- Updated at
Whether you realize it or not, 2022 is almost over. As offensive security specialists, we see some aspects of our work evolve in almost real-time. So wanting to understand how pentesting might change becomes essential to making better decisions.
Will pentesters use more specialized tools for their security assessments?
How will they improve their process to stay relevant as the field evolves?
Will a sharp and constructive mindset be enough to set them on the path to success? What else?
You’ll get answers to all these questions and more in this expert roundup featuring diverse and insightful contributions.
I reached out to 17 experienced offensive security pros from various industries (education, finance, network security, healthcare, etc.) to find out how they picture the future of penetration testing.
These ethical hackers share valuable and nuanced opinions on how pentesting will evolve in 5 key real-world areas: trends, training, process, mindset, and tools.
Let’s dig in!
Essential trends that shape how pentesting is changing
Social engineering is one trend to impact the future of penetration testing, followed by a shift towards standardization, international conflicts, and bug bounties.
The ethical hackers who contributed also believe the pentesting market will focus heavily on identifying security vulnerabilities in the supply chain. Cloud security will become an area of greater importance for security teams. The emergence of quantum computer will also change the way security professionals adapt to new challenges.
Curious to discover more insights? Let’s get straight to security experts’ full contributions.
Senior Team Lead at Social-Engineer, LLC | Co-organizer of Layer 8 conference | Certified SEPP (Social Engineering Penetration Test Professional)
I believe the future of penetration testing is in social engineering. I have been a pentester in the traditional sense, where I tried to obtain access to networks from inside and out. I was also tasked with finding vulnerabilities in websites and mobile applications. I’ve read through API documents and tried to get onto wireless access points. While that sounds like a lot of variety, one thing that struck me is that eventually, it’s a lot of the same. An unpatched host will be vulnerable to the same cyberattacks over and over again, so the solution is to patch it! Once a vulnerability is patched, it’s no longer vulnerable.
So let’s move up the stack just a little bit onto the unofficial 8th layer of the OSI model, the human. I enjoy social engineering because every human is different. There is no patch for social engineering and the same attacks or exploits don’t work every time. Attackers realize this and understand network perimeters are likely better secured today than they were five or ten years ago. Getting access through a vulnerable employee is now the preferred attack vector. Until policies, education, training, and motivation all catch up, the future of penetration testing and bypassing security controls will be through social engineering.
Andrei highlights not just one, but three emerging trends that will play a significant role in how penetration testing will evolve as a discipline in the next decade: standardization, international conflicts, and bug bounty programs.
Let’s go through each of them:
1. Companies have become dependent on technology, and because of that, standardization is a must. This enforces the minimum requirements for different industries to operate. In a way, you can say that it could bring more work for penetration testers, and you might be right. At the same time, minimum requirements usually become over time into the recommended requirements and based on my experience, this is not enough to protect against cyber threats.
2. International conflicts forced the industry and the governments to consider investing in cyber security, particularly offensive security capabilities. I feel that this trend evolves and we will see more and more interconnection between cyber security specialists, and the needs of the governments to develop their own set of "virtual missiles". And penetration testers and security researchers will play a major role here.
3. Bug Bounties created the premises to use the international community of cyber security specialists as one giant brain. This can limit in some ways the impact of some malicious organizations because their 0-days won't remain undiscovered for long. At the same time, bug bounty brings additional revenue streams for the penetration testers which can prevent the migration of smart people to more developed countries.
Penetration Tester at LIFARS | Global top 0.1% at TryHackMe & HacktheBox.
Cloud computing is growing at an accelerating rate, and businesses are becoming increasingly dependent on it. Being a relatively new discipline, it is still widely misunderstood by many and is often poorly configured. At present, cloud security engineers and cloud penetration testers are very scarce and cannot meet the growing demand in the cybersecurity market.
