MainNerve LLC (@MainNerve)

3.6K posts

Your partner who provides transparency in cybersecurity.

Colorado Springs, CO. Joined February 2009.
360 Following, 171 Followers

MainNerve LLC @MainNerve:
When SHOULD organizations be pen testing? What's the ideal timing and trigger?

MainNerve LLC @MainNerve:
They test applications after they're deployed when changes are expensive and disruptive. They test annually on a calendar schedule regardless of what actually changed in their environment. Disagree with me. Or tell me I'm right. Either way, let's talk about it.

MainNerve LLC @MainNerve:
Hot take: Most organizations are testing the wrong things at the wrong time. They pen test their production environment right before a major launch when they can't afford to find anything critical.

MainNerve LLC @MainNerve:
Security folks: What's YOUR record? Not to brag, but to highlight how often the "sophisticated attack" is actually just trying admin/admin. Share your fastest compromise story. Bonus points if it was embarrassingly simple.

MainNerve LLC @MainNerve:
Someone just asked us: "What's the fastest you've ever compromised a network during a pen test?" Answer: 6 minutes. Default admin credentials on an internet-facing admin panel. Took longer to set up the VPN than to get in.

MainNerve LLC @MainNerve:
What drives you crazy about this industry? (And yes, venting is therapeutic. Let's hear it.)

MainNerve LLC @MainNerve:
Fill in the blank: "The most frustrating part of working in cybersecurity is ___________." We'll go first: Watching organizations ignore clear warnings until AFTER the breach, then suddenly having unlimited budget to fix everything. Your turn.

MainNerve LLC @MainNerve:
When you force frequent changes, people increment numbers. When you require symbols, they tack them on the end. When you make it painful, they write it down. Swipe through to see what actually creates strong passwords (and what doesn't) →

MainNerve LLC @MainNerve:
We just cracked 67% of employee passwords during a pen test. The client was stunned. They had "strict" password requirements: 12 characters, uppercase, lowercase, numbers, symbols, changed every 90 days. Here's what everyone was actually using: Summer2024! Fall2024!

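The two posts above make one point: a composition policy (length plus one of each character class) accepts passwords whose structure is completely predictable, such as season-plus-year-plus-symbol or a word with an incremented number on the end. The following Python is an added example, not MainNerve's code or tooling; it shows a defender-side audit that runs a classic composition check next to a structure check over a constructed sample list, so a security team can see which "compliant" passwords would still be trivial to guess. The sample passwords, the pattern labels and the 8-character minimum used for the demonstration are assumptions made for this example.

```python
import re

SEASONS = ("spring", "summer", "fall", "autumn", "winter")
MONTHS = (
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
    "jan", "feb", "mar", "apr", "jun", "jul", "aug", "sep", "sept", "oct", "nov", "dec",
)

# Constructed sample in the shapes the posts describe; not real client data.
SAMPLE_PASSWORDS = [
    "Summer2024!",
    "Fall2024!",
    "Winter2025!",
    "Welcome12!",
    "Password7#",
    "Xq7!rT9$bL2m",
    "correct-horse-battery-staple",
]

# Season or month name, a 2- or 4-digit year, then optional trailing symbols.
_SEASON_OR_MONTH_YEAR = re.compile(
    r"^(?:" + "|".join(SEASONS + MONTHS) + r")\s*(?:20\d{2}|\d{2})[^A-Za-z0-9]{0,2}$",
    re.IGNORECASE,
)
# A dictionary-style word, a one- or two-digit counter, then optional trailing symbols.
_WORD_SMALL_NUMBER = re.compile(r"^[A-Za-z]{3,}\d{1,2}[^A-Za-z0-9]{0,2}$")


def meets_complexity_policy(pw: str, min_length: int = 12) -> bool:
    """Classic composition policy: minimum length plus one of each character class."""
    checks = [
        len(pw) >= min_length,
        re.search(r"[A-Z]", pw) is not None,
        re.search(r"[a-z]", pw) is not None,
        re.search(r"\d", pw) is not None,
        re.search(r"[^A-Za-z0-9]", pw) is not None,
    ]
    return all(checks)


def predictable_pattern(pw: str):
    """Return a label describing the predictable structure, or None if none is detected."""
    if _SEASON_OR_MONTH_YEAR.match(pw):
        return "season/month + year + trailing symbol"
    if _WORD_SMALL_NUMBER.match(pw):
        return "word + incremented number + trailing symbol"
    return None


def audit(passwords, min_length: int = 12) -> dict:
    """Map each password that passes the composition policy but has a predictable
    structure to the pattern label; these are the ones the policy gives false comfort about."""
    flagged = {}
    for pw in passwords:
        label = predictable_pattern(pw)
        if label is not None and meets_complexity_policy(pw, min_length):
            flagged[pw] = label
    return flagged


if __name__ == "__main__":
    # An 8-character minimum is assumed here so the post's literal examples pass the
    # composition check and the structure check is what catches them.
    for pw, label in audit(SAMPLE_PASSWORDS, min_length=8).items():
        print(f"{pw:30} passes composition policy but is predictable: {label}")
```

In practice the structure check belongs in the place where passwords are set or reset (a Domain Password Filter, an identity provider's custom policy hook, or a breached- and banned-password list) rather than only in a post-engagement audit, since that is where it stops the predictable password from being chosen in the first place.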
MainNerve LLC @MainNerve:
Meanwhile, focused testing on specific high-risk areas leads to actual remediation. What's your take? Comprehensive scope or targeted testing? There's probably no right answer, but we'd love to hear different perspectives on this.

MainNerve LLC @MainNerve:
Honest question for security leaders: Would you rather find 100 vulnerabilities you can't fix, or 5 vulnerabilities you can actually address? We see organizations obsess over comprehensive testing that generates massive reports, then get overwhelmed and fix nothing.

MainNerve LLC @MainNerve:
It's about using your testing budget efficiently to find NEW problems while accounting for ones you're already managing. The best pen tests happen when there's transparency and partnership, not when we're trying to "catch" you with findings you already know exist.

MainNerve LLC @MainNerve:
"Won't telling you about known vulnerabilities make the pen test less valuable?" We get asked this before almost every engagement. The answer: No. It makes it MORE valuable.

MainNerve LLC @MainNerve:
Have you ever had a patch break something critical? How did you handle it?

MainNerve LLC @MainNerve:
Everything worked again. And now they were stuck with a choice: security or functionality. Swipe to see: Why patching is more complicated than it sounds. The approach that actually works. Sometimes the most secure decision is to patch carefully rather than patch quickly.

MainNerve LLC @MainNerve:
A client called us in a panic last month. They'd just patched a critical vulnerability on their web server, and suddenly their application stopped working. Customers couldn't log in, transactions were failing, and revenue was dropping by the minute. They rolled back the patch.