Under the Hoodie: 2018

Lessons from a Season of Penetration Testing


Back rooms. Black metal. Two shadowy figures furiously hacking away on the same keyboard at the same time. Thanks to its seemingly sinister objective – breaking into enterprise networks – penetration testing is often considered a dark art. But people just need to get to know it better.

We first launched “Under the Hoodie” in 2017 to demystify the practice of penetration testing by surveying those in the field on what they see during client engagements—all to determine countermeasures you can take to best detect and prevent the truly sinister folks from breaching your network. We’ve renewed this approach in 2018 to continue providing visibility into this often occult niche of information security.

To dive into this year's findings, read the executive summary and the full report, watch the on-demand webcast, and check out the pen tester video testimonials below. For a visual overview of our research, view our infographic.

On-Demand Webcast

Hear what Rapid7 experts had to say on our key findings and what they mean for your organization.


Executive Summary

This paper presents the results of 268 engagements (251 of which involved live, production network tests), conducted from early September of 2017 through mid-June of 2018. Fifty-nine percent of all penetration tests performed in the survey period were externally based, where the targets tend to be internet-facing vectors such as web applications, email phishing, cloud-hosted assets, and/or VPN exposure. External penetration tests make sense for most organizations, given the preponderance of internet-based attackers. However, we always advocate for a penetration test that includes an internal component in order to understand the impact of a compromise and to quantify the gaps in an organization’s defense-in-depth strategy.

The three broad categories of compromise Rapid7 penetration testers pursue are software vulnerabilities, network misconfigurations, and network credentials. We found:

  • Overall, Rapid7 penetration testers were able to exploit at least one in-production vulnerability in 84% of all engagements. That figure rises to 96% of all internally-based penetration tests.
  • In a similar vein, penetration testers were able to abuse at least one network misconfiguration at a slightly lower rate of 80%, but among internal assessments, a misconfiguration was leveraged in the investigator’s favor 96% of the time.
  • Finally, at least one credential was captured in 53% of all engagements, and 86% of the time when looking purely at internal engagements.

Read "Under the Hoodie: 2018, Lessons From a Season of Penetration Testing" for more of our research findings and to hear first-hand stories from our pen testers.


Under the Hoodie Videos: True Stories from Rapid7 Pen Testers

Each year, Rapid7 pen testers complete hundreds of internally and externally based assessments. We've collected just a few stories to give you some true insight into what goes on beneath the hoodie.

The Bank Job

This real-life story of social engineering owes its success to holes—some figurative, and some big enough to walk through. Find out how our makeshift MacGyver bypassed a bank’s security checkpoints to make a devious deposit that helped him hack from the parking lot.

  • The Bank Job
  • Remote Control
  • One Man’s Junk Is Another Man’s Treasure
  • You Had Me Before Hello
  • Hack Thy Neighbor
  • Picked Off on the Kickoff
  • Pwned You Twice