Therefore, over the next decade, cloud security will potentially become an area of greater importance than the security of on-premise systems. Rather than focusing on which ports are open in an environment, penetration testers will need to scrutinize the permissions of cloud policies and the configurations of storage services and attempt to escalate privileges in an environment with locked-down ports.
Co-founder & CEO at Obscurity Labs
In the next decade, penetration testers will have to adapt to the threat landscape, with penetration testing moving from simple attack paths to multi-attack chain scenarios bleeding into the realm of adversarial emulation (Red Team engagements).
It will be driven by the investments made at federal, state, local, and enterprise levels throughout the various sectors. This advancement in secure coding practices, active defenses, and oversight will cause a decrease in external exploitation. We already have seen this trend manifesting over the last 5-7 years with a massive increase in phishing to gain initial access, which is required to pose impact and harm.
That means the pentesting market will focus heavily on the assessment and engagement in supply chain testing of major software companies and manufacturers. We'll also see a change in the skillset, level of expertise, and tools required to assess and report findings to stakeholders.
However, this will not remove the traditional pentesting of immature organizations requiring the assessment of misconfigurations, patching programs, network segmentation, and internal security controls in place.
While Artificial Intelligence and Machine Learning are becoming more prevalent within the cybersecurity industry to assist operators in static and active threat identification, analyst alert fatigue, and vulnerability discovery, they have yet to replace the operator behind the toolset.
I don’t anticipate this in the next decade to change both the offensive and defensive nature of our lines of work. We can’t replace the human in the loop yet!
Speaker | Mentor | Ethical hacker & Award-winning penetration tester
Gabrielle shares her hands-on and educational pentesting resources (guides, open source tools, etc.) to help offensive security specialists get better at their job.
When asked about emerging trends in penetration testing, Gabrielle said without hesitation:
Quantum will play a major role in how penetration testing will evolve over the next decade. In the next ten years, we’ll have another digital revolution with the entry of the quantum computer on the market.
This technological advance will bring as much progress as risks in terms of cybersecurity.
A quantum computer will no longer use operations based on manipulating bits in a state of 1 or 0 but on superpositions of states of 0 or 1. It will therefore have a computing power far superior to our current computers.
This will give cybercriminals more resources for their cyberattacks. For example, they will have the ability to break cryptographic algorithms faster. They’ll also decrypt large volumes of data faster, including the most sensitive data for a company or society by attacking organizations of vital importance.
If you’re curious to understand more about the implications of the coming wave of quantum computing, listen to this insightful episode of the Hacking Humans podcast.
Moving on, we wanted to know how infosec specialists will approach training to keep their skillset sharp as the penetration testing industry evolves.
Evergreen training elements to use as penetration testing evolves
Keep your skillset and mindset sharp with these four evergreen recommendations from IT security specialists:
Focus on continuous learning & research
Attend training, competitions, webinars
Be more comfortable with living off the land in terms of concepts and mindsets
Let’s explore more!
Senior Security Consultant | Core Lead Pentester at Cobalt.io | Speaker at infosec conferences | Trainer & Red Team member at Synack.
Here’s what he believes matters to pay attention to:
Continuous Learning & Research about the latest trends and attacks that are coming every day is an essential factor. You’ll get to know some new zero-days or CVEs for software that you could test or interesting attack chains done by researchers, etc.
I follow this under my Learn365 challenge, where the goal is to learn at least one new thing, or read a new article, in a nutshell, gain some knowledge every single day for 365 days. This personal challenge has helped me grow a lot.
Ethical Hacker | GIAC Security Expert | Head of Professional Services and Penetration Tester at Pentest-Tools.com
Razvan highlights the importance of showing up and attending infosec events to connect with like-minded peers (LinkedIn is a great place for that too!).
Short answer: focus on continuous learning and be open to new challenges.
Long answer: I enjoy attending lots of cybersecurity community events (conferences, meetups, etc.) and networking with people to learn about the latest cybersecurity trends. I would recommend to every person who is passionate about their industry to attend training, competitions, and webinars on top of their day-to-day job, including online training via various platforms.
