their 5th year comprehensive red team assessment approach.

Table of contents

  1. Overview
    1. Company Information
  2. Why EY for 5th Year Red Team?
    1. The “5th Year Assessment” Strategy
    2. Regulatory & Compliance Benefits
  3. EY Red Team Services
    1. Comprehensive Assessment Scope
    2. Team Composition
  4. Deliverables
    1. Executive Report
  5. Why Big 4 for Major Assessments?
    1. Advantages of EY/Big 4
    2. EY Unique Capabilities
  6. Pricing & Engagement Model
    1. Red Team Assessment Pricing
  7. Integration with Cursor Security
    1. Testing Cursor + Azure AI Foundry Stack
  8. Resources & Links
  9. Conclusion

Overview

Ernst & Young (EY) is one of the “Big Four” accounting and professional services firms with a substantial global cybersecurity practice. EY Cybersecurity provides strategic security consulting, red team assessments, compliance services, and C-suite advisory.

Company Information

   
Company Ernst & Young Global Limited
Founded 1989 (merger of Ernst & Whinney and Arthur Young)
Headquarters London, UK
Global Presence 700+ offices, 150 countries
Website https://www.ey.com/cybersecurity
Status Private partnership
Cybersecurity Practice 8,000+ security professionals globally
Notable Trusted advisor to F500 companies, regulators, boards

Why EY for 5th Year Red Team?

The “5th Year Assessment” Strategy

Regulatory & Governance Driver:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

Multi-Year Security Validation Strategy:

Years 1-4: Internal + Boutique Testing
├── Internal security team conducts quarterly tests
├── Black Hills InfoSec: Specialized technical pentests
├── Mandiant: On-demand IR and threat intelligence
└── Cost-effective, frequent testing

Year 5: Comprehensive External Red Team
├── Ernst & Young: Full-scope red team assessment
├── Multi-disciplinary team (technical + business)
├── Board-level reporting
└── Regulatory credibility

Why Year 5 Specifically?
✅ Insurance sector regulatory expectation
✅ Demonstrates due diligence to underwriters
✅ Board of Directors oversight requirement
✅ Cyber insurance policy requirement (some carriers)
✅ SOC 2 Type II enhancement
✅ Validates 4 years of security investments

Regulatory & Compliance Benefits

Why Big 4 for Critical Assessments:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

EY Brand Value:
├── Regulatory Credibility
│   ├── Insurance regulators know EY
│   ├── Auditors trust EY findings
│   ├── Board members comfortable with EY
│   └── Cyber insurers accept EY reports
│
├── Professional Standards
│   ├── ISO/IEC 17020 accredited
│   ├── CREST certified testers
│   ├── OSCE/OSCP certified team
│   └── Documented methodologies
│
├── Global Reach
│   ├── Test across multiple regions
│   ├── Compliance expertise worldwide
│   └── Coordinated global assessments
│
└── Comprehensive Scope
    ├── Technical testing
    ├── Physical security
    ├── Social engineering
    ├── Process review
    └── Executive strategy

Result: Report is "defensible" to regulators, auditors, board

EY Red Team Services

Comprehensive Assessment Scope

EY Red Team for Cursor Environment (8-12 weeks):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64

phase_1_reconnaissance: "Weeks 1-2"
activities:
  - osint_intelligence_gathering
  - employee_profiling (LinkedIn, social media)
  - technology_stack_identification
  - azure_resource_enumeration
  - third_party_relationship_mapping
  - supply_chain_analysis
  
deliverable: "Reconnaissance report"

phase_2_external_attack: "Weeks 3-4"
activities:
  - phishing_campaign (executive targets)
  - exploit_public_facing_apps
  - credential_stuffing_attempts
  - ssl_tls_attacks
  - dns_hijacking_attempts
  - email_compromise
  
deliverable: "External penetration report"

phase_3_internal_access: "Weeks 5-7"
activities:
  - lateral_movement
  - privilege_escalation
  - active_directory_attacks
  - azure_ad_compromise
  - key_vault_access_attempts
  - azure_openai_unauthorized_use
  
deliverable: "Internal pentest report"

phase_4_persistence_exfiltration: "Weeks 8-9"
activities:
  - establish_persistence
  - evade_detection (CrowdStrike, Chronicle)
  - data_exfiltration_simulation
  - c2_channel_setup
  - cover_tracks
  
deliverable: "Advanced threat simulation report"

phase_5_physical_social: "Weeks 10-11"
activities:
  - physical_security_assessment
  - badge_cloning_attempts
  - tailgating
  - dumpster_diving (with permission)
  - pretexting_helpdesk
  - impersonation
  
deliverable: "Physical & social engineering report"

phase_6_reporting: "Week 12"
activities:
  - technical_report_writing
  - executive_summary_creation
  - board_presentation_deck
  - remediation_roadmap
  - regulatory_compliance_mapping
  - c_suite_briefing
  
deliverable: "Comprehensive red team assessment report"

