Universidade do Porto is a leading institution in higher education and research. Its digital footprint reflects that scale: web applications, software systems, data repositories, and the unavoidable shadow IT that accompanies a federation of faculties, labs, and student services. Huge. Dynamic. Exposed.

José Augusto Silva, Head of InfoSec at U.Porto, leads the team responsible for keeping all of it safe.

The three gaps José needed to close

Visibility. New assets, misconfigurations, and unauthorised access points kept appearing across the academic landscape. Mapping the surface manually wasn't sustainable.

Validation. The threats ranged from opportunistic script kiddies to state-aligned hacktivists and financially motivated cybercriminals. Knowing that vulnerabilities existed was easy. Knowing which ones an actual attacker could exploit: that was the hard part.

Velocity. A black-box pentest once a year couldn't keep up with an environment that evolved week by week.

See, test, act, at university scale

U.Porto deployed Ethiack's platform to bring the entire external attack surface under continuous, AI-powered pentesting. Hackian, our agentic AI pentester, runs against U.Porto's exposure 24/7, validating which findings are exploitable and prioritising them by real risk, not severity score.

Inside seven months, José's team brought 1,000 critical assets under continuous testing within a broader landscape of 5,000, with prioritised, validated findings flowing into the InfoSec team's daily workflow.

The shift was structural. U.Porto stopped consuming snapshots and started running an offensive security programme that compounds.

Want to see what's exploitable across your own attack surface? Start a 30-day trial →