{"id":321,"date":"2021-04-07T22:46:00","date_gmt":"2021-04-07T22:46:00","guid":{"rendered":"https:\/\/www.cycognito.com\/blog\/?p=321"},"modified":"2024-01-09T22:20:14","modified_gmt":"2024-01-09T22:20:14","slug":"pen-test-alternatives","status":"publish","type":"post","link":"https:\/\/www.cycognito.com\/blog\/pen-test-alternatives\/","title":{"rendered":"Still Required, Not Admired: Traditional Pen Tests"},"content":{"rendered":"\n<p>In my role I\u2019m fortunate to talk to and learn from a number of experienced CISOs. Unequivocally, they tell me that traditional penetration (pen) testing isn\u2019t rapid enough or comprehensive enough to evaluate an organization\u2019s entire attack surface. \u201cPen tests are stale bread,\u201d is how one likes to put it. Another theme for these CISOs is that mandated regulatory requirements for pen testing aren\u2019t keeping pace with today\u2019s accelerated attacker risk. Read on to find out why the human-led pen test is a security tool that should be an \u201cand\u201d at best, not an \u201cinstead of\u201d more comprehensive testing.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The Reasons for Pen Testing<\/h2>\n\n\n\n<p>There are two key reasons organizations conduct traditional human-led penetration tests:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>To identify weaknesses that will help them improve their security posture<\/li>\n\n\n\n<li>To fulfill regulatory mandates<\/li>\n<\/ul>\n\n\n\n<p>Recent research we did with Dark Reading shows that current enterprise pen testing practices are driven more frequently by a desire to improve cybersecurity than to fulfill compliance requirements. In fact, the top two reasons that security professionals told us they conduct penetration tests are to measure their security posture and prevent breaches, with meeting regulatory requirements coming in third.<\/p>\n\n\n\n<p>That\u2019s somewhat surprising to me for two reasons. 
First, many security and compliance frameworks, like the\u00a0<a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-53r5.pdf\">NIST 800-53: Security and Privacy Controls for Information Systems and Organizations<\/a>\u00a0and the\u00a0<a href=\"https:\/\/www.finra.org\/sites\/default\/files\/Cybersecurity_Report_2018.pdf\">Financial Industry Regulatory Authority (FINRA)<\/a>, dictate the use of periodic penetration testing in conjunction with vulnerability scanning to achieve compliance. Second, it\u2019s also surprising given the predictions of pen testing\u2019s demise over the last 15 years and the\u00a0<a href=\"\/news\/press-releases\/report-reveals-penetration-testing-failures.php\">devaluation of the pen test by many CISOs<\/a>, even those who started their careers as pen testers.\u00a0<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Do Pen Tests Make You More Secure?<\/h2>\n\n\n\n<p>But the fact remains that most enterprises spend hundreds of thousands of dollars on penetration tests annually. Some spend millions! Let\u2019s explore how and whether different approaches to pen testing can achieve the intended purpose of making organizations significantly more secure.&nbsp;<\/p>\n\n\n\n<p>The traditional pen test is typically approached as a deep dive into a scoped segment of the IT ecosystem. A vulnerability scan of the defined scope is often the first step in the process; a final report of a potential attack path developed over a period of weeks is the typical deliverable.&nbsp;<\/p>\n\n\n\n<p>Pen tests are deep but narrow, time-consuming, expensive and highly variable in the insights they deliver. The variability may be due to the scope of the assignment, the budget allocation, and certainly the training and quality of the individual pen tester. 
It\u2019s often said that a pen test is an inch wide and a mile deep, or as deep as the pen tester\u2019s skills.&nbsp;<\/p>\n\n\n\n<p>A skilled pen tester, aka ethical hacker, will deploy techniques that attackers can use and machines can\u2019t. These include social engineering to obtain credentials, loitering outside buildings with smokers to gain physical access, and other ingenious ploys. At its best, a traditional pen test draws on human insight and maneuvers to illuminate how vulnerabilities can be chained together. But many pen tests don\u2019t reach that level of ingenuity. In private, CISOs divulge that some lower-level pen testers may deliver little more than Metasploit output.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Learn why the human-led pen test is a security tool that should be an addition to a comprehensive security testing program.<\/p>\n","protected":false},"author":26,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[6,34],"class_list":["post-321","post","type-post","status-publish","format-standard","hentry","category-perspectives","tag-attack-surface-management","tag-pen-testing"],"yoast_head_json":{"title":"Still Required, Not Admired: Traditional Pen Tests | CyCognito Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.cycognito.com\/blog\/pen-test-alternatives\/","og_locale":"en_US","og_type":"article","og_title":"Still Required, Not Admired: Traditional Pen Tests | CyCognito Blog","og_description":"Learn why the human-led pen test is a security tool that should be an addition to a comprehensive security testing program.","og_url":"https:\/\/www.cycognito.com\/blog\/pen-test-alternatives\/","og_site_name":"CyCognito Blog","article_published_time":"2021-04-07T22:46:00+00:00","article_modified_time":"2024-01-09T22:20:14+00:00","author":"CyCognito Staff","twitter_card":"summary_large_image","twitter_misc":{"Written by":"CyCognito Staff","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.cycognito.com\/blog\/pen-test-alternatives\/#article","isPartOf":{"@id":"https:\/\/www.cycognito.com\/blog\/pen-test-alternatives\/"},"author":{"name":"CyCognito Staff","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/e1e418d7d4a6d3abf5de7ef65d04da91"},"headline":"Still Required, Not Admired: Traditional Pen Tests","datePublished":"2021-04-07T22:46:00+00:00","dateModified":"2024-01-09T22:20:14+00:00","mainEntityOfPage":{"@id":"https:\/\/www.cycognito.com\/blog\/pen-test-alternatives\/"},"wordCount":546,"publisher":{"@id":"https:\/\/www.cycognito.com\/blog\/#organization"},"keywords":["Attack Surface Management","Pen Testing"],"articleSection":["Perspectives"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.cycognito.com\/blog\/pen-test-alternatives\/","url":"https:\/\/www.cycognito.com\/blog\/pen-test-alternatives\/","name":"Still Required, Not Admired: Traditional Pen Tests | CyCognito Blog","isPartOf":{"@id":"https:\/\/www.cycognito.com\/blog\/#website"},"datePublished":"2021-04-07T22:46:00+00:00","dateModified":"2024-01-09T22:20:14+00:00","breadcrumb":{"@id":"https:\/\/www.cycognito.com\/blog\/pen-test-alternatives\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.cycognito.com\/blog\/pen-test-alternatives\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.cycognito.com\/blog\/pen-test-alternatives\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.cycognito.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Still Required, Not Admired: Traditional Pen Tests"}]},{"@type":"WebSite","@id":"https:\/\/www.cycognito.com\/blog\/#website","url":"https:\/\/www.cycognito.com\/blog\/","name":"Cycognito Blog","description":"Research, Product News and Latest 
Updates","publisher":{"@id":"https:\/\/www.cycognito.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.cycognito.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.cycognito.com\/blog\/#organization","name":"Cycognito","url":"https:\/\/www.cycognito.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png","contentUrl":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png","width":1720,"height":550,"caption":"Cycognito"},"image":{"@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/e1e418d7d4a6d3abf5de7ef65d04da91","name":"CyCognito Staff","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/dc81941cde3349893dfc090c431e4dc0?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/dc81941cde3349893dfc090c431e4dc0?s=96&d=mm&r=g","caption":"CyCognito Staff"},"description":"Rule Your 
Risk","url":"https:\/\/www.cycognito.com\/blog\/author\/cycognito\/"}]}}}