10 Do You Have a M.A.P.P.?

I'm a very big believer in controlling what you can, forgetting what you can't, and not wasting mental energy on things that don't deserve it.

—JOSH CITRON

I feel a book that is focused on creating professional social engineers would not really be complete without this chapter. You can blend all the attacks, the psychology, the physiology, and the report-writing to achieve something, but without a M.A.P.P., a giant piece of the puzzle is missing. What is a M.A.P.P.? It stands for Mitigation and Prevention Plan.

Why do you need a mitigation and prevention plan? How do you help your company or your clients develop one? What can you mitigate and plan about social engineering attacks? I answer these questions in this chapter.

When I started gaining momentum with my clients, I realized something important. My goal needed to be something really odd: to be so good that I would eventually work myself out of a job. Yeah, you read that right. I needed to help my clients learn how to defend against SE attacks to the point that they eventually would not need me.

You know those pentesting companies that advertise that they always have a 100% success ratio? Well, how demoralizing is it for a customer to be writing you the check knowing they will never get better, or that no matter how good they get, the social engineer will still always win? The message in that is that there's no hope. Nothing they do will ever block all the holes in their security. Eventually you ...
