Under the Hoodie

Hoodies off. Shoes on. Step into the attacker mindset. And learn how to turn weaknesses into super strengths–with concrete data, actionable findings, and a few not-so-secret anecdotes.


Real stories that help you securely advance.

Sometimes, you get the hard stuff right, like reliable intrusion detection. And sometimes, you miss the little things, like leaving your laptop in an unlocked car. Things like that happen (like, that really happened). Misconfigurations, missing controls, human error: with an ever-growing attack surface, you need to be confident in your security posture. Or you can hire a team to break into your network and put your defenses to the test.

Since June 2019, our pen testers have performed 206 engagements. That’s 206 opportunities to study the art of pen testing. Or 206 real stories for us to animate into videos.

Grab some popcorn. We’re retelling a few of our favorite escapades.

Playing Social Security Slots
Thanks for Sharing Your Wi-Fi
Ain't No Fence High Enough
I Know...Everything.

Research to empower your tomorrow.

Pen testing reports are usually kept secret, for obvious reasons. But that makes it really hard to get a sense of the vulnerabilities, misconfigurations, and tactics that lead to compromise.

That’s where we come in. Research is core to what we do: exploring the nuts and bolts of pen testing, collecting and analyzing data, and discovering key trends. And making it all available to you, so you can prioritize what to investigate and remediate before your next penetration test.

Here are some of the key findings:

  • Internal network configuration and patch management continue to provide easy soft targets to penetration testers, who can often use off-the-shelf, commodity attacks to escalate privileges and move laterally around the network, undetected.
  • Password management and secondary controls at the enterprise level, like two-factor authentication (2FA), are severely lacking, leading to easy compromises through both password spraying and offline cracking of hashed passwords acquired during simulated breaches.
  • More than ever, people depend on VPNs and internet-based applications rather than on-site and traditionally internal network controls. Meanwhile, penetration testers are finding significant flaws in those VPN terminators and custom webapps.

If you haven’t had a chance to peruse previous years’ reports, check out Under the Hoodie 2017, 2018, and 2019.


This one time, on a pen test…

Our professional pentesters participate in an ongoing series of blog posts in which they describe what goes on “beneath the hoodie.” These are their stories.

This One Time on a Pen Test: Doing Well With XML
Each year, Rapid7 penetration testers complete hundreds of internally and externally based penetration testing service engagements. This post is part of an ongoing series featuring testimonials of what goes on beneath the hoodie. For more insights, check out our 2020 Under the Hoodie report.
Tommy Dew
Oct 07, 2020
This One Time on a Pen Test: I Know...Everything
Each year, Rapid7 penetration testers complete hundreds of internally and externally based penetration testing service engagements. This post is part of an ongoing series featuring testimonials of what goes on beneath the hoodie. For more insights, check out our 2020 Under the Hoodie report.
Shane Young
Oct 02, 2020
This One Time on a Pen Test: Ain’t No Fence High Enough
Each year, Rapid7 penetration testers complete hundreds of internally and externally based penetration testing service engagements. This post is part of an ongoing series featuring testimonials of what goes on beneath the hoodie. For more insights, check out our 2020 Under the Hoodie report.
Leon Johnson
Sep 23, 2020

Pinpoint your problem areas with the pros.

With Rapid7 penetration testing services, you get a real-world view of how attackers could exploit your vulnerabilities, and guidance on how to stop them. Implementing strong detection and response tools, like our cloud SIEM InsightIDR, is also a good place to start.

There's even more to know.

Rapid7 openly shares our security research to foster collaboration and raise awareness around issues affecting the cybersecurity community. Just look at our 2020 National / Industry / Cloud Exposure Report. It’s a comprehensive census of internet-based cyber-exposure that helps answer the deceptively simple question, “Just how exposed is the internet today?”