Back rooms. Black metal. Two shadowy figures furiously hacking away on the same keyboard at the same time. Thanks to its seemingly sinister objective – breaking into enterprise networks – penetration testing is often considered a dark art. But people just need to get to know it better.
We first launched “Under the Hoodie” in 2017 to demystify the practice of penetration testing by surveying those in the field on what they see during client engagements—all to determine countermeasures you can take to best detect and prevent the truly sinister folks from breaching your network. We’ve renewed this approach in 2018 to continue providing visibility into this often occult niche of information security.
To dive into this year's findings, read the executive summary and the full report, watch the on-demand webcast, and check out the pen tester video testimonials below. To see a visual overview of our research, view our infographic.
This paper presents the results of 268 engagements (251 of which involved live, production network tests), conducted from early September of 2017 through mid-June of 2018. Fifty-nine percent of all penetration tests performed in the survey period were externally based, where the targets tend to be internet-facing vectors such as web applications, email phishing, cloud-hosted assets, and/or VPN exposure. External penetration tests make sense for most organizations, given the preponderance of internet-based attackers. However, we always advocate for a penetration test that includes an internal component in order to understand the impact of a compromise and to quantify the gaps in an organization’s defense-in-depth strategy.
The three broad categories of compromise Rapid7 penetration testers pursue are software vulnerabilities, network misconfigurations, and network credentials. We found:
Read "Under the Hoodie: 2018, Lessons From a Season of Penetration Testing" for more of our research findings and to hear first-hand stories from our pen testers.
Each year, Rapid7 pen testers complete hundreds of internally and externally based assessments. We've collected just a few stories to give you some true insight into what goes on beneath the hoodie.