> diff pen_test_chain.txt incident_timeline.txt && echo 'almost identical'
In October 2024, a mid-sized financial services firm experienced a ransomware incident. The incident response team's forensic analysis revealed the attack chain: initial access via a phishing email containing an HTML smuggling payload, execution on a workstation that bypassed the endpoint protection, credential harvesting via LLMNR poisoning on the workstation VLAN, lateral movement to the file server using the captured credentials (SMB signing was not enforced), privilege escalation through a Kerberoastable service account with a weak password, and domain compromise via DCSync — giving the attacker the keys to the entire Active Directory.
Seven months earlier, the firm's annual pen test report had documented the same chain. Not a similar chain. The same chain — the same entry techniques, the same escalation path, the same destination. LLMNR poisoning was finding F-003. Unenforced SMB signing was F-007. The Kerberoastable service account was F-011. The report recommended disabling LLMNR, enforcing SMB signing, and migrating the service account to a gMSA. The findings were in the remediation tracker. Two of the three were marked as "in progress" when the real attack arrived.
This pattern — pen test findings that precisely mirror the eventual breach pathway — is not unusual. Pen testers and real attackers use the same techniques because they exploit the same weaknesses. The techniques that appear in pen test reports — credential harvesting, lateral movement, privilege escalation, data access — are the same techniques that appear in incident response forensic reports. The pen test is, in effect, a controlled preview of the organisation's most likely breach scenario.
The overlap between pen test techniques and real-world attack techniques isn't coincidental. Both pen testers and attackers are solving the same problem: starting from a position of limited access and finding the most efficient path to the highest-value target. The environment's weaknesses determine the path — and those weaknesses are the same regardless of who exploits them.
| MITRE ATT&CK Tactic | Common Pen Test Technique | Real-World Incident Technique | Why They Match |
|---|---|---|---|
| Initial Access | Phishing payload delivery. Exploitation of internet-facing services. Password spraying against exposed portals. | Phishing with malicious attachments or links. Exploitation of VPN or web application vulnerabilities. Credential stuffing from breached databases. | The internet-facing attack surface is the same. The entry points that a pen tester identifies are the same entry points a real attacker would target. |
| Credential Access | LLMNR/NBT-NS poisoning. Kerberoasting. Password spraying. Credential dumping from LSASS. | LLMNR poisoning (used extensively by ransomware operators). Kerberoasting. Credential theft via Mimikatz or equivalent tools. | Credential harvesting techniques exploit protocol and configuration weaknesses that exist regardless of who's testing. If the pen tester can poison LLMNR, so can the attacker. |
| Lateral Movement | Pass-the-hash. PsExec. WMI execution. SMB relay (where signing isn't enforced). RDP with captured credentials. | The same techniques — pass-the-hash, PsExec, WMI, RDP — are used by virtually every ransomware operator and APT group for lateral movement. | Lateral movement exploits network architecture — flat networks, missing SMB signing, excessive admin rights. The architecture is the same regardless of the adversary. |
| Privilege Escalation | Kerberoasting of service accounts. Abuse of misconfigured delegation. Local privilege escalation via unpatched services. GPO abuse. | Service account compromise. Delegation abuse. Token impersonation. Exploitation of misconfigured Active Directory permissions. | Active Directory misconfigurations are exploited identically by pen testers and attackers. The Kerberoastable service account that the pen tester cracks is the same one the attacker would target. |
| Impact | Demonstration of data access. Proof of Domain Admin. Evidence of ability to deploy payloads across the domain. | Ransomware deployment via Group Policy. Data exfiltration. Destruction of backups. Domain-wide encryption. | The pen tester stops at proof of access. The attacker continues to impact. But the path to that point — the chain of findings — is identical. |
The only meaningful difference is intent. The pen tester stops at proof of compromise and writes a report. The attacker continues to ransomware deployment, data exfiltration, or destruction. The chain that both follow is the same — because the chain is determined by the environment's weaknesses, not by the person exploiting them.
If the pen test report is a preview of the most likely breach scenario, the incident response plan should be designed to address that scenario specifically. Generic IR plans — "in the event of a cyber incident, activate the incident response team" — are insufficient. A plan informed by pen test findings addresses the specific attack paths that have been demonstrated against the organisation's specific environment.
| Pen Test Finding | IR Planning Implication |
|---|---|
| Tester achieved initial access via phishing payload that bypassed endpoint protection. | The IR plan must account for endpoint protection failure. Detection cannot rely solely on the EDR catching the initial payload. Secondary detection layers — behavioural analysis, network monitoring, user-reported phishing workflows — must be operational and tested. |
| Tester harvested credentials via LLMNR poisoning within 12 minutes of internal access. | The IR plan should include LLMNR/broadcast protocol monitoring as an early indicator. If LLMNR is still enabled (pending remediation), the SOC should have detection rules for poisoning activity — providing early warning that an attacker is present. |
| Tester moved laterally across a flat network without encountering segmentation. | The IR containment strategy must account for unrestricted lateral movement. If the network is flat, containment cannot rely on network boundaries. The plan should define which systems to isolate first (domain controllers, backup servers, critical databases) and how to isolate them quickly. |
| Tester achieved Domain Admin via Kerberoasting and DCSync. | The IR plan should include a krbtgt password reset procedure — the only way to invalidate Golden Tickets after a DCSync-based domain compromise. The plan should also address clean AD recovery procedures, including trust verification and account-by-account validation. |
| SOC detected 0 of 7 tester actions during the engagement. | The IR plan must assume that the SOC may not detect the initial compromise. The plan should include threat hunting procedures, compromise assessment triggers, and proactive investigation playbooks that don't depend on alert-driven detection. |
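As an added example (not code from the original article, and not from the firm or tester it describes), here is detection logic for two of the chain steps the table above asks the SOC to catch before the alert-driven process fails: bulk RC4 service-ticket requests from one client (Kerberoasting, Event ID 4769) and directory replication rights exercised by an account that is not a domain controller (DCSync, Event ID 4662). The event records are constructed samples in the shape of parsed Windows Security log fields, with 4662's `Properties` simplified to a list of GUIDs; the threshold, window, DC list and function names are assumptions.

```python
"""Added example: alert logic for two steps of the chain above, run over
constructed sample events shaped like parsed Windows Security log fields.
Not code from the original article. Thresholds and names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Extended rights that DCSync exercises (Microsoft-published control-access GUIDs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
RC4_HMAC = "0x17"                 # 4769 TicketEncryptionType for RC4 service tickets
ROAST_THRESHOLD = 3               # assumed: distinct SPN accounts per client per window
ROAST_WINDOW = timedelta(minutes=5)


def detect_kerberoasting(events):
    """Event ID 4769: one client requesting RC4 service tickets for several
    distinct service accounts in a short window (ATT&CK T1558.003)."""
    by_client = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine accounts and the TGT itself are not roastable targets
        by_client[e["IpAddress"]].append((e["TimeCreated"], svc))
    alerts = []
    for ip, reqs in by_client.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            # Distinct service accounts requested within ROAST_WINDOW of this request.
            window = {svc for ts, svc in reqs[i:] if ts - start <= ROAST_WINDOW}
            if len(window) >= ROAST_THRESHOLD:
                alerts.append({"rule": "kerberoasting", "technique": "T1558.003",
                               "client": ip, "services": sorted(window),
                               "first_seen": start})
                break
    return alerts


def detect_dcsync(events, domain_controllers):
    """Event ID 4662: replication rights exercised by an account that is not a
    known domain controller (ATT&CK T1003.006). DC-to-DC replication is expected."""
    alerts = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        rights = {g.lower() for g in e.get("Properties", [])} & REPLICATION_RIGHTS
        if not rights:
            continue
        actor = e["SubjectUserName"]
        if actor.rstrip("$").upper() in domain_controllers:
            continue
        alerts.append({"rule": "dcsync", "technique": "T1003.006",
                       "account": actor, "object": e["ObjectName"],
                       "rights": sorted(rights)})
    return alerts


def run_detections(events, domain_controllers):
    return detect_kerberoasting(events) + detect_dcsync(events, domain_controllers)


# Constructed sample events (not real logs). Times are offsets from T0.
T0 = datetime(2024, 10, 14, 9, 30)
DOMAIN_CONTROLLERS = {"DC01", "DC02"}          # assumed DC computer account names
REPL_GUIDS = ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
              "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]

def tgs(seconds, ip, service, etype=RC4_HMAC):
    return {"EventID": 4769, "TimeCreated": T0 + timedelta(seconds=seconds),
            "IpAddress": ip, "ServiceName": service, "TicketEncryptionType": etype}

def dir_access(actor, guids):
    return {"EventID": 4662, "SubjectUserName": actor,
            "ObjectName": "DC=corp,DC=example", "Properties": guids}

SAMPLE_EVENTS = [
    tgs(0, "10.10.20.15", "svc_sql"),           # workstation VLAN host starts roasting
    tgs(4, "10.10.20.15", "svc_backup"),
    tgs(9, "10.10.20.15", "svc_web"),
    tgs(11, "10.10.20.15", "DC01$"),            # machine account, ignored
    tgs(30, "10.10.30.7", "svc_sql", "0x12"),   # AES ticket, normal use
    tgs(45, "10.10.30.8", "svc_legacy"),        # single RC4 request, below threshold
    dir_access("DC02$", REPL_GUIDS),            # normal replication partner
    dir_access("jsmith", REPL_GUIDS),           # standard user pulling the directory
    dir_access("jsmith", ["00000000-0000-0000-0000-000000000000"]),  # placeholder, not a replication right
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS, DOMAIN_CONTROLLERS):
        print(alert)
```

Run against the constructed events, the block raises one Kerberoasting alert for 10.10.20.15 (three distinct service accounts in under a minute) and one DCSync alert for jsmith, while the DC02$ replication and the AES ticket request pass silently. In production the 4769 `IpAddress` is usually an IPv4-mapped IPv6 string and the 4662 `Properties` field is a multi-line blob, so a parser sits in front of these functions; the DCSync alert is also the natural trigger for the krbtgt reset procedure the table calls for, since a successful replication pull should be treated as a domain compromise until proven otherwise.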
Tabletop exercises — structured discussions where the incident response team walks through a hypothetical attack scenario — are most valuable when the scenario is realistic. The pen test attack narrative is the most realistic scenario available: it describes an attack that was actually executed against the organisation's actual systems by a skilled adversary.
The relationship between pen testing and incident preparedness isn't one-directional. Each feeds the other in a continuous improvement loop.
| Direction | How It Works | Example |
|---|---|---|
| Pen test → IR plan | Pen test findings reveal the most likely attack paths. The IR plan is updated to address those specific paths — including containment procedures, detection triggers, and recovery steps. | The pen test demonstrated DCSync. The IR plan now includes a krbtgt reset procedure with documented steps, authorisation requirements, and tested recovery timelines. |
| Pen test → tabletop exercise | The pen test attack narrative is converted into a tabletop scenario. The exercise tests whether the IR team can detect, contain, and recover from the demonstrated attack. | The tabletop exercise uses the pen test's 5-step chain as the scenario. The exercise reveals that the team doesn't know how to isolate the domain controller without disrupting all authentication — a gap now addressed in the updated plan. |
| Real incident → next pen test | If the organisation experiences a real incident, the forensic findings inform the next pen test scope. The tester validates that the post-incident remediations are effective and that the attack path is closed. | The organisation experienced a phishing-to-ransomware incident. The next pen test specifically targets the remediated controls: new email filtering, updated endpoint protection, deployed MFA, and new detection rules. |
| Tabletop → next pen test | Gaps discovered during the tabletop exercise inform the next pen test scope. The tester specifically tests the areas where the IR team identified uncertainty. | The tabletop revealed uncertainty about whether the EDR would catch a fileless attack. The next pen test includes fileless technique testing — providing the answer the tabletop couldn't. |
Pen testers and real attackers use the same techniques because they exploit the same weaknesses. The attack chain in the pen test report — phishing to credential harvesting to lateral movement to privilege escalation to domain compromise — is the same chain that appears in incident response forensic reports. The pen test is a controlled preview of the organisation's most likely breach scenario.
Organisations that use this preview to prepare — updating the IR plan against demonstrated attack paths, running tabletop exercises based on the attack narrative, building detection for the specific techniques that succeeded undetected, and pre-staging containment actions for the systems the tester compromised — respond faster, contain more effectively, and recover more completely when real incidents arrive.
The pen test report isn't just a list of vulnerabilities. It's the rehearsal for the incident that hasn't happened yet. The organisations that treat it as one are the organisations that are ready when it does.
Our reports include attack narratives designed to inform your IR plan and drive realistic tabletop exercises — with MITRE ATT&CK mapping, detection gap analysis, and containment recommendations that prepare your team for the incident that mirrors the test.