Education

Everything is 1337! Everyone hacks everything with no sweat, all networks are taken down by cyber magic… or maybe not.

Let’s look at some business realities, shall we?

| Scenario | Misconception/Myth | Likely Reality | Likelihood of getting root/admin |
| --- | --- | --- | --- |
| Black Box External Infrastructure Penetration Test | The testing team will gain root access and gain corporate network access. | If this was the case, threat actors would already be in your network, and you would be having an incident right now! You are likely to gain a greater understanding of sensitive information disclosure through OSINT (including breached credentials etc.), discover assets you weren’t aware of, and find misconfigurations and unpatched software vulnerabilities. | None/Low |
| External Web Application Test | The testing team will bypass authentication, shell your web application, and gain SYSTEM/root access. | Quality issues, misconfigurations, debug logging, weak headers, poor TLS, and a range of vulnerabilities may be found. In the very rare scenario where shell access is obtained the test will likely be stopped (if it’s a production site). | None/Low |
| Black Box API Test where no documentation is provided to the tester | A tester will be able to work out how to use the API with zero documentation, will understand the business logic and will be able to find weaknesses. | You have picked the least effective, efficient, and suitable method for testing APIs and controls. | None/Low |
| Internal Network Penetration Test | From any network position you can get access to everything! | If you haven’t made any defensive investments and the testers are deployed into a subnet/VLAN with end-user devices, the tester will likely get to domain admin within a few hours. If you are testing via a VPN the effectiveness may vary dramatically. | High |
| Two-week “Red Team” | Development of 0-days, exploiting business logic flaws, guaranteed access by phishing and bypassing all controls like cyber ninjas! | Get physical access, install an implant, conduct an internal penetration test, or use a fast-forward to assume breach. | High |
| Reporting | A tester with 2 days will not only be able to run every test under the sun, they will also be able to write a report that is worthy of a place inside the Tate behind defended glass. | You will get a vuln scan and you will get high-level generic guidance. | N/A |

Summary

This isn’t tongue in cheek. This is what I see in the community and in my experience working with organisations.

Broadly, there are major issues in the penetration testing space, such as:

  • Organisations/People not understanding what a pentest is
  • Organisations choosing black box over white box for no logical reason
  • Organisations demanding testing in unrealistic timeframes
  • Organisations not doing the groundwork
  • Treating it as “a test” – it’s not, it’s testing the controls!
  • Organisations setting scopes that are either way too narrow or way too broad

I’ve written before about pen testing:

https://www.pwndefend.com/2021/02/12/understanding-penetration-testing-scopes/

https://www.pwndefend.com/2021/08/17/penetration-testing/

I don’t think this topic is going away anytime soon. When thinking about security investments, I would advise people to realise there are far more options than black box penetration tests. Consider design reviews, security modelling, data flow modelling, risk modelling, control testing, monitoring, and response testing, etc. The pen test is a tool, but it’s often misunderstood and often deployed incorrectly.