Imagine that sometime in the not-so-distant future an attacker decides to attack a multinational company’s
digital assets, targeting hundreds of millions of dollars worth of intellectual property buried behind millions
of dollars in infrastructure. Naturally, the attacker begins by firing up the latest version of Metasploit.
After exploring the target’s perimeter, he finds a soft spot and begins a methodical series of attacks, but even after he’s compromised nearly every aspect of the network, the fun has only just begun. He maneuvers through systems, identifying core, critical business components that keep the company running. With a single keystroke, he could help himself to millions of company dollars and compromise all their sensitive data. Congratulations on a job well done—you’ve shown true business impact, and now it’s time to write the report. Oddly enough, today’s penetration testers often find themselves in the role of a fictitious adversary like the one described above, performing legal attacks at the request of companies that need high levels of security. Welcome to the world of penetration testing and the future of security.