Team Composition

EY Red Team for Enterprise Assessment:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

Team Structure:
├── Engagement Partner (Partner-level)
│   └── Overall accountability, board presentations
│
├── Engagement Manager (Senior Manager)
│   └── Day-to-day management, client relationship
│
├── Technical Lead (Senior Consultant)
│   └── Technical direction, methodology
│
├── Senior Penetration Testers (3-4)
│   ├── Network security specialist
│   ├── Web application specialist
│   ├── Cloud security specialist (Azure focus)
│   └── Physical security specialist
│
├── Junior Testers (2-3)
│   └── Support, documentation, tool operation
│
├── Social Engineer (Specialist)
│   └── Phishing, pretexting, vishing
│
└── Report Writer (Consultant)
    └── Documentation, executive summaries

Total: 10-12 person team
Billable hours: 1,000-1,500 hours
Cost: $200K-350K

Deliverables

Executive Report

Board-Level Reporting:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66

# EY Red Team Assessment - Executive Summary

## Assessment Overview
- Engagement: 12 weeks
- Team: 11 EY professionals
- Scope: Complete Cursor + Azure AI Foundry environment
- Methodology: MITRE ATT&CK, OWASP, NIST

## Key Findings (Executive Level)

### Overall Security Posture: STRONG ⭐⭐⭐⭐ (4/5)

**Strengths**:
✅ Azure private endpoints effectively secured
✅ Key Vault RBAC properly configured
✅ CrowdStrike detected 95% of our actions
✅ Purview DLP blocked data exfiltration
✅ Incident response activated appropriately

**Critical Findings** (2):
1. API keys found in log files (REMEDIATED during assessment)
2. Weak Okta MFA on 5 admin accounts (REMEDIATED)

**High Findings** (7):
- Details in technical report

**Medium Findings** (15):
- Details in technical report

## Business Impact

**Risk Without Remediation**:
├── Critical findings: $10M potential impact
├── High findings: $2M potential impact
└── Total risk: $12M

**With Recommended Remediations**:
├── Cost to fix: $150K (labor)
├── Timeframe: 90 days
└── Residual risk: <$500K

**ROI**: 80x return on remediation investment

## Regulatory Implications

✅ Demonstrates due diligence to insurance regulators
✅ Satisfies cyber insurance requirements
✅ Supports SOC 2 Type II certification
✅ Validates security investments to board

## Recommendations

1. Implement all critical and high findings (90 days)
2. Continue Mandiant retainer (essential)
3. Increase frequency of internal testing
4. Enhance security awareness training
5. Consider next red team in 3 years (vs 5)

## Conclusion

Your security program is mature and effective. The identified gaps are addressable and typical for organizations of your size. EY recommends continued investment in security tooling and training.

---
**Prepared by**: Ernst & Young LLP Cybersecurity Practice
**Date**: October 2025
**Classification**: CONFIDENTIAL - Management Use Only

Why Big 4 for Major Assessments?

Advantages of EY/Big 4

vs. Boutique Firms (BHIS):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

Technical Quality:
├── EY: ⭐⭐⭐⭐ (very good, sometimes academic)
└── BHIS: ⭐⭐⭐⭐⭐ (excellent, practical)

Business Acumen:
├── EY: ⭐⭐⭐⭐⭐ (exceptional)
└── BHIS: ⭐⭐⭐ (good, limited resources)

Regulatory Credibility:
├── EY: ⭐⭐⭐⭐⭐ (gold standard)
└── BHIS: ⭐⭐⭐ (respected but not as established)

Board-Level Reporting:
├── EY: ⭐⭐⭐⭐⭐ (specialized in executive communication)
└── BHIS: ⭐⭐⭐ (technical focus)

Cost:
├── EY: $$$$$ ($200K-350K)
└── BHIS: $$ ($25K-75K)

Global Reach:
├── EY: ⭐⭐⭐⭐⭐ (700+ offices worldwide)
└── BHIS: ⭐ (US-focused, ~50 people)

When to Use Each:

  • BHIS: Quarterly technical pentests, security team training
  • EY: Annual/bi-annual comprehensive assessment, board reporting, regulatory requirements

