Pen Test Partners

⏳ Two weeks to go until PTP Cyber Fest 2026. Day one starts with a scenario no organisation wants to face, but every organisation needs to be ready for. Our Ken Munro and Joseph Williams will be joined by Nick Holland from @Shoosmiths on our DFIR Panel, looking behind the scenes during a ransomware incident. The panel will cover the technical investigation, legal considerations, and the key decisions organisations need to make under pressure. 📍 The Fox Pub 📅 Tuesday 2nd and Wednesday 3rd June 🔗 View the full agenda and register for free here: events.rantcommunity.com/CyberFest2026#/ #CyberFest2026 #DFIR #Ransomware #IncidentResponse #PenTestPartners #RANTCommunity

OT pen test findings need a different kind of context. A finding may be technically correct, but if the recommendation does not fit the environment, it will get pushed aside. Not because OT engineers are ignoring security, but because replacing equipment can be unrealistic, costly, or simply disproportionate to the actual impact. Do that too often and the important findings get lost. In our latest blog post, @cybergibbons explains why useful OT reporting needs more than a raw CVSS score. It needs context around impact, practical remediation, and longer-term strategy. He also breaks down common misconceptions in OT reporting and shows where recommendations often become impractical. A good OT report should not just tell plant teams what is wrong. It should help them work out what matters, what can be fixed now, and what needs to be planned properly. 📌 pentestpartners.com/security-blog/… #OTSecurity #ICSSecurity #CyberSecurity

AI in DFIR has a confidence problem. In our latest blog post, @jwdfir looks at why investigator judgement matters so much. He covers how easy it is to latch onto the wrong thing early in an investigation, why context is what turns artefacts into evidence, and what it actually takes to build a clear picture of what happened. He also puts AI to the test. Using event logs from a real DFIR challenge, he shows how an LLM produced a confident answer that still got key parts wrong. That is the risk. AI can assist in DFIR, but a confident answer is not the same as a correct one. 📌Read here: pentestpartners.com/security-blog/… #DigitalForensics #IncidentResponse #CyberSecurity #AI

There is a widely held belief that OT is too fragile to pen test. That simply connecting a laptop to an OT network will take down everything. This belief is wrong. Or, more accurately, it is a massive oversimplification of a much more nuanced reality. In our latest blog post, @cybergibbons breaks that down properly. Some OT devices are sensitive. Everyone serious in this space knows that. But that does not mean the whole environment is untouchable. The real job is knowing what can be assessed safely, when to stop, and how to work through a network in stages without creating risk. That is the difference between reckless testing and a competent approach to OT testing. 📌Read here: pentestpartners.com/security-blog/… #OperationalTechnology #OTSecurity #ICSsecurity #PenTesting #CyberSecurity

If you work in EU financial services, it is time to explore DORA. DORA was introduced because financial services now rely heavily on shared ICT platforms, outsourced providers, and complex digital dependencies. Regulators want financial entities to prove they can keep operating through disruption, not just document policies and hope they hold up. That is the real shift DORA brings... Resilience has to work in practice. It also raises the bar for supplier oversight, contractual control, and evidence that recovery processes hold up under pressure. 📌Read our breakdown here: pentestpartners.com/security-blog/… #DORA #OperationalResilience #FinancialServices #CyberSecurity #ThirdPartyRisk

Cloud environments are dynamic by nature. New services appear, teams change, applications scale, and permissions evolve over time. That makes IAM difficult to manage well, and when it is too permissive, attackers do not need public exposure or a complex exploit to get further in. Control plane access can be enough to modify the rules around sensitive resources and work around the protections already in place. In this blog post, we look at an Azure assessment where managed identity abuse let us modify the firewall rules protecting an Azure Key Vault, add our own IP address to the allowlist, and dump secrets. It also covers the IAM issues we see most often in cloud assessments, along with quick wins to reduce IAM risk. 📌 pentestpartners.com/security-blog/… #CloudSecurity #IAM #AzureSecurity #AWS #GCP #CyberSecurity

