> sudo -u attacker /bin/think_
Most organisations build security by thinking about what they need to protect. They list their assets, categorise their data, implement controls, and write policies. This is sensible, necessary work — but it has a fundamental blind spot.
It's entirely inward-looking. It asks "what do we have?" and "how do we protect it?" — but it rarely asks the question that matters most: "if I wanted to break into this organisation, how would I actually do it?"
That's the question an attacker asks. And the gap between how defenders think and how attackers think is where most breaches live.
Penetration testing exists to bridge that gap. A good pen tester doesn't just run tools against your systems — they adopt the attacker's perspective, think creatively about how to subvert your defences, and demonstrate what a real adversary could achieve. Understanding that mindset is the first step to building defences that actually work.
Defenders have to protect every entry point, every system, every user, every configuration, every day. Attackers only need to find one weakness, once. This asymmetry is permanent — you can't eliminate it. But you can understand it, and design your defences accordingly.
Attackers don't think in checklists, compliance frameworks, or risk registers. They think in opportunities, paths, and objectives. Their approach is fundamentally creative — they're solving a puzzle, and the puzzle is your organisation.
Here are the mental models that distinguish an attacker's thinking from a defender's:
| Defender Thinks... | Attacker Thinks... |
|---|---|
| "We have a firewall, so the perimeter is secure." | "What's behind the firewall that I can reach another way? VPN? Cloud? A third-party supplier with a trust relationship?" |
| "We patched everything on the critical list." | "What about the medium-severity flaw on that forgotten staging server? The one with credentials that also work on production?" |
| "We use MFA everywhere." | "Everywhere? What about the service accounts? The legacy application? The VPN concentrator? The admin portal that was 'temporary'?" |
| "Our users completed security awareness training." | "All of them? And how good is that training against a targeted spear-phish that references a real internal project by name?" |
| "We have network segmentation." | "Is it enforced? Or is there a workstation in IT support that has routes to both the corporate network and the production environment?" |
| "Our security team monitors for threats." | "What do they monitor? What are their blind spots? What if I use living-off-the-land techniques that look like legitimate admin activity?" |
The pattern is clear. Defenders think about what they've implemented. Attackers think about what's been missed, what's been assumed, and what's been forgotten.
Whether it's a financially motivated criminal gang, a state-sponsored APT group, or an opportunistic script kiddie, effective attackers share a set of operating principles. Understanding these helps explain why breaches succeed — and where defensive strategies most often fail.
Attacks aren't single events — they're journeys. Every successful compromise follows a progression, from initial research to final objective. Understanding this progression is essential for both pen testers (who simulate it) and defenders (who need to detect and interrupt it).
The most widely-used model for describing this progression is Lockheed Martin's Cyber Kill Chain, often supplemented with the more granular MITRE ATT&CK framework. Here's what the journey looks like in practice — not from a textbook, but from the attacker's perspective.
| Phase | What the Attacker Does | What They're Thinking |
|---|---|---|
| 1. Reconnaissance | OSINT gathering — LinkedIn profiles, job adverts (revealing tech stacks), DNS records, certificate transparency logs, breached credential databases, GitHub repos, Shodan scans. | "What can I learn about this organisation without touching their systems? What technologies do they use? Who works there? What's exposed to the internet?" |
| 2. Weaponisation | Craft the attack tools — phishing emails, exploit payloads, malicious documents, watering hole pages. Tailor everything to the specific target using intelligence gathered in Phase 1. | "Based on what I know about their tech stack and their people, what's the most effective way in? Can I reuse an existing exploit, or do I need to customise?" |
| 3. Delivery | Get the payload to the target — spear-phishing email, compromised website, USB drop, exploiting an internet-facing vulnerability, attacking a supply chain partner. | "What delivery method is most likely to succeed and least likely to be detected? Email? Web? Physical?" |
| 4. Exploitation | The payload executes — a vulnerability is exploited, a credential is captured, a backdoor is installed. The attacker achieves initial access to a system or account. | "I'm in. Now — where am I? What can this account access? What's on this machine? How noisy was that entry? Did anything alert?" |
| 5. Installation / Persistence | Establish persistence — scheduled tasks, registry modifications, web shells, stolen tokens, implanted SSH keys. Ensure access survives reboots and password changes. | "If they discover this foothold, do I have a backup? Can I get back in through another route? How do I make this access survive?" |
| 6. Lateral Movement | Pivot from the initial foothold to higher-value systems — credential harvesting, pass-the-hash, Kerberoasting, exploiting trust relationships, abusing administrative tools. | "The workstation is a stepping stone, not the target. How do I reach the domain controller? The database server? The backup system?" |
| 7. Objective Completion | Achieve the goal — data exfiltration, ransomware deployment, intellectual property theft, business disruption, financial fraud, or simply proving access for espionage purposes. | "I have what I came for. Now — how do I get the data out without triggering DLP? Or how do I maximise the impact of the ransomware before anyone notices?" |
The critical insight for defenders: every phase is a detection opportunity. You don't have to stop the attacker at the perimeter. If you can detect and respond at any point in the chain — reconnaissance, delivery, lateral movement — you can disrupt the attack before the objective is achieved.
True defence in depth isn't just having multiple controls at the perimeter. It's having detection and response capability at every phase of the kill chain — so that even if the perimeter fails, the attacker is detected during lateral movement, or the exfiltration is blocked, or the ransomware is contained before it spreads.
Theory is useful, but a concrete example makes the attacker mindset tangible. Here's a realistic scenario — a composite drawn from patterns we see regularly in our pen testing engagements.
