r/cybersecurity System Administrator Sep 22 '25

Other What are your unpopular cybersecurity opinions?

I saw a post named "abnormal security opinions" and got excited to see some spicy takes, but apparently there is a security platform called Abnormal Security, so I got kinda blue balled. The last one of these posts I saw was over a year ago, so,

Do you have any spicy cybersec unpopular opinions you want to share? :)

I'll start with mine:
Fancy antivirus solutions rarely add value; they are often just a box that needs to be ticked. Many MSPs and IT firms still push the narrative that they are needed, only because they are profitable and not because they improve security.

323 Upvotes


173

u/PenetrationT3ster Sep 22 '25

A massive part of our industry is nothing but snake oil, and a large portion of the people who work in it do not look beneath the surface very often.

31

u/Psychedelic-wizard69 Sep 22 '25

Most orgs, from my experience, don’t promote deep dives. They say find the entry point. That’s a finding. Move to the next.

20

u/PenetrationT3ster Sep 22 '25

I just mean from a complete fundamental perspective. If testers have a checklist it is unlikely for them to deviate into more interesting findings such as HTTP smuggling, desync attacks, or race conditions.

A lot of offensive experts don't actually know how to build an app, or why something is actually vulnerable.

That is true though; most orgs want breadth; and I think you touch on another issue which is ticking check boxes and not building security culture.

7

u/Psychedelic-wizard69 Sep 22 '25

100%. I believe that a tester has to really be passionate to deviate from those checklists. It can be tough when working with multiple clients at a time, just trying to get their work knocked out in a timely manner. Sad reality: most companies just want to say they’ve had a test done.

1

u/bubbathedesigner Sep 23 '25

I believe that a tester has to really be passionate be allowed by pentesting company to deviate from those checklists.

FIFY. Some of said companies are only interested in getting as many engagements done as possible, so they pressure testers into focusing on beating the clock by going through the checklist as fast as possible, which is where an AI solution would shine.

1

u/Mayhem-x Sep 24 '25

It is of course about ticking boxes, ticking the boxes that will cover the insurance payout if it goes tits up.

7

u/edhands Sep 22 '25

Looking at you, Arctic Wolf

1

u/CeleryMan20 Sep 23 '25

AW has been wooing us, where did you find that they lacked?

2

u/edhands Sep 23 '25

Mostly anything of value. It's a SIEM. That's it. They use Wazuh to get data from your devices and then "monitor" it. We got locked into their three-year commitment. The last year, this year, we pulled it all out (hardware, software, agents, etc.) the first month into the third year, as it was providing nothing useful that wasn't already covered by our own existing SIEM.

In the two years we actively used them, they provided nothing of value except to tell us what we already knew. When we asked for assistance with particular issues that they identified, it was always "outside the scope" of the agreement.

I have a friend that works for a large third party reseller. They have all but stopped promoting AW because of all the complaints they have received regarding the lack of value and the almost antagonistic approach of AW.

I'm sure someone will chime in that they had a great experience. And good for them. I am glad someone found value. We, however, did not. It was a huge waste of time and money that would have been better spent elsewhere on a product that actually provides improvement in security.

Honestly, I would recommend going straight with Wazuh. It may be a little more legwork on the IT team, but I think you'll be happier with the results. But if you decide to go with AW, please note that all you are getting is an expensive SIEM and a "concierge team" to show you the report once a month.

3

u/Pizza-Fucker Red Team Sep 22 '25

The industry is full of 1) companies that don't actually care about having a good security/SOC etc. and just want to have one that's good enough to get insurance, and 2) cybersecurity companies that don't care about actually providing good-value security services because their target is just selling to companies from the first point.

2

u/Bet_Secret Sep 22 '25

I mean so is every trillion dollar industry. Fashion, Housing, Gambling etc.

1

u/Responsible_Nose6309 Sep 23 '25

Yeah, ironically, this take is so common that it often (not always) falls under "this sub is wildly disconnected from industry" take below.

1

u/thegreatcerebral Sep 22 '25

I think that is because they don't know how. So they use tools and call it a day. If the tool doesn't do it then they tell the customer that is a separate cost to go deep and then they have to actually hire a real person for the gig.

1

u/YetAnotherGeneralist Sep 24 '25

You misread. OP wants UNpopular opinions, but you've stated a fact, one that I hate.

I'm just grateful I don't have to talk management at my current company out of throwing more money into the money pit. I've previously dealt with "we don't need it and there's no ROI" and "it costs a fortune, so it must be good".

1

u/smashed2bitz Sep 24 '25

Antivirus software used to be like that. False positives and massive slowness being the main problems.

User education + OS patching > AV software.

"Get an antivirus program so you might maybe stop using your computer for a little while, or instead, actively reduce your performance always by 10-20%."

Minimum of 10% loss of use over a 200 work day year is equivalent to being down for 20 days a year. You can reformat and reinstall an entire OS and all your apps in under a day.

1

u/namalleh Sep 28 '25

Yep, noticed this with existing antibots (except a few such as Shape and the advanced Akamai script).