About This Session
Penetration testing is a critical element of a mature information security program, yet it is often misunderstood or treated as interchangeable with vulnerability scanning. This presentation shares practical insights and lessons learned from a year of delivering penetration testing services within higher education environments, with a focus on what makes pen testing uniquely valuable and uniquely challenging.
The session clarifies the fundamental differences between vulnerability scans and penetration tests, discusses what makes an effective penetration tester, and addresses common challenges encountered during pre-engagement planning. Attendees will gain insight into recurring attack paths and systemic weaknesses observed during assessments.
Pen Testing vs. Vulnerability Scanning
Vulnerability Scanning
Automated identification of known vulnerabilities across systems: broad coverage, low depth, useful for compliance baselines and patch prioritization.
Penetration Testing
Simulated adversarial attack: a human tester actively exploits weaknesses to demonstrate real-world impact, including chained vulnerabilities that scanners miss entirely.
Assumed-Breach Testing
What happens after initial access is achieved? Assumed-breach models test lateral movement, privilege escalation, and data exfiltration, the part attackers are most interested in.
Shadow IT Risk
The organizational risks posed by rogue or shadow IT: systems outside standard management that represent invisible attack surfaces during real engagements.
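One concrete way a defender can surface shadow IT before a tester does is to reconcile the managed-asset inventory against hosts actually observed on the network. The following is an added example, not material from the session or its presenters: it parses constructed dhcpd-style DHCPACK lease lines (the log layout, the inventory contents, and every address in it are assumed sample data) and reports hosts that obtained a lease but have no inventory record, plus inventory entries that never appeared on the wire.

```python
"""Reconcile a managed-asset inventory against hosts observed on the network.

Added shadow IT check (not from the session): flag hosts seen in DHCP lease
records that are absent from the managed inventory. All data below is
constructed for illustration; the dhcpd-style line format is an assumption.
"""
import re
from dataclasses import dataclass

# Constructed inventory of managed assets: hostname -> MAC address.
MANAGED_INVENTORY = {
    "lib-ws-01": "00:11:22:33:44:01",
    "lib-ws-02": "00:11:22:33:44:02",
    "hr-srv-01": "00:11:22:33:44:10",
}

# Constructed DHCP server log lines (dhcpd-style layout assumed).
DHCP_LEASE_LOG = """\
Mar 01 08:12:03 dhcp dhcpd: DHCPACK on 10.20.5.21 to 00:11:22:33:44:01 (lib-ws-01) via eth0
Mar 01 08:13:44 dhcp dhcpd: DHCPACK on 10.20.5.22 to 00:11:22:33:44:02 (lib-ws-02) via eth0
Mar 01 09:02:17 dhcp dhcpd: DHCPACK on 10.20.5.88 to aa:bb:cc:dd:ee:ff (raspberrypi) via eth0
Mar 01 09:05:51 dhcp dhcpd: DHCPACK on 10.20.5.89 to de:ad:be:ef:00:01 via eth0
Mar 01 09:06:00 dhcp dhcpd: DHCPDISCOVER from 12:34:56:78:9a:bc via eth0
"""

# Only DHCPACK lines mean a host actually received an address; the client
# hostname in parentheses is optional because many devices never send one.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-fA-F:]{17})"
    r"(?: \((?P<host>[^)]*)\))?"
)


@dataclass(frozen=True)
class ObservedHost:
    ip: str
    mac: str
    hostname: str  # empty string when the client sent no hostname


def parse_leases(log_text):
    """Return the set of hosts granted a lease, keyed on the MAC address."""
    hosts = set()
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            hosts.add(ObservedHost(m["ip"], m["mac"].lower(), m["host"] or ""))
    return hosts


def find_unmanaged(observed, inventory):
    """Observed hosts whose MAC has no inventory record, sorted by IP."""
    known_macs = {mac.lower() for mac in inventory.values()}
    return sorted((h for h in observed if h.mac not in known_macs),
                  key=lambda h: h.ip)


def find_stale(observed, inventory):
    """Inventory entries never seen on the wire (candidate stale records)."""
    seen = {h.mac for h in observed}
    return sorted(name for name, mac in inventory.items()
                  if mac.lower() not in seen)


if __name__ == "__main__":
    obs = parse_leases(DHCP_LEASE_LOG)
    for h in find_unmanaged(obs, MANAGED_INVENTORY):
        print(f"UNMANAGED {h.ip} {h.mac} {h.hostname or '<no hostname>'}")
    for name in find_stale(obs, MANAGED_INVENTORY):
        print(f"STALE-INVENTORY {name}")
```

Matching on MAC rather than hostname is deliberate: a hostname is whatever the client chooses to announce, so an inventory keyed on it would let any device blend in by reusing a managed name. The stale-record list is worth reviewing as well, since an inventory that claims assets no longer present overstates coverage and hides the real attack surface.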
Learning Outcomes
- Differentiate between vulnerability scanning and penetration testing by understanding their goals, limitations, and appropriate use within an information security program.
- Identify common factors that influence penetration testing outcomes, including pre-engagement scoping, assumed-breach models, and organizational blind spots.
- Apply penetration testing insights to improve remediation prioritization, detection capabilities, and the overall effectiveness of security controls beyond compliance requirements.
