Under the Hoodie

Hoodies off. Shoes on. Step into the attacker mindset. And learn how to turn weaknesses into super strengths, with concrete data, actionable findings, and a few not-so-secret anecdotes.


Real stories that help you securely advance.

Sometimes, you get the hard stuff right, like reliable intrusion detection. And sometimes, you miss the little things, like leaving your laptop in an unlocked car. Things like that happen (like, that really happened). Misconfigurations, missing controls, human error: the ever-growing attack surface means you need to be confident in your security posture. Or you can hire a team to break into your network to put your defenses to the test.

Since June 2019, our pen testers have performed 206 engagements. That’s 206 opportunities to study the art of pen testing. Or 206 real stories for us to animate into videos.

Grab some popcorn. We’re retelling a few of our favorite escapades.

Playing Social Security Slots
Thanks for Sharing Your Wi-Fi
Ain't No Fence High Enough
I Know...Everything.

Research to empower your tomorrow.

Pen testing reports are usually kept secret, for obvious reasons. But that makes it really hard to get a sense of the vulnerabilities, misconfigurations, and tactics that lead to compromise.

That’s where we come in. Research is core to what we do: exploring the nuts and bolts of pen testing, collecting and analyzing data, and discovering key trends. And making it all available to you, so you can prioritize the things you investigate and remediate before your next penetration test.

Here are some of the key findings:

  • Internal network configuration and patch management continue to provide easy soft targets to penetration testers, who can often use off-the-shelf, commodity attacks to escalate privileges and move laterally around the network, undetected.
  • Password management and secondary controls at the enterprise level, like two-factor authentication (2FA), are severely lacking, leading to easy compromises involving both password spraying and offline cracking of hashed passwords acquired during simulated breaches.
  • More than ever, people depend on VPNs and internet-based applications rather than on-site and traditionally internal network controls. Meanwhile, penetration testers are finding significant flaws in those VPN terminators and custom web apps.

If you haven’t had a chance to peruse previous years’ reports, check out Under the Hoodie 2017, 2018, and 2019.


This one time, on a pen test…

Our professional pentesters participate in an ongoing series of blog posts in which they describe what goes on “beneath the hoodie.” These are their stories.

This One Time on a Pen Test: I’m Calling My Lawyer!
Each year, Rapid7 penetration testers complete hundreds of internally and externally based penetration testing service engagements. This post is part of an ongoing series featuring testimonials of what goes on beneath the hoodie. For more insights, check out our 2020 Under the Hoodie report. As part...
Jonathan Stines
Sep 09, 2020
This One Time on a Pen Test: Playing Social Security Slots
Each year, Rapid7 penetration testers complete hundreds of internally and externally based penetration testing service engagements. This post is part of an ongoing series featuring testimonials of what goes on beneath the hoodie. For more insights, check out our 2020 Under the Hoodie report. ...
Eric Mortaro
Sep 02, 2020
Ask a Pen Tester, Part 2: A Q&A With Rapid7 Pen Testers Gisela Hinojosa and Carlota Bindner
This blog post is part two of a two-part series. For more insights from Gisela and Carlota, check out part one here! Rapid7 pen testers Gisela Hinojosa and Carlota Bindner are back, ready to answer another rousing round of questions from our customers about the mysterious art of penetration testing....
Bri Hand
Sep 01, 2020

Pinpoint your problem areas with the pros.

With Rapid7 penetration testing services, you get a real-world view of how attackers could exploit your vulnerabilities, and guidance on how to stop them. Implementing strong detection and response tools, like our cloud SIEM InsightIDR, is also a good place to start.

There's even more to know.

Rapid7 openly shares our security research to foster collaboration and raise awareness around issues affecting the cybersecurity community. Just look at our 2020 National / Industry / Cloud Exposure Report. It’s a comprehensive census of internet-based cyber-exposure that helps answer the deceptively simple question, “Just how exposed is the internet today?”