The target is a mid-size professional services firm. 300 employees, Microsoft 365, Azure AD, on-premises file servers, and a customer-facing web portal.
Every step in that scenario used legitimate tools, known techniques, and exploited predictable human behaviour. No zero-days. No custom malware. No genius-level hacking. Just patience, methodology, and an understanding of how organisations actually work.
This is exactly what a penetration test simulates — and exactly what a vulnerability scan would never have found.
Organisations tend to protect what they consider valuable — the production database, the financial systems, the customer portal. Attackers target something different: whatever gives them leverage.
The target isn't always the crown jewels. Often, it's the stepping stone to the crown jewels — the system, account, or relationship that provides the access or privilege needed to reach the real objective.
| What Defenders Protect | What Attackers Actually Target |
|---|---|
| The production database | The staging database — same schema, same data, no monitoring, weaker access controls. Often contains a recent copy of production data. |
| The CEO's email account | The CEO's PA's email account — has access to the same calendar, attachments, and forwarding rules, but without the same level of protection. |
| The firewall | The VPN concentrator — one unpatched CVE and the attacker is inside the network, behind the firewall. |
| The domain controller | The IT admin's workstation — has cached Domain Admin credentials. Compromise the workstation, harvest the creds, own the domain. |
| The web application | The CI/CD pipeline — inject malicious code into the build process and it ships to production automatically, signed and trusted. |
| The network perimeter | The third-party supplier — they have a trusted VPN connection into your network and weaker security controls than you do. |
| The security team | The helpdesk — trained to be helpful, authorised to reset passwords, and rarely trained to resist social engineering at the level a targeted attacker will employ. |
This is why threat modelling — thinking about who would attack you, what they'd want, and how they'd get it — is more valuable than simply listing your assets and ticking compliance boxes.
Not all attackers are the same. Their motivations, capabilities, and patience levels vary enormously — and your defences should be calibrated to the threats most relevant to your organisation.
| Adversary Type | Motivation | Typical TTPs | Patience Level |
|---|---|---|---|
| Opportunistic / Script Kiddie | Curiosity, bragging rights, easy money | Automated scanners, known exploits, default credentials, mass phishing | Low — moves on quickly if initial attempts fail |
| Financially Motivated Criminal | Ransomware, data theft for sale, BEC fraud | Phishing, credential stuffing, exploit kits, RaaS (Ransomware as a Service), living-off-the-land tools | Moderate — will invest days to weeks for a profitable target |
| Organised Crime Group | Large-scale fraud, data harvesting, extortion | Custom tooling, supply chain attacks, insider recruitment, long-term infrastructure | High — well-resourced, patient, and persistent |
| State-Sponsored / APT | Espionage, intellectual property theft, geopolitical advantage, pre-positioning for disruption | Zero-days, custom implants, encrypted C2, living-off-the-land, supply chain compromise, long-term dormancy | Very high — will maintain access for months or years undetected |
| Insider Threat | Revenge, financial gain, ideology, coercion | Legitimate access used for illegitimate purposes — data exfiltration, sabotage, credential sharing | Variable — may be a single impulsive act or a carefully planned long-term operation |
| Hacktivist | Political or ideological statement, public embarrassment | DDoS, website defacement, data leaks, social media amplification | Low to moderate — seeking visibility and impact, not stealth |
Your penetration testing programme should reflect the adversaries most likely to target your sector and organisation. A small e-commerce business faces different threats to a defence contractor. The testing should be calibrated accordingly.
Understanding the attacker mindset isn't just academically interesting — it directly determines the quality and value of a penetration test. A pen tester who thinks like an attacker will find fundamentally different things than one who follows a checklist.
| Checklist Tester | Attacker-Minded Tester |
|---|---|
| Runs Nessus, reports the output | Uses Nessus as a starting point, then manually investigates anything interesting — probing, chaining, and thinking laterally |
| Tests the web application against the OWASP Top 10 | Tests the OWASP Top 10 and the business logic, the API, the authentication edge cases, the error handling, and the trust boundaries between components |
| Reports 47 findings sorted by CVSS score | Reports 12 findings — 3 of which chain together into a complete compromise — and explains the attack narrative end to end |
| Tests only what's in scope | Tests what's in scope, but flags out-of-scope risks discovered during testing ("we didn't test this, but you should know it's there") |
| Stops when a vulnerability is found | Exploits the vulnerability, then asks: what next? Can I escalate? Can I pivot? Can I reach something more valuable from here? |
| Produces a report the auditor can file | Produces a report the board can act on — with business impact, risk prioritisation, and a clear remediation roadmap |
The difference isn't in the tools — it's in the thinking. Both testers have access to the same technology. The attacker-minded tester uses those tools in service of a larger question: what is the worst realistic thing I can achieve with the access I've gained?
You don't need to become a hacker to benefit from attacker thinking. But you do need to regularly ask yourself the questions an attacker would ask — and be honest about the answers.
Attackers succeed not because they have better tools, but because they think differently. They look for what's been missed, chain small weaknesses into big compromises, target people as readily as technology, and adapt constantly to the defences they encounter.
Effective penetration testing embodies this mindset. A good pen tester doesn't just scan for vulnerabilities — they think like an adversary, act like an adversary, and show you what an adversary could achieve. The result isn't just a list of findings. It's a genuine understanding of your risk.
The best defence isn't a bigger wall. It's understanding how the people trying to get over, under, around, and through that wall actually think — and building your strategy accordingly.
Our testers come from the offensive security community — CTF winners, bug bounty hunters, and red team operators. We don't just run tools. We think, adapt, and demonstrate real-world impact.