Ghidra is free, extensible, and helpful for reverse engineering firmware, but its learning curve is steep... In this blog post, Adam Bromiley (@OPSEC_failed) shares tips and tricks that make firmware reversing less painful, from finding the load address and interrupt vector table, through to defining a proper memory map and making better use of strings, scripts, LLMs, and more. It's a guide built from real research projects and a lot of hours spent in front of Ghidra’s UI. 📌Read here: pentestpartners.com/security-blog/… #ReverseEngineering #FirmwareSecurity #Ghidra #HardwareHacking #CyberSecurity

Some blog posts refuse to die. This is one of them. Back in May 2014, we published a guide on breaking out of Citrix and other restricted desktop environments. People have kept finding it, using it, and sending it around. So our Kieran Larking updated it with the newer breakout paths we see on modern Windows 10 and Windows 11 builds. Some old tricks no longer work. Others still do, just through different doors. The updated post pulls the techniques into one place and focuses on how people actually get out today. Bluetooth file transfer is one example of a newer angle that can matter on a physical endpoint. Dialog boxes and file pickers still get you to places they should not. From there, the practical pivots tend to be into whatever is still exposed, like PowerShell, Task Scheduler, Task Manager, and modern browser behaviour. It is less about one magic shortcut and more about chaining small gaps. If you run Citrix, VDI, or any restricted desktop setup, this is a useful checklist for hardening and for validating that your lockdown does what you think it does. 📌 pentestpartners.com/security-blog/… #RedTeam #PenTesting #CyberSecurity

EV batteries are becoming grid infrastructure. That brings real benefits for balancing short term peaks and troughs on the grid, but it also increases the impact of charger security failures. Our earlier EV charger research showed how compromised connected chargers could be switched on and off at scale to create disruptive spikes in demand. With bidirectional charging, the risk grows because chargers can switch between charging and discharging, which increases the power swing per device and creates a new impact for owners by remotely draining vehicle batteries. @TheKenMunroShow points out that as vehicle to home and vehicle to grid charging moves closer to wider rollout, secure design, secure defaults, and proper vulnerability handling need to be built in from the start. 📌Read here: pentestpartners.com/security-blog/… #Cybersecurity #EVCharging #SmartGrid #IoTSecurity #EnergySecurity

Ken Munro spoke at CISO 360 Americas in New York last week. His talk focused on discovering shadow tech. That means finding the smart devices in your buildings that can create back doors into an organisation. He also joined the “Quantum ready, AI resilient” panel on balancing innovation with trust, resilience, and human agency, alongside Rachael Sherman and Sounil Yu. #CISO360 #Cybersecurity #CyberResilience

@AlanMonie found that Shelly Gen 4 smart switches keep their default, open Wi-Fi access point enabled even after you join them to your home network. Anyone nearby can connect and trigger whatever the device controls. That includes garage doors, gates, lights, sprinklers and more... It also gives an attacker a foothold inside your network. From a compromised Gen 4 device, it is possible to ‘pivot’ and control other Shelly devices on the internal network, and in some cases send traffic to non Shelly devices too. The other problem is scale. These default Shelly SSIDs can be discovered and geolocated using wigle.net, which makes targeting much easier. Shelly initially engaged in disclosure and said firmware 1.8.0 would address it, then went quiet. After 120 plus days, we have published so owners can take action. The DIY fix is simple, but only if you know the access point is still on. 📌pentestpartners.com/security-blog/… #iotsecurity #smarthome #wifisecurity #physicalsecurity #vulnerabilitydisclosure #pentesting

Covert recording devices are cheap, easy to buy, and easy to use. That is what makes them risky. Tom Roberts bought an off the shelf audio bug for proof of concept work and found a concerning surprise. Several recordings were already on the device! The real risk is not a skilled attacker. It is everyday misuse, driven by frustration, curiosity, or spite. 📌 pentestpartners.com/security-blog/… #socialengineering #covertrecording #surveillance #infosec #cybersecurity

