With over 1,000 employees, 27 sites across France, and critical platforms used by the French government, the Bureau de Recherches Géologiques et Minières (BRGM) plays a central role in public geoscience.
Its strategic digital services — risk mapping, groundwater monitoring, and geological data management — require a high level of security and regulatory compliance.
By adopting a multi-operation approach combining Pentest-as-a-Service (PtaaS) and Bug Bounty through the Yogosha platform, BRGM was able to certify its critical applications, detect vulnerabilities not found in traditional audits, and strengthen collaboration between internal teams and external security experts.
In total, 116 vulnerabilities were identified, including 9 critical ones.
The Challenge: Certifying and Protecting Critical Applications in a Regulated Environment
BRGM manages critical applications related to soil analysis, groundwater monitoring, and geohazard data. These applications require maximum security, but one-off pentests could not continuously cover the full attack surface.
The main challenge was to ensure regulatory compliance for these applications through a structured software accreditation process, as required by state authorities.
Each application had to be validated according to its sensitivity level, with clear deliverables, documented tests, and proof of robustness against risks.
« Our priority was to implement a process to certify all applications, especially those connected to government services. »
— Julien Delaruelle, Deputy CISO, BRGM
BRGM faced several constraints:
- A growing number of applications to audit
- Varying levels of criticality requiring tailored approaches
- The need for usable deliverables for certification, without overloading internal teams
- Strong requirements for traceability, reversibility, and transparency
Traditional pentests could not fully address these needs — particularly in terms of frequency, depth, and the ability to engage technical teams in a continuous improvement process.
The Solution: A Multi-Operation Security Strategy with Yogosha
To meet this challenge, BRGM deployed a tiered security strategy aligned with each application’s sensitivity level — combining Pentest-as-a-Service and private Bug Bounty.
This dual approach ensures both on-demand testing and continuous assessment, with structured deliverables that meet certification requirements.
1. Pentest-as-a-Service for Standard Applications
With Yogosha’s PtaaS, BRGM can:
- Launch tests in under 48 hours
- Monitor campaigns in real time via the Yogosha platform
- Deliver structured reports to certification bodies
- Maintain a test frequency aligned with project cycles
« PtaaS allows us to certify applications with a solid level of assurance, without overloading our teams. »
— Julien Delaruelle, Deputy CISO, BRGM
2. Bug Bounty for Critical Applications
For exposed or highly strategic services, BRGM uses a private Bug Bounty program to engage a large community of skilled researchers able to:
- Identify critical vulnerabilities 24/7
- Cover an evolving attack surface
- Go deeper than traditional audits
« The researchers go all the way with each operation. They find vulnerabilities that traditional audits simply don’t uncover. »
— Julien Delaruelle, Deputy CISO, BRGM
The Results: Stronger Resilience and Engaged Teams
Thanks to this approach:
- 116 vulnerabilities were detected, including 9 critical ones
- Technical teams received clear, actionable reports
- Collaboration with the researcher community became a driver for internal skill development
- Communication between teams and researchers became constructive
- The overall security posture of critical applications was significantly strengthened
« When a technical team acknowledges that a researcher found something they hadn’t thought of — that’s when you truly see the value of this approach. »
— Julien Delaruelle, Deputy CISO, BRGM
Secure Your Critical Applications with Yogosha
BRGM’s experience demonstrates that a multi-operation strategy is a powerful way to combine compliance, continuous security, and resource optimization.
Whether you’re a public organization or a regulated entity, this model allows you to test your systems on demand and continuously, without slowing down your teams.
It’s the most effective way to uncover elusive vulnerabilities that traditional testing misses.
Contact us to assess your attack surface and design a customized testing program for your organization.