Also, always have fun while you learn!
I believe staying current on industry news and updates is one of the most evergreen aspects of being a successful pentester. But you need to couple this with technical acumen. Security researchers and threat actors are constantly finding and exploring new weaknesses to weaponize technology in various ways.
If pentesters are not staying up to date with changes, they run the risk of growing stale, having skills age out of effectiveness. They are also doing their clients a disservice by not testing the penetration of client assets through modern methods.
There are many outlets to get access to current threat intel and news but to share a curated, time-effective resource, I host a Daily Cyber Threat Briefing every weekday morning for 45 minutes where hundreds of practitioners attend to get their daily dose of intel. Feel free to join this show and add this evergreen practice into your routine.
Principal Penetration Tester at Dragos, inc.
To keep your offensive skillset and mindset sharp and flexible as the penetration testing field evolves is to be more comfortable with living off-the-land in terms of concepts and mindset. I have noticed a trend lately that there seems to be more of a focus on learning all the various tactics, techniques, and procedures (TTPs) across a significantly broad spectrum of devices, services, etc., as well as the tools that exploit them.
Collecting all these TTPs will surely benefit you or someone on your team at some point, but there's no guarantee it will benefit you today.
There will be times in a vulnerability assessment when you won't be able to introduce third-party tools or exploits per the rules of engagement and you may even see something you've never seen before.
Understanding the concepts of living off the land, the systems you are assessing, and developing an adaptable mindset capable of leveraging things such as existing communications on the network, what is installed or stored on an asset, etc.
They'll have far better benefits not just for these cases, but for all penetration test assessments you'll work on.
Additionally, this further equips you to present clients with the opportunity to see and learn about potential oversights and/or misconfigurations in their environment.
Ways to improve your process & deliver quality engagements
And always remember to build relationships in the industry and focus on the business impact to provide better ethical hacking assessments.
Explore our contributors’ full insights below.
Co-founder | Offensive Security Director at Volkis
There is a simple answer: people!
It all starts with people. Infosec is constantly changing and keeping up with the firehose of information can be daunting unless you love it! Our team is passionate about infosec and loves what they do, which means it’s less of a chore and more fun to learn these new things.
It’s important to remember that infosec is just one side of it. It doesn’t exist in a vacuum. We have to intimately understand our clients’ goals around infosec and how they differentiate from other industries and even competitors in the same industry. E.g. Ransomware almost didn’t exist 10 years ago, and now, it’s the biggest concern for most organizations.
“That’s how it has always been (done)” is banned at Volkis. Our internal processes, reporting style, and preconceptions are always up for debate and change if there is a better way. We regularly review what we do and play devil's advocate to see whether we could have something better.
In the second episode of the We think we know podcast, Alexei unpacks the skills and mindset it takes to deliver quality in penetration testing and become a better ethical hacker. Tune in for more details!
OSCP | Security Research Lead | Product Owner at Pentest-Tools.com
Being up-to-date in the penetration testing environment is challenging. Every day, new techniques are published and you must filter what is valuable or not. I'm constantly trying to improve my methodologies by reading technical blog articles, write-ups, and bug-bounty reports.
From my perspective, an important process of any pentest engagement is the automation of recon and vulnerability discovery phases. You must develop an automation flow that can deliver quality results, leaving the manual testing ( and the fun part ) in your hands.
With every new engagement, you must learn at least a new technique and how to approach a specific technology or framework.
Senior Offensive Security Manager at Robinhood
Try to keep up with emerging trends in penetration testing by following infosec pros on Twitter and research you found publicly. Make sure you attend or watch conference talks. Take (smaller) vendor pitches to see what problems they are solving. Major vendors aren't usually innovating. They buy the small companies that innovate.
From a strategic perspective, create relationships with people who are younger or newbies in their careers and periodically check in with them on THEIR challenges and what they seek in their work/verticals.