Ignoring the dodgy CGI, the l33t speak, and the questionable acting, our @TheKenMunroShow picks apart how much of Hackers (1995) would hold up in the real world today, and what we can learn from it. Some of it is nonsense. Some of it is surprisingly plausible. The most believable parts are the usually the least cinematic. Thirty years on, some of the security mistakes are still showing up. 📌pentestpartners.com/security-blog/… #cybersecurity #hackers #hackthegibson #otsecurity #HACKTHEPLANET

The EU Cyber Resilience Act applies to organisations that build, sell, import or distribute products with digital elements into the EU. That includes software, firmware, connected devices and embedded systems. It sets mandatory security requirements across the product lifecycle, covering secure defaults, vulnerability handling and update processes. From September 2026, reporting and vulnerability handling obligations apply. Full compliance is required by December 2027 for products to remain on the EU market. We break down what this means in practice and how teams should prepare. 📌pentestpartners.com/security-blog/… #CyberResilienceAct #ProductSecurity #EUCompliance #CyberSecurity #SecureByDesign

Our @AlanMonie reported a vulnerability to Carlsberg that exposed visitor videos and full names from its Copenhagen exhibition. The issue relied on low-entropy wristband IDs embedded in QR codes. There was no real authentication, and rate limiting wasn’t effective. With a bit of time and one laptop, it was possible to brute force access to other people’s photos and videos. Alan reported the issue through Carlsberg’s vulnerability disclosure program via Zerocopter. He waited. He retested when asked. After that, communication stopped, while the issue remained exploitable and disclosure was blocked. More than 150 days after the original report, we have published. This write-up walks through the technical details, the full disclosure timeline, and why responsible disclosure must include disclosure. 📌pentestpartners.com/security-blog/… #cybersecurity #carlsberg #responsibledisclosure #gdpr #vulnerabilitydisclosure #infosec

A single exposed secret led to compromise across AWS, GitHub, and Azure. There were no platform integrations and no shared identity architecture. The linkage existed entirely through reused, long-lived, overprivileged credentials. Once those secrets leaked, cloud boundaries stopped mattering. Each environment became a stepping stone to the next. This write-up breaks down the attack path and where small changes make a difference based off of lessons from testing. 📌 pentestpartners.com/security-blog/… #cloudsecurity #multicloud #cybersecurity #cloud #AWS #Github

As AI tools fill submission queues with low-value findings, VDP teams are being overwhelmed by trivial duplicates, automated XSS reports, and submissions that don’t help security teams fix real issues. As a result, important findings are increasingly delayed, missed, or buried in the noise. Our latest blog post by @TheKenMunroShow looks at what is going wrong in VDPs and gives practical ways teams can reduce noise, protect signal, and keep disclosure working as intended. 📌pentestpartners.com/security-blog/… #cybersecurity #vulnerabilitymanagement #VDP #AIsecurity #infosec #vulnerabilitydisclosureprogram

We investigated a macOS infostealer variant that, at the time, had not been recorded in the wild. Delivered via a single copy and paste terminal command disguised as a Homebrew installer, the malware harvested credentials, staged user data, and attempted exfiltration using only native macOS tooling. Network egress controls prevented data loss and contained the incident to one host. This case shows how quickly modern infostealers can operate without noisy tooling or exploits. Read the full breakdown of the fastest growing malware category in 2025 here: 📌 pentestpartners.com/security-blog/… #CyberSecurity #DFIR #ThreatResearch #MalwareAnalysis #macOSSecurity

Our Ross Donald took a look at Eurostar’s public AI chatbot and found four security issues, including guardrail bypass, prompt injection, weak conversation binding, and HTML injection. The chatbot UI suggested strong controls, but server side enforcement was incomplete. By modifying chat history and IDs, it was possible to influence model behaviour and extract internal details. This research shows that familiar web and API security failures still apply, even when an LLM sits in the middle. 📌 pentestpartners.com/security-blog/… #CyberSecurity #AIsecurity #LLM #ApplicationSecurity #AI #Chatbot #Eurostar