⭐ Featured Episode

The Penetration Test That Penetrated Nothing

9 min read
By The Operator
Heat

Management hired external penetration testers. The TTY panicked. The testers discovered what I already knew. Everyone learned something, except management.

The Penetration Test That Penetrated Nothing thumbnail

Management scheduled a surprise penetration test without telling me, which was their first mistake.

The email arrived at 9:47 AM on a Tuesday—the worst possible day for management to remember security exists. Subject line: "External Security Assessment - This Week." No details. No scope. No heads-up to the actual people running the infrastructure. Just management's confidence that they'd made an "executive decision."

I forwarded it to the TTY with a single word: "Educational."

The TTY's response arrived in fourteen seconds:

TTY: "THEY'RE GOING TO HACK US???"

I could practically hear the capital letters and question marks echoing through the datacenter. This was going to be fun. For me, at least.

The Panic

The TTY appeared at my desk sixty seconds later, laptop clutched like a shield, eyes wide with the particular terror of a junior sysadmin who just learned that authorized attackers exist.

TTY: "We need to—"

OPERATOR: "No."

TTY: "But they'll—"

OPERATOR: "They won't."

TTY: "Should we at least—"

OPERATOR: "Absolutely not."

The TTY processed this. I watched their brain cycle through the five stages of security awareness: denial, panic, bargaining, acceptance, and checking the firewall logs anyway. They landed somewhere between panic and bargaining.

TTY: "But what if they find something?"

OPERATOR: "They will. They'll find exactly what I documented in the security audit from six months ago. The one management filed under 'action items for next quarter.' Which is executive-speak for 'ignore until it becomes someone else's problem.'"

The TTY's panic upgraded to existential dread.

TTY: "We have known vulnerabilities?"

OPERATOR: "We have known executive decisions. The vulnerabilities are theoretical. The budget constraints are very real."

I pulled up my clipboard—the actual one, not the metaphorical documentation, though that clipboard was also relevant. "Here's what's going to happen. The penetration testers will run their scanners. Nmap, probably. Maybe Burp Suite if they're testing web applications. Possibly Metasploit if they're feeling theatrical."

The TTY grabbed their notebook. They were learning to document everything. There was hope for them yet.

OPERATOR: "They'll find the usual suspects. Outdated SSL certificates on the legacy system that management won't fund replacing. The test server with default credentials that's been 'temporarily' on the public internet for eighteen months. Maybe the SMTP server that's configured exactly as RFC 5321 specifies, which coincidentally makes it look vulnerable to scanners that don't understand how email actually works."

TTY: "Should we fix—"

OPERATOR: "With what budget? The same budget that paid for this penetration test instead of the infrastructure upgrades I requested?"

The TTY understood. This was a learning opportunity with multiple lessons.

The Test

The penetration testers began their work Thursday morning. I knew this because the TTY burst into the datacenter at 10:03 AM with news that "suspicious traffic" was lighting up our intrusion detection system like a Christmas tree in July.

OPERATOR: "That's not suspicious. That's expensive."

I pulled up the IDS console. The traffic signatures were unmistakable: systematic port scanning, service enumeration, that distinctive pattern of a Nessus vulnerability scanner politely knocking on every door in the network asking if anyone was home. Professional. Authorized. Predictable.

TTY: "Are they in?"

OPERATOR: "In what? They're scanning. That's reconnaissance, not compromise. It's like walking around a building checking if the doors are locked versus actually picking the lock and going inside."

TTY: "So we're secure?"

OPERATOR: "We're assessed. Security is a spectrum, not a binary. Right now, they're discovering that our perimeter firewall is configured correctly, our segmentation is adequate, and our patch management is mostly compliant with mostly everything."

The TTY relaxed slightly.

TTY: "So they won't find anything serious?"

OPERATOR: "Oh, they'll find things. They'll find that Server Rack #7's management interface is accessible from the internal network—which is by design, since managing servers remotely is the entire point of management interfaces. They'll report it as 'potential unauthorized access vector.' Management will panic. I'll explain that blocking it would require us to physically visit the datacenter for every configuration change, which would cost more in time than the theoretical risk of an attacker who's already compromised our internal network specifically targeting server management interfaces."

TTY: "Will management understand?"

OPERATOR: "Management will schedule a meeting."

The TTY winced. They were learning.

The Findings

The penetration test report arrived the following Wednesday as a 47-page PDF with executive summary, detailed findings, risk matrices, and enough charts to stock a business school textbook.

I read it in twelve minutes. The TTY read the executive summary in four and immediately started sweating.

TTY: "CRITICAL FINDINGS. Multiple high-severity vulnerabilities identified. Immediate remediation required."

OPERATOR: "Keep reading."

