Penetration Testing

Authorised simulated attacks against systems and networks to identify vulnerabilities before adversaries do, giving defenders an attacker's perspective.


What is Penetration Testing?

Penetration testing (pentesting) is the controlled practice of attacking your own environment to discover exploitable weaknesses. Unlike vulnerability scanning, pentesting validates whether vulnerabilities can actually be exploited and chains them together to demonstrate real-world impact.

| Vulnerability Assessment | Penetration Testing |
| --- | --- |
| Identifies potential weaknesses | Proves exploitability |
| Automated scanning | Manual + automated |
| Breadth-focused | Depth-focused |
| "This could be vulnerable" | "I got Domain Admin" |

The goal: Find and fix weaknesses before threat actors exploit them.


Why SOC Analysts Should Care

Pentesting directly improves defensive operations:

| Pentest Output | SOC Benefit |
| --- | --- |
| Attack paths documented | Detection rule development |
| Techniques used | Purple team validation |
| Controls bypassed | Gap identification |
| Dwell time achieved | MTTD benchmarking |
| Logs generated | Alert tuning opportunities |

{% hint style="info" %} Key insight: Every pentest is a detection engineering opportunity. If the red team moved laterally undetected, your detections have gaps. {% endhint %}


Types of Penetration Testing

| Type | Scope | Focus |
| --- | --- | --- |
| External | Internet-facing assets | Perimeter defences, web apps, VPN, email |
| Internal | Inside the network | Lateral movement, privilege escalation, AD |
| Web Application | Specific applications | OWASP Top 10, business logic flaws |
| Wireless | WiFi networks | Rogue APs, WPA2 attacks, segmentation |
| Social Engineering | Human element | Phishing, vishing, physical access |
| Cloud | AWS/Azure/GCP | Misconfigurations, IAM, storage exposure |


Pentest vs Red Team vs Purple Team

| Engagement | Objective | SOC Awareness |
| --- | --- | --- |
| Pentest | Find vulnerabilities | Usually informed |
| Red Team | Test detection & response | Typically blind |
| Purple Team | Collaborative improvement | Fully integrated |

For SOC improvement: Purple team exercises deliver the most value, with attackers and defenders working together to validate and enhance detections in real time.


The Pentest Lifecycle


Standard Techniques (What to Detect)

| Phase | Techniques | Detection Opportunities |
| --- | --- | --- |
| Recon | DNS enumeration, port scanning | Firewall logs, IDS alerts |
| Initial Access | Phishing, exploit public apps | Email gateway, WAF, EDR |
| Execution | PowerShell, scripting engines | Script block logging, AMSI |
| Persistence | Scheduled tasks, registry, services | Sysmon, autoruns monitoring |
| Priv Esc | Token manipulation, UAC bypass | Sensitive privilege use |
| Credential Access | LSASS dump, Kerberoasting | Credential access events |
| Lateral Movement | PsExec, WMI, RDP, SMB | Logon events, network auth |
| Exfiltration | DNS tunneling, cloud storage | DLP, proxy logs, DNS analytics |

{% hint style="warning" %} Detection gap check: Review pentest reports for techniques that went undetected. Each one is a detection engineering backlog item. {% endhint %}


Pentesting's Role in Security Programs

Validates Controls

Confirms whether security investments actually stop attacks, or merely generate dashboards.

Tests Detection Capability

Reveals blind spots in logging, alerting, and response procedures.

Demonstrates Risk

Translates technical vulnerabilities into business impact for executive communication.

Meets Compliance

Required by PCI-DSS, HIPAA, SOC 2, and numerous regulatory frameworks.

Drives Prioritisation

Exploitable vulnerabilities get fixed faster than theoretical ones.


Leveraging Pentest Results as a SOC Analyst

During the engagement:

  • Monitor for pentest activity (if aware of the engagement) and validate that your detections fire

  • Note timestamps of attacker actions for log correlation

  • Track which alerts triggered and which didn't

After the engagement:

  • Request detailed logs of all techniques attempted

  • Map findings to MITRE ATT&CK techniques

  • Build or tune detections for gaps identified

  • Create purple team scenarios from successful attack paths

  • Update runbooks with observed attack patterns
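The correlation and gap-check steps above, worked as an added example that is not part of the original page: a constructed pentest operator log and a constructed SIEM alert export are matched by ATT&CK technique within a one-hour window, giving the detected techniques with their detection latency, a mean time to detect, and a backlog of undetected techniques. All timestamps, hostnames and alert names are invented sample data.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed operator log from the pentest: (timestamp, ATT&CK technique, action).
PENTEST_TIMELINE = [
    ("2024-03-04T09:02:00", "T1046", "port scan of internal /24"),
    ("2024-03-04T09:40:00", "T1059.001", "PowerShell stager on WS-17"),
    ("2024-03-04T10:15:00", "T1003.001", "LSASS memory read on WS-17"),
    ("2024-03-04T10:50:00", "T1558.003", "Kerberoasting of service accounts"),
    ("2024-03-04T11:30:00", "T1021.002", "SMB lateral movement to FS-01"),
    ("2024-03-04T12:10:00", "T1048.003", "DNS tunnelling to external resolver"),
]

# Constructed SIEM alert export: (timestamp, alert name, ATT&CK technique or None).
SOC_ALERTS = [
    ("2024-03-04T09:41:30", "Suspicious encoded PowerShell", "T1059.001"),
    ("2024-03-04T10:16:05", "LSASS access by non-system process", "T1003.001"),
    ("2024-03-04T11:34:00", "Admin share logon from workstation", "T1021.002"),
    ("2024-03-04T14:00:00", "Weekly vulnerability scan summary", None),  # unrelated noise
]

def correlate(timeline, alerts, window=timedelta(hours=1)):
    """Pair each action with the first same-technique alert within `window`; return (detected, undetected)."""
    detected, undetected = [], []
    for ts, technique, action in timeline:
        start = datetime.fromisoformat(ts)
        hits = sorted(datetime.fromisoformat(a_ts) for a_ts, _, a_tech in alerts
                      if a_tech == technique
                      and start <= datetime.fromisoformat(a_ts) <= start + window)
        if hits:
            detected.append((technique, action, (hits[0] - start).total_seconds() / 60))
        else:
            undetected.append((technique, action))
    return detected, undetected

def mean_time_to_detect(detected):
    """Mean minutes from attacker action to first matching alert (None if nothing fired)."""
    return mean(minutes for _, _, minutes in detected) if detected else None

def detection_backlog(undetected):
    """Every undetected technique becomes a detection engineering backlog item."""
    return [f"[BACKLOG] {tech}: no alert within window for '{action}'" for tech, action in undetected]

if __name__ == "__main__":
    det, undet = correlate(PENTEST_TIMELINE, SOC_ALERTS)
    for tech, action, minutes in det:
        print(f"DETECTED  {tech:<10} {minutes:4.1f} min  {action}")
    print("\n".join(detection_backlog(undet)))
    print(f"Undetected: {len(undet)}/{len(PENTEST_TIMELINE)}  MTTD: {mean_time_to_detect(det):.1f} min")
```

With real data, the operator log comes from the testers' engagement notes and the alert export from your SIEM; the three "[BACKLOG]" lines are the detection gap check from the warning hint above.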


Key Metrics from Pentesting

| Metric | What It Measures |
| --- | --- |
| Time to initial access | Perimeter effectiveness |
| Time to Domain Admin | Internal control strength |
| Techniques undetected | Detection coverage gaps |
| Mean time to detect (if red team) | SOC responsiveness |
| Critical findings count | Overall security posture |
| Remediation time | Vulnerability management maturity |


Building Offensive Awareness

SOC analysts benefit from understanding attacker methodology:

| Skill | Defensive Application |
| --- | --- |
| Basic exploitation | Understand what alerts mean |
| Privilege escalation paths | Recognise post-compromise activity |
| AD attack techniques | Detect Kerberoasting, DCSync, etc. |
| Evasion methods | Anticipate detection bypasses |
| C2 frameworks | Identify beacon behaviour |

Resources:

  • TryHackMe / HackTheBox - Hands-on practice

  • PNPT / OSCP - Structured learning paths

  • Atomic Red Team - Technique simulation

  • MITRE ATT&CK - Technique reference


Quick Wins

  1. Read pentest reports - Understand what was found and how

  2. Map to ATT&CK - Translate findings into detection opportunities

  3. Request raw logs - Correlate pentest activity with your telemetry

  4. Build detections - Create rules for techniques that bypassed controls

  5. Run atomic tests - Simulate techniques to validate new detections

  6. Join purple teams - Collaborate directly with offensive testers


Penetration testing tells you what's broken. Detection engineering ensures you see it next time.
