I N T R O D U C T I O N
Imagine that sometime in the not-so-distant future an
attacker decides to attack a multinational company’s
digital assets, targeting hundreds of millions of dollars
worth of intellectual property buried behind millions
of dollars in infrastructure. Naturally, the attacker
begins by firing up the latest version of Metasploit.
After exploring the target’s perimeter, he finds a soft spot and begins a
methodical series of attacks, but even after he’s compromised nearly every
aspect of the network, the fun has only just begun. He maneuvers through
systems, identifying core, critical business components that keep the com-
pany running. With a single keystroke, he could help himself to millions of
company dollars and compromise all their sensitive data.
Congratulations on a job well done—you’ve shown true business impact,
and now it’s time to write the report. Oddly enough, today’s penetration
testers often find themselves in the role of a fictitious adversary like the one
described above, performing legal attacks at the request of companies that
need
high levels of security. Welcome to the world of penetration testing and
the future of security.