CypherCon 2024

Rethinking Penetration Testing

Mike Saunders


I believe the current model for traditional penetration testing is broken. The typical scan and exploit model doesn’t reflect how real attackers operate after establishing a foothold. Many organizations aren’t mature enough to need or benefit from a proper red team assessment. Organizations are often unsure how to approach a Purple Team.

In this talk, I’ll discuss some of the differences between red teaming, assumed breach testing, and purple teams, highlight the strengths and shortcomings of each, provide guidance to help organizations understand which test is right for them, and provide questions they should be asking themselves and their consultants during the initial contact and scoping phases.

Importance: I wrote this talk as a response to the kinds of questions we get from clients when they are looking for offensive security testing purposes. There are a lot of different terms used for Red Teams, and Red Team means many different things to different vendors and clients.  In this talk, I try to break down the different kinds of tests (internal/external, Assume Breach, Purple Teams, Red Teams), describing the core ideas of each kind of test. I try to give pros and cons of each type of test.  I also make a case for why I believe Assume Breach testing is probably the right choice for most organizations.  I conclude the presentation by providing questions that potential clients can ask themselves, or vendors can use to help guide a client, to selecting the right kind of test for their needs.

Mike Saunders


Mike Saunders, Red Siege Principal Consultant, has worked in the ISP, financial, insurance, and agribusiness industries. He has held a variety of roles in his career including system and network administration, development, and security architect and has been performing penetration tests for over a decade. Mike is a Black Hat Trainer and experienced speaker, speaking at conferences such as DerbyCon, WWHF, Circle City Con, regional BSides, SANS Enterprise Summit, the NDSU Cyber Security Conference, and SANS and Red Siege webcasts.