Typically, security assessments involve off-the-shelf or open-source products, automated scans and attacks to identify vulnerabilities, and engagements scoped to last a week or two in an effort to help clients become compliant. Ultimately, the scope and sophistication of the assessment are limited to the functionality provided by the purchased or free toolset.
This approach is ineffective for several reasons. First, attackers leverage custom tools, exploits, and methodologies when targeting an organization. Further, what organizations need is a realistic perspective of their ability to identify, detect, and respond to an attack, which the typical approach fails to provide. Finally, attackers are not bound by the strict timeline and scope of traditional penetration tests. Together, these factors explain why more and more organizations are being breached every year. The conventional testing approach is not working!