Many organisations, seeking to ensure operational continuity, have built their defences on cyclic penetration testing. This is a solid, even indispensable, foundation, but in current technological realities it is beginning to resemble digging a moat around a castle in the age of aviation. While the presence of safeguards gives executives the desired peace of mind, that peace of mind often rests on fragile assumptions. The problem is that the traditional approach to verifying systems is increasingly becoming a form of security theatre, where the main focus is not on real defensive capability but on the satisfaction of ticking a green box on an audit checklist.
Traditional penetration tests, while valuable and necessary, are inherently limited exercises. They take place in a controlled environment, have a well-defined timeframe and budget, and are constrained by a contract between vendor and client. A real hacker collective, meanwhile, operates under no contract. For an attacker, there is no concept of ‘scope of work’ or ‘operational hours’. The real threat is characterised by unpredictability, flexibility and the absence of any rules of the game. While the auditor checks the strength of a particular lock on the front door, the real aggressor patiently searches for an unlatched window in the basement, or studies the fatigue of a guard in order to get inside without using force.
The biggest weakness of conventional simulations is their predictability. Most tests examine the infrastructure from the defender’s point of view, looking at the technologies and processes that seem most logical. However, what is logical to a systems engineer rarely coincides with the creative chaos that cyber criminals sow. They exploit frequently overlooked systems, operational weaknesses and attack vectors that escape standard methodologies. In this clash, asymmetry works in the attacker’s favour: he only needs to succeed once, while the organisation needs to defend itself effectively every time, on every front.
What is becoming particularly worrying is the evolution of social engineering, which has become frighteningly effective in the age of ubiquitous artificial intelligence. Formerly primitive phishing attempts have given way to sophisticated campaigns in which the language barrier no longer exists. AI makes it possible to create messages with such a high degree of authenticity that distinguishing them from official correspondence becomes a challenge even for security-aware users. Voice cloning, generating real-looking service numbers and preparing emails from legitimate-looking domains are techniques that build enormous psychological pressure on employees. In such a scenario the individual, despite their best intentions, becomes an unwitting accomplice of the criminal. Unfortunately, rarely does a company choose to incorporate such radical and realistic psychological testing into its standard security strategy, fearing that it would compromise team comfort or complicate procedures.
Data from security reports gives a broader view of the directions in which attacks are evolving. The shift away from traditional Office documents with embedded macros towards SVG or IMG files is a sign that hackers have left long-established paths. The situation is similar in cloud environments such as Azure, where the goal is no longer simply to take over data, but to gain control of the control plane or to use session tokens to bypass multi-factor authentication. Focusing solely on the so-called crown jewels, the most important critical systems, while intuitive, can sometimes be short-sighted. Often it is the marginal services, such as Key Vault or cloud-based automation functions, that become the beachhead from which an attacker can conduct silent surveillance of a network for months.
The key to building real business resilience is a paradigm shift: moving from a simple wall-based defence to a holistic strategy focused on detection and response. Penetration testing should only be the starting point, not the ultimate goal. It becomes essential to implement procedures based on the actual tactics, techniques and procedures observed in active hacker groups. Only by systematically comparing its own defences with up-to-date threat intelligence can an organisation reduce an intruder’s time on the network and minimise potential losses.
From a strategic management point of view, cyber security should not be seen as an IT cost, but as an integral part of operational risk management. Too often, treating security testing merely as a compliance requirement leads to superficial assessments that give a false sense of protection. In fact, the tests most valuable to the business are those that expose weaknesses in the strategy, not those that validate the correct configuration of tools. The strategic need for action should come from an analysis of the most likely crisis scenarios, not from a desire for certification.

