Artes Group strengthens security posture through red teaming with Toreon

Artes Group is a construction consortium that includes various sister companies covering all key domains, from civil engineering and hydraulic engineering to petrochemistry, buildings and restoration. The group prides itself on challenging construction assignments and unique construction sites, requiring both creativity and ingenuity. Its many realizations and yards include the famous Brussels Palace of Justice, the Oosterweel Link, landmark bridges, train stations and many more.

Heavily relying on IT to support its complex projects, Artes Group wanted an assessment to validate its investments in cyber security and identify any significant gaps in its security posture. Feeling that traditional security audits no longer shed enough light on their risks, the company chose to have its systems ethically tested and selected Toreon for a red team engagement.

IT as a backbone for a diverse construction group

Artes Group’s internal IT department supports all group entities and sister companies, respecting their unique needs and identities. From workstation provisioning and support for tender calculation to financial systems and technology for logistics coordination and yard collaboration, the IT team is responsible for a wide range of services.

Bjorn Lagace, IT manager at Artes Group: “Each construction yard is like a small company… sometimes up to more than 100 people need to work together seamlessly on one project. And it’s our job to provide and support technology that enables them to do their job.”

Despite being a relatively small team, the IT department led by Bjorn combines system engineering, application expertise, and service desk operations. The team is forward-looking, investing in training and exploring the practical use of modern technology like AI to improve business effectiveness. Their work over the past years has significantly strengthened the company’s IT foundation.

From best-practice security to resilience testing

After years of building and refining their IT landscape, Artes Group reached a point where deeper insights were needed to steer their long-term cybersecurity roadmap. Traditional audits had helped but felt incomplete. “Although you learn from audits, you’re left with the feeling that they’ve overlooked something. That’s why we decided to put ourselves really to the test by having ourselves ethically hacked,” Bjorn Lagace explained.

Artes Group wanted to simulate realistic attack scenarios that would challenge both their cloud and on-premise environments. The goal: identify blind spots, validate strengths, and gain tangible input for strategic planning. In short, they wanted to measure their resilience, not just check compliance boxes.

A red teaming partner offering expertise, transparency and cultural fit

Artes Group approached several specialized companies to propose this red team engagement, leading to a shortlist of three. The final choice fell on Toreon, which ultimately stood out because of their transparent communication, demonstrated expertise, well-substantiated and correctly priced proposal, and a detailed explanation of the work they would perform.

Bjorn Lagace: “The maturity of Toreon’s consultants played a decisive role. Their professionalism convinced us we had found the right partner. Toreon’s approach resonated with our own mindset: ambitious, practical, and grounded. This cultural fit helped guide our choice.”

Purpose-built testing backed by structured, transparent communication

Toreon kicked off the assignment by thoroughly reviewing Artes Group’s environment and tailoring the test scenarios accordingly. They focused efforts only where meaningful improvements could be uncovered, adjusting the scope based on Artes Group’s infrastructure and business realities.

Communication and planning proved to be key strengths in the approach. Every step was prepared, communicated, and executed with discipline while remaining flexible to Artes Group’s availability. Agreements were clear, timelines were respected, and expectations were consistently managed.

All findings were documented in reports that were both detailed and accessible. Toreon explained how each incident was discovered, why it mattered, and how it could be remediated. During follow-up sessions, Toreon consultants explored the reports in depth. “This transparent dialogue contributed strongly to a positive collaboration and outcome,” Bjorn Lagace clarified.

Actionable results with rapid follow-through

Toreon’s method categorizes incidents and risks based on severity. Artes Group and Toreon agreed in advance that any critical incident would trigger immediate contact. During the exercise, two critical findings were uncovered in connection with one of Artes Group’s external partners. These were escalated right away and swiftly resolved; Artes Group acknowledges that these issues would have been difficult to detect on its own. Beyond the few critical issues, all other observations were neatly categorized, documented, and explained.

Strategic value through insight, planning and partner alignment

The ethical hacking exercise yielded a level of visibility far exceeding that of traditional audits. It provided Artes Group with a facts-based foundation to refine both short- and long-term security plans. It also surfaced lessons about supplier management. With some incidents tied to partners, Artes Group initiated constructive conversations with two of them, supported by the documentation Toreon had provided. “The exercise helped us engage in dialogue with our partners and support them. If a supplier has a problem, we also have a problem,” Bjorn Lagace added.

Ethical hacking as an essential complement to traditional audits

For Artes Group, the red teaming engagement led by Toreon demonstrated the tangible value of testing, not just implementing, security measures. It reinforced the idea that resilience requires putting systems, processes, and people to the test.

As Bjorn Lagace put it: “To measure is to know. You can only be sure by testing, and what better way to do that than through ethical hacking? A cybersecurity audit alone is not waterproof. Therefore, I advise every company to do a red teaming exercise at some point.”

By deliberately allowing themselves to be attacked under controlled conditions, Artes Group achieved a realistic assessment of their readiness and gained insights that traditional audits could not provide. The collaboration with Toreon resulted in improved plans, better partner engagement, and a stronger overall security posture.