EY Unique Capabilities

1. Multi-Disciplinary Teams:

1
2
3
4
5
6
7
8
9
10
11
12

EY Red Team:
├── Technical Specialists (hackers)
├── Risk Consultants (business analysts)
├── Compliance Experts (regulations)
├── Industry Specialists (insurance sector)
├── Legal Advisors (breach implications)
└── Executive Communication (board presentations)

BHIS Team:
└── Technical Specialists (hackers)

Difference: EY provides complete picture, not just technical findings

2. Industry-Specific Intelligence:

1
2
3
4
5
6
7
8

EY Insurance Sector Expertise:
├── Common attack patterns in insurance
├── Regulatory landscape (NAIC, state insurance depts)
├── Peer benchmarking (compare to other insurers)
├── Industry threat actors
└── Compliance frameworks (SOC 2, PCI-DSS for payments)

Value: Recommendations aligned with industry practices

3. Global Coordination:

1
2
3
4
5
6
7

Multi-Region Assessment:
├── US operations: EY Americas team
├── European subsidiaries: EY EMEA team
├── Asia-Pacific offices: EY APAC team
└── Coordinated global red team exercise

Benefit: Test cross-region security controls

Pricing & Engagement Model

Red Team Assessment Pricing

Comprehensive Engagement (12 weeks):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

EY Red Team Pricing Breakdown:
├── Engagement Partner: 40 hours × $800/hr = $32K
├── Manager: 200 hours × $450/hr = $90K
├── Senior Consultants (3): 600 hours × $300/hr = $180K
├── Consultants (4): 800 hours × $200/hr = $160K
├── Expenses: $15K
└── Total: $477K

Deliverables:
├── Technical report (100+ pages)
├── Executive summary (10 pages)
├── Board presentation (30 slides)
├── Remediation roadmap (timeline + costs)
├── Regulatory compliance mapping
├── Retest (after 90 days remediation)

Optional Add-Ons:
├── Remediation support: +$50K-100K
├── Security program assessment: +$75K-150K
├── Compliance consulting: +$40K-80K

Why So Expensive?:

  • Senior expertise (Partners, Directors, Senior Managers)
  • Comprehensive scope (technical + business + compliance)
  • Board-quality reporting
  • Global firm reputation
  • Insurance/regulatory requirements
  • Extensive documentation

ROI Justification:

1
2
3
4
5
6
7
8

Value Delivered:
├── Regulatory compliance: $500K+ (avoid fines)
├── Cyber insurance premium: -10% ($50K/year savings)
├── Board confidence: Priceless
├── Prevent one breach: $4M+
└── 5-year amortized cost: $95K/year

Result: Even at $477K, ROI is 10-40x

Integration with Cursor Security

Testing Cursor + Azure AI Foundry Stack

EY Red Team Approach:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

Objective: "Can sophisticated attacker misuse Azure AI resources?"

Attack Scenarios:
1. External Attacker
   ├── No inside knowledge
   ├── OSINT only
   ├── Goal: Unauthorized Azure OpenAI access
   └── Time: 6 weeks

2. Malicious Insider
   ├── Standard developer account
   ├── Goal: Exfiltrate API keys + customer data
   └── Time: 2 weeks

3. Supply Chain Compromise
   ├── Compromised npm package
   ├── Goal: Steal credentials from developer workstations
   └── Time: 4 weeks

4. Physical + Social Engineering
   ├── Tailgating, badge cloning
   ├── Phishing, vishing, pretexting
   ├── Goal: Obtain VPN access + credentials
   └── Time: 3 weeks

Success Criteria (for EY):
✅ Document every path to Azure OpenAI access
✅ Quantify business impact of each path
✅ Test detection effectiveness
✅ Validate incident response

Resources & Links

Conclusion

For Cursor Security Architecture:

Ernst & Young provides comprehensive, board-level red team assessments that satisfy regulatory requirements, demonstrate due diligence, and provide strategic security insights. Their 5th year engagement validates security investments and provides executive confidence.

Key Value Props:

  1. ✅ Regulatory credibility (insurance sector)
  2. ✅ Board-quality reporting
  3. ✅ Comprehensive scope (technical + business + physical)
  4. ✅ Global expertise and reach
  5. ✅ Demonstrates due diligence

Recommendation: Use for major milestone assessments (Year 5, pre-IPO, post-merger, regulatory requirement). Not for quarterly testing (too expensive).

Last Updated: October 10, 2025
Review Status: Executive Level