Building a Modern Security Program by Rebecca Huehls, Zane Lackey

Chapter 5. Obtaining Better Feedback by Shifting from Penetration Testing to Attack Simulations

Penetration testing (pen-testing) is often still seen as the way to gather feedback on your organization’s security and to determine what’s working and what’s not. However, security teams, especially on the defensive side, often don’t take into account the limitations placed on pen-testing.

In this chapter, I explain my take on attack simulations versus pen-testing and how to run attack simulations that better reflect the realities of the attacks we all face.

Attack Simulations versus Pen-Testing

Pen-testing is sometimes perceived as simulating an attack, but the two are not the same. Whereas pen-testing is most often used to enumerate a list of vulnerabilities, attack simulations focus on providing insight into an attacker’s decision-making process as they move through your environment.

With pen-testing, you typically get a big list of vulnerabilities in a report, and most security teams face the reality that the high-priority issues will get fixed but the rest will be ignored. Having been a pen-tester for six years, I know that the data you get from pen-testing is incredibly useful. You learn about a number of issues that are useful to address and where your patching policies might not be functioning as intended.

However, a pen-test typically doesn’t connect the dots the way the name suggests. For example, it won’t tell you how attackers will actually operate against you. A better term for pen-testing ...