They flipped to the detailed findings. I watched comprehension dawn slowly, like a sunrise made of disappointment.

TTY: "'SSL certificate expires in 47 days.' That's... not actually a vulnerability right now?"

OPERATOR: "It's a future problem with a known solution. Also known as 'calendar-based infrastructure management.'"

TTY: "'Default credentials on test server.' But that's the server you told me to spin up for the interns. With intentionally simple credentials. That's on the isolated test network."

OPERATOR: "Which is mentioned in the scope documentation. If you read to page 34, paragraph 6, subsection B."

TTY: "'Potential SQL injection vectors detected.' On the demo application. That we built. For demonstrating SQL injection. In our security awareness training."

OPERATOR: "The irony is noted. Keep reading. It gets better."

Page 23 contained my favorite finding: "Network segmentation insufficient." The evidence? A network diagram showing that our development, staging, and production environments were separated by VLANs and firewall rules—exactly as recommended by every security framework since networking was invented.

The "insufficiency" stemmed from the penetration testers' inability to jump between networks freely, which they interpreted as a limitation of the test rather than evidence that the security controls were working. Professional standards required them to note this. Professional courtesy required me not to laugh too hard.

TTY: "So we're... fine?"

OPERATOR: "We're documented. Which is what penetration tests actually do. They don't make you secure. They document your current security posture so management can make informed decisions."

TTY: "Will management make informed decisions?"

OPERATOR: "Management will schedule another meeting."

The Meeting

The post-test review meeting happened Friday at 2 PM, which is when management schedules all bad news to minimize the chance of follow-up questions before the weekend.

The penetration testing team presented their findings with the grave seriousness of doctors diagnosing a terminal illness in a patient who'd actually just had too much coffee. Management nodded sagely at every "critical" and "high-severity" designation.

I waited.

Finally, the testing team reached their recommendations: "Immediate remediation of critical findings. Budget allocation for infrastructure upgrades. Implementation of additional security controls."

Management turned to me.

MANAGEMENT: "Can you implement these recommendations?"

OPERATOR: "Yes. With the budget I requested six months ago. The same budget that was redirected to fund this penetration test."

The meeting got quieter.

OPERATOR: "The critical findings are items from my security audit. Which I filed. In March. The recommendations are identical to my recommendations. Which I provided. With cost estimates. And implementation timelines."

I pulled up my documentation. Projected on the conference room screen: my audit report, dated March 15th, with line-by-line correlation to the penetration test findings.

MANAGEMENT: "So you knew about these issues?"

OPERATOR: "I documented them. And provided solutions. And cost estimates. And waited for budget approval that never came."

The penetration testing team looked at their report. Then at my audit. Then at management. Professional courtesy prevented them from laughing, but professional respect made them nod.

USER: "The Operator's audit is comprehensive. Our findings validate the identified risks. The recommendations align with industry best practices."

Which was professional-speak for "you hired us to tell you what your sysadmin already told you for free."

Management absorbed this.

MANAGEMENT: "So what's our next step?"

OPERATOR: "Allocate the budget. Approve the infrastructure upgrades. Let me implement the security controls I specified in March. Or schedule another penetration test in six months to re-discover the same findings."

MANAGEMENT: "We'll review the budget."

Which meant nothing would happen until next quarter.

The meeting adjourned. The TTY followed me back to the datacenter, processing.

TTY: "So the penetration test was..."

OPERATOR: "Expensive validation. Useful for compliance. Required for insurance. Excellent for creating documentation that management might eventually read. But not a substitute for actually funding security infrastructure."

TTY: "Did we learn anything?"

OPERATOR: "You learned that security theatre exists at every level. And that documentation is immortal. The penetration testers learned that we actually know what we're doing. Management learned nothing, but that's consistent with historical patterns."

I updated my clipboard. Added notes. Filed the penetration test report next to my audit report. Created a new entry for "next quarter's budget discussion."

The TTY returned to their desk. I watched them create a new document: their own security audit checklist. They were improving.

Server Rack #7's indicator lights blinked in what I chose to interpret as approval.

The Operator's Notes:

The moral: External validation is useful. Internal documentation is essential. Budget allocation is mythical. The penetration test found exactly what I told management existed. Management will schedule another penetration test next year. The TTY learned to document everything before management forgets it exists. I learned nothing new, but the coffee was acceptable.

Documented. Filed. Ready for next quarter's identical meeting.

Uptime: 157 days. Penetration test findings: 14. Findings that surprised me: 0. Coffee consumed during report review: 3 cups. Meetings scheduled as a result: 2. Budget allocated: TBD (translation: none).

security-theatremanagementTTY-adventurescomedylessons-learned
Note added to ClipboardManagement
View in Clipboard
← Back to All Episodes