Penetration testing (pen-testing) is often still seen as the way to gather feedback on your organization’s security and determine what’s working and what’s not. However, security teams, especially the defensive side, often don’t take the limitations put on pen-testing into account.
In this chapter, I explain my take on attack simulations versus pen-testing and how to run attack simulations that better reflect the realities of the attacks we all face.
Pen-testing is sometimes perceived as simulating an attack, but they’re not the same. Whereas pen-testing is most often used to enumerate a list of vulnerabilities, attack simulations focus on providing insights into an attacker’s decision-making process as they move through your environment.
With pen-testing, you typically get a big list of vulnerabilities in a report, and most security teams face the reality that the high-priority issues will get fixed but the rest will be ignored. Having been a pen-tester for six years, I know that the data you get from pen-testing is incredibly useful. You learn about a number of issues that are useful to address and where your patching policies might not be functioning as intended.
However, a pen-test typically doesn’t connect the dots the way the name suggests. For example, it won’t tell you how attackers will actually operate against you. A better term for pen-testing ...