Build relationships in the community and talk to people to get a sense of what challenges they are facing. There is where you need to spend time directing and filling the knowledge gap.
Remember this: Impact, impact, impact - if you focus on the impact, you will also deliver quality engagements.
Be tactical and balance what you need to learn in your current position and what you need/want to learn for future positions, or what you see coming up in the future (e.g. testing web3/blockchain services/products).
He also highlights:
Ask yourself these 5 particular questions:
Key mindset traits to help you grow as the discipline evolves
Continuous adaptation is a requirement but mixed with a thirst for curiosity for the offensive security field. Whether you offer penetration testing services, audits, or handle vulnerability scanning, staying current on industry news and updates will also keep you relevant in the field.
Don’t miss these 3 key insights security professionals shared.
Penetration Tester | Instructor | Developer | Researcher at Black Hills Information Security
The mindset trait is simple... "Continuous adaptation and change are requirements".
Penetration Tester | Instructor | Keynote Speaker | Published Author | The Hacker Factory Podcast Host
The mindset trait that keeps me relevant in the offensive security field is curiosity. The world of technology and security is dynamic and constantly changing.
Curiosity alone doesn’t keep me relevant. It requires continuous education and keeping up with what is happening in the industry, including the latest technologies, tools, and techniques.
Penetration Tester Specialist | OSEP | OSWE | OSCP | CEH | CPTC | PenTest+ | Founder of Zerotak Security
One of the main perspectives that kept me on the right path over the years was finding comfort outside my comfort zone (that sounds pretty strange, right?). You should be evolving as much as possible while being comfortable with that!
Don't take a course just because you know it is an industry well known, but you hate doing it. Instead, do it because you love the topic and you are passionate about learning new things.
Technology is changing, you should too! Let me ask you a question to think for yourself: What will happen in 10 years with all the web penetration testers, if the blockchain and virtual reality are gaining ground, and the web will not be a thing at that time?
While you think about Cristian’s question, let’s take a look at another focus area of penetration testing we explored. All the tools that help offensive security pros improve their workflow and automate tedious tasks.
How to approach penetration testing tools to stay productive throughout changes
Understand that choosing the right tool for the job comes with time and experience. And one of the best ways to learn from tooling and rely on them is to read its code and monitor it to see how it works at a network level.
CISO | Researcher | Cyber Security Speaker at Hedgehog Security | Manager at Gibraltar CERT | CISO at Calpe Medical Services
The most important thing to remember about tools is that they are simply that - a tool in your toolbox. There is always a right one that will do the job and a wrong one. Choosing the right tool for the job comes with time and experience.
Take, for instance, the simple matter of working out all the live hosts on a network. I take my interns through three different lab environments, each one progressively harder to enumerate the hosts. It is amazing how often new testers rely on Nessus, OpenVAS, or similar output.
Even Nmap does get it right all the time unless you are knowledgeable about all the different switches. Sometimes, simple tools, like ARP, can tell you what blocks the scanners you’re using. And sometimes you have to roll up your sleeves and get down and dirty with some tcpdump action.
A pentester needs to be a master of their tools. Like a blacksmith is a master of the hammer and fire, and their working medium is metal, a pentester must be a master of their tools.
Cyber Threat Intelligence and Offensive Security Expert
An exploit tool is a functional PoC with added features.
The best way to learn from it and rely on it is to read its code and monitor it to see how it works at a network level.
When reading a tool source code, I like to get to the line of code that triggers the vulnerability. I learned a lot doing it this way.
Always practice a student mindset about penetration testing
I hope reading these 17 perspectives fueled yours with new ideas on how pentesting might evolve and how you can better integrate these insights into your security testing work.
A big thank you to all the offensive security specialists who found the time to share their know-how and experience! Their generous sharing helped us get a glimpse of how the penetration testing industry could look like a decade from now.
I’m planning to keep this roundup open and updated with input from more infosec peers, so, if you want to contribute, feel free to reach out. I’ll be more than happy to hear from you!