Training & Certification
Request a Proposal
User Behavior Analytics
By Compliance Requirement
Find a Partner
About Our Research
Meet the Team
National Exposure Index
Quarterly Threat Report
Under the Hoodie
Events & Webcasts
Training & Certification
IT & Security Fundamentals
News & Press Releases
Back rooms. Black metal. Two shadowy figures furiously hacking away on the same keyboard at the same time. Thanks to its seemingly sinister objective – breaking into enterprise networks – penetration testing is often considered a dark art. But people just need to get to know it better.
We first launched “Under the Hoodie” in 2017 to demystify the practice of penetration testing by surveying those in the field on what they see during client engagements—all to determine countermeasures you can take to best detect and prevent the truly sinister folks from breaching your network. We’ve renewed this approach in 2018 to continue providing visibility into this often occult niche of information security.
To dive into this year's findings, read the executive summary and the full report, watch the on-demand webcast, and check out the pen tester video testimonials below. To see a visual overview of our research, view our infographic.
Hear what Rapid7 experts had to say on our key findings and what they mean for your organization.
This paper presents the results of 268 engagements (251 of which involved live, production network tests), conducted from early September of 2017 through mid-June of 2018. Fifty-nine percent of all penetration tests performed in the survey period were externally based, where the targets tend to be internet-facing vectors such as web applications, email phishing, cloud-hosted assets, and/or VPN exposure. External penetration tests make sense for most organizations, given the preponderance of internet-based attackers. However, we always advocate for a penetration test that includes an internal component in order to understand the impact of a compromise and to quantify the gaps in an organization’s defense-in depth strategy.
The three broad categories of compromise Rapid7 penetration testers pursue are software vulnerabilities, network misconfigurations, and network credentials. We found:
Read "Under the Hoodie: 2018, Lessons From a Season of Penetration Testing" for more of our research findings and to hear first-hand stories from our pen testers.
Each year, Rapid7 pen testers complete hundreds of internally and externally based assessments. We've collected just a few stories to give you some true insight into what goes on beneath the hoodie.
This real-life story of social engineering owes its success to holes—some figurative, and some big enough to walk through. Find out how our makeshift MacGyver bypassed a bank’s security checkpoints to make a devious deposit that helped him hack from the parking lot.
Our latest Under the Hoodie research shows that pen testers captured credentials in 53% of all engagements and 86% of internal engagements. Rapid7 InsightIDR leverages advanced user and attacker behavior analytics to detect intruders earlier in the attack chain so you can respond before critical data is compromised.
In the 250+ engagements for Under the Hoodie: 2018, Rapid7 penetration testers were able to exploit at least one in-production vulnerability in 96% of all internally-based pen tests. Rapid7 InsightVM leverages analytics and endpoint technology to discover vulnerabilities in real time and prioritize them using more than just CVSS.