Under the Hoodie: Lessons from a Season of Penetration Testing
In 2017, Rapid7 launched the “Under the Hoodie” project to demystify the practice of penetration testing by surveying the practitioners who conduct these engagements about what they most commonly see during client work. We have renewed this approach in 2018 to continue providing visibility into this often occult niche of information security. To this end, this paper presents the results of 268 engagements (251 of which involved live, production network tests), conducted from early September of 2017 through mid-June of 2018.
Rapid7 offers penetration testing services of all scopes and sizes, but in general, we find that our customers prefer external penetration tests, where the simulated attacker can only reach the target organization over the internet. Fifty-nine percent of all penetration tests performed in the survey period were externally based, where the targets tend to be internet-facing vectors such as web applications, email phishing, cloud-hosted assets, and/or VPN exposure. External penetration tests make sense for most organizations, given the preponderance of internet-based attackers. However, we always advocate for a penetration test that includes an internal component in order to understand the impact of a compromise and to quantify the gaps in an organization’s defense-in-depth strategy.