Asset selection in VESTA: the starting point for true cyber resilience

The VESTA Project is based on a clear premise: cybersecurity resilience stems from strategic decision-making, not mere evidence gathering. Amid evolving threats, NIS2 enforcement, and growing technological complexity, Tarlogic Security positions VESTA as a structured, European answer. Asset selection serves as the backbone of the project.

This approach sets priorities and transforms security exercises into sustainable improvements for critical organizations.

VESTA (adVanced pEntesting Services for proTection of essentiAl entities) is a European project promoted by Tarlogic and funded through CYSSDE’s Open Call 2 for Penetration Testing and Vulnerability Assessment.

Its objective is clear: to help essential entities, especially in the financial and energy sectors, become more resilient to increasingly complex threats in the NIS2 era.

To achieve this, the project provides 115 penetration testing and vulnerability assessment services for systems, applications, networks, cloud, web environments, and even emerging technologies such as artificial intelligence.

Testing begins with a strategic question: which assets should be analyzed first? The selection of assets in VESTA is central to this decision.

Choosing well matters (a lot)

Not all assets are equal. Not all of them support the business. Not all of them expose the same risk. That is why the project does not propose "analyzing everything", but rather promotes selecting assets in VESTA using a clear, repeatable methodology that is highly focused on real impact.

This approach results in decisions and actions that deliver measurable improvements.

The objective is to prioritize assets whose exploitation would most significantly impact business continuity, information security, or regulatory compliance, giving participants a clear view of actual risks.

Key criteria in asset selection

We take the following main criteria into account during vulnerability assessment tests:

Business criticality

This criterion assesses the potential impact of exploiting a vulnerability on the organization’s critical processes.

Some assets enable essential services, transactions, or processes; others do not.

Priority is given to assets whose issues could cause disruptions, financial losses, or legal consequences.

Level of exposure

We review whether assets are externally exposed, internally accessible, or require privileged access.

Externally exposed assets are vulnerable to broad attacks; internal or privileged assets may enable deeper compromises.

Assessing exposure tailors tests to each asset’s actual risk.

Type of technology

VESTA addresses web, mobile, network, traditional systems, cloud, and AI technologies.

Each presents specific attack vectors, configurations, and risks. Asset selection accounts for this technological diversity to ensure comprehensive coverage tailored to entities’ real environments, avoiding generic approaches that do not reflect their operational complexity.

Data sensitivity

Assets that handle sensitive information need to be prioritized.

Financial data, personal information, credentials, trade secrets, or strategic information significantly increases the risk of a security breach.

Within the VESTA framework, this criterion enables the identification of assets whose compromise could lead to high-impact incidents from a legal, regulatory, or privacy perspective.

Interdependencies with other systems

Assets often depend on each other; secondary systems may provide entry to critical systems.

Therefore, the relationships among systems, data flows, and integrations are analyzed to evaluate how exploiting one asset can have a cascading effect on the rest of the technological ecosystem.
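To make the cascading effect concrete, the sketch below ranks a small inventory twice: once treating each asset in isolation and once letting an asset inherit the impact of the systems it can reach. It is an added illustration, not VESTA's or Tarlogic's scoring model; the weights, the attenuation factor, the field names and the inventory are all assumptions, and technology type is left out of the score.

```python
from dataclasses import dataclass, field

# Assumed numbers throughout: the article names the criteria but gives no weights.
EXPOSURE = {"external": 1.0, "internal": 0.6, "privileged": 0.3}
INHERIT = 0.8  # assumed attenuation per hop towards a dependent system

@dataclass
class Asset:
    criticality: float   # business criticality, 0..1
    sensitivity: float   # data sensitivity, 0..1
    exposure: str        # key of EXPOSURE
    reaches: list = field(default_factory=list)  # systems reachable from this one

def own_impact(a):
    return 0.6 * a.criticality + 0.4 * a.sensitivity

def effective_impact(name, assets):
    """Own impact, or the attenuated impact of anything reachable (BFS, cycle-safe)."""
    best, seen, frontier, hops = own_impact(assets[name]), {name}, [name], 0
    while frontier:
        hops += 1
        nxt = []
        for n in frontier:
            for m in assets[n].reaches:
                if m not in seen:
                    seen.add(m)
                    nxt.append(m)
                    best = max(best, INHERIT ** hops * own_impact(assets[m]))
        frontier = nxt
    return best

def rank(assets, propagate=True):
    """Return (name, score) pairs, highest priority first."""
    rows = []
    for name, a in assets.items():
        impact = effective_impact(name, assets) if propagate else own_impact(a)
        rows.append((name, round(0.7 * impact + 0.3 * EXPOSURE[a.exposure], 3)))
    return sorted(rows, key=lambda r: -r[1])

# Constructed inventory, not taken from any real entity.
INVENTORY = {
    "core-banking":    Asset(1.0, 1.0, "privileged"),
    "customer-portal": Asset(0.7, 0.8, "external", ["api-gateway"]),
    "api-gateway":     Asset(0.6, 0.5, "internal", ["core-banking"]),
    "partner-sftp":    Asset(0.2, 0.2, "external", ["core-banking"]),
    "hr-wiki":         Asset(0.2, 0.3, "internal"),
}

if __name__ == "__main__":
    for label, flag in (("isolated", False), ("with interdependencies", True)):
        print(label, rank(INVENTORY, propagate=flag))
```

In this constructed inventory the low-value `partner-sftp` host moves from fourth place to first once its path to `core-banking` is counted, which is the secondary-system case the criterion describes.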

Much more than pentesting

In VESTA, asset selection is not just a technical step; it is a strategic commitment to securing critical resources.

It is a decision to protect what really matters, with tests aligned with reference frameworks such as MITRE ATT&CK, OWASP, NIST, or CIS Controls, but always grounded in each entity’s reality.

The systematic application of these criteria enables Tarlogic to design realistic test scenarios that yield practical results.

Resilience results from applying the right criteria, drawing on experience, and making informed choices from the outset. In VESTA, it begins with selecting high-impact assets so every analysis drives improvement and every recommendation strengthens security.