
The commoditization of penetration testing

Pentesting now seems like a dirty word.

This struck me when I was reading OpenAI’s recent post “Advancing red teaming with people and AI”, where they essentially describe pentests against their LLM. Anecdotally, it seems that suppliers are rebranding their pentest services as “red team engagements” to stay relevant.

This observation comes in a market where many OG pentest vendors have been acquired and rolled into the consulting arms of multinationals, their identity slowly being forgotten. New vendors have popped up, but they’re mostly competing on price in a race to the bottom.

Automation in the SDLC, default defences included in development frameworks, and effective EDR have also chipped away at the premise (and budget) for pentests.

Are pentests still required? Or are they only for compliance?

Personally, I think many public-facing apps would be better served by enlisting in a bug bounty program instead of a pentest.