Published: October 15, 2025

When should you NOT do a pen test? Sounds weird from a pentester, I know lol… but if you want real value, thinking about that question matters... I see pentesting as the "final exam." 🧵 It's something you should study for. Hear me out...

Before a pentest, get the basics right...
- Asset inventory, who owns what
- Patch management that actually patches
- Vulnerability scanning that runs, reports, and gets acted on

If you do not have bandwidth to remediate, you are about to buy an expensive PDF. Plan time and

Not ready for a pentest but want to do something?
- GRC-based assessments like: NIST, PCI, HIPAA, CIS, etc.
- Vulnerability assessments (internal and/or external)
- Targeted reviews, segmentation testing, endpoint evaluation, M365/Entra cloud config assessment

Compliance can be

Common external pentest blockers:
- Unknown public footprint
- Out-of-date sites/services you did not know you owned
- No clear owner to patch WordPress, VPN, or edge devices, etc.

Fix those first, then do the pentest.

For internal pentests, do this first:
- Audit AD permissions, especially Tier 0
- Eliminate local admin on workstations
- Search file shares and SharePoint for creds and juicy data

These three issues are why we get DA by 9 a.m. on Monday...
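Added example, not part of the original thread: a PowerShell self-check an IT team can run before the internal pentest to see how it stands on those three items. It assumes the ActiveDirectory RSAT module is installed, that it runs as a domain user with read access to AD and the share, and the share path `\\fileserver\Shared` and the `adm-` account naming convention are placeholders for this example.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory RSAT module,
# read access to AD and the share, and placeholders: $SharePath and the 'adm-' naming rule.
Import-Module ActiveDirectory

function Get-Tier0Report {
    # Expand the Tier 0 groups recursively so nested group membership is not missed,
    # and surface the properties a pentester looks at first.
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'))

    foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, PasswordLastSet, ServicePrincipalName
                [pscustomobject]@{
                    Group        = $g
                    Account      = $u.SamAccountName
                    Enabled      = $u.Enabled
                    LastLogon    = $u.LastLogonDate
                    PwdAgeDays   = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet).Days } else { $null }
                    HasSPN       = ($u.ServicePrincipalName.Count -gt 0)  # Tier 0 account with an SPN is kerberoastable
                    DedicatedAdm = ($u.SamAccountName -like 'adm-*')      # assumed naming convention for admin accounts
                }
            }
    }
}

function Get-LocalAdminReport {
    # Members of the local Administrators group on this machine. Fan this out with
    # Invoke-Command -ComputerName against your workstation list to audit the fleet.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{n = 'Computer'; e = { $env:COMPUTERNAME }}, Name, ObjectClass, PrincipalSource
}

function Find-ShareCredentials {
    # Look for plaintext credentials and credential-bearing files on a share, the same
    # thing a tester does on day one, before the tester does it.
    param(
        [Parameter(Mandatory)][string]$SharePath,
        [string]$Pattern = '(?i)(password|passwd|pwd|secret|api[_-]?key|connectionstring)\s*[:=]\s*\S+'
    )
    $textTypes  = '*.txt', '*.xml', '*.config', '*.ini', '*.ps1', '*.bat', '*.cmd', '*.vbs', '*.json', '*.yml', '*.yaml', '*.env', '*.sql'
    $juicyNames = 'unattend.xml', 'sysprep.inf', 'web.config', '*.kdbx', '*.rdg', '*.pem', '*.ppk', '*.pfx', 'id_rsa'

    $files = Get-ChildItem -Path $SharePath -Recurse -File -ErrorAction SilentlyContinue

    # Files whose name alone makes them worth a look
    $files | Where-Object { $n = $_.Name; ($juicyNames | Where-Object { $n -like $_ }).Count -gt 0 } |
        ForEach-Object { [pscustomobject]@{ Kind = 'InterestingFile'; Path = $_.FullName; Line = $null; Match = $null } }

    # Text files containing a line that looks like a credential assignment (first hit per file)
    $files | Where-Object { $n = $_.Name; ($textTypes | Where-Object { $n -like $_ }).Count -gt 0 } |
        Select-String -Pattern $Pattern -List -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Kind = 'CredentialLine'; Path = $_.Path; Line = $_.LineNumber; Match = $_.Line.Trim() } }
}

# Run the three checks; keep the output as the input to your remediation tracker.
Get-Tier0Report | Format-Table -AutoSize
Get-LocalAdminReport | Format-Table -AutoSize
Find-ShareCredentials -SharePath '\\fileserver\Shared' | Export-Csv .\share-creds.csv -NoTypeInformation
```

Anything the Tier 0 report shows as disabled-but-still-a-member, stale, carrying an SPN, or not a dedicated admin account is a finding you can fix before paying someone to find it; the share scan output is the list of files to pull, rotate and lock down first.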

For web apps, "shift left":
- Have a staging or test environment, full stop... please don't test in prod -.-
- Integrate DAST and SAST in dev cycles
- Define security requirements just as you would define business requirements

Catching mistakes via pentesting is great, but many

Choose the right assessment by mapping to your goal:
- Improve hygiene? Risk/vuln assessment
- Validate detection and response? Purple team
- Mature program with strong SOC? Assume breach/internal pentest

Real story: we sometimes tell prospects, "You do not need a pentest yet. You need inventory, patching, risk assessments, and program development first." Do the right thing for your maturity; you will get more value and better results.

Security is a lifecycle, not one and done. Tech changes, people change… the process repeats. Stack small wins, then validate with a pentest when you are ready.

Finally, if you've read this far, thank you so much! The best way you can thank me is by reposting ♻ the original tweet for this thread. You rock! 🤘

More context on this topic here 👇 https://offsec.blog/episode-14...

@techspence If your organization uses pencils

@HackingLZ Only number 2 allowed

@techspence Excellent thread!

@sec_hub93028 Thank you! 💪

@techspence @PyroTek3 I don't mean to insult you, but this seems AI generated. I've followed your content because it's been great, down-to-earth technical shit, so please don't change for the algorithm.

@MJHallenbeck @PyroTek3 Appreciate the kind words man. Nothing has changed for me. The #1 thing is to provide value. See here https://x.com/techspence/statu...

@techspence When they tell you they haven't patched some of their servers in... 14 years. I'm not joking.

@AdamPiersen 14... I mean you have to be trying not to at that point

@techspence Orgs discover that these things need to be fixed after a pentest, if orgs wait until they are perfect, no one will be safe.

@m19o__ The enemy of good is perfect

@techspence When IT asks for the ICS/OT to be bolted on as part of the penetration test but have little or no information about the ICS/OT.

@Secure_ICS_OT Honestly, that scares me, lol

@techspence Or pentest can be the midterm and red team can be the final exam.

@plaverty9 Hah right!

@techspence I believe it's completely valid to test environments that aren't prepared to show system admins, middle managers, & the C suite just how serious the issues are. I believe testing in the middle of long-term, multi-year remediation projects to ensure you haven't slipped backwards

@3dot14r8 Yeah you're right, continuous and ongoing is the way to approach it

@techspence I believe in using small, targeted pen tests to validate the controls you're implementing will work as expected.

@3dot14r8 Big fan of targeted assessments too! Sometimes they are not small though, hah. I did an assessment once for a law firm that wanted to use Silverfort. Product worked awesome and we showed it blocking PTH, PTT, and cert abuse in real time. Super cool engagement. Metric ton of value.

@techspence 100%. Reducing vulnerability is a multi-phase process with each phase involving greater difficulty but having less ability to handle vulnerabilities at scale. Penetration testing should come at the end to catch what everything else missed and to validate their efficacy.

@RogueShoten I hear what you’re saying but there are also times to pentest sooner rather than later, especially with software development
