> grep -c 'architectural' findings.json && echo 'these are the ones that matter most'_
A pen test report identifies that LLMNR is enabled across the domain. The fix is a GPO change — fifteen minutes, no downtime, no procurement. The finding is remediated. The specific attack vector is closed.
The same report identifies that the tester moved laterally from a compromised workstation to the finance server, then to the domain controller, without encountering a single network boundary. No segmentation. No firewall between VLANs. No east-west traffic filtering. The workstation, the finance server, and the domain controller all sit on the same flat network.
This finding doesn't get fixed by changing a GPO. It requires network redesign: VLAN segmentation, internal firewalls, access control lists, micro-segmentation policies, and a change management programme to implement them without disrupting operations. It's a six-month project, not a fifteen-minute fix. And it's the finding that matters more — because disabling LLMNR closes one entry point, but segmenting the network limits the blast radius of every future compromise, regardless of the entry point.
The first finding is a configuration issue. The second is an architectural weakness. Both appear in the same report. Only one changes the organisation's fundamental security posture.
Penetration testing is typically positioned at the end of the lifecycle — after the systems are designed, built, and deployed. The test finds issues. The issues are remediated. The cycle repeats. But the most effective use of pen testing is as an input to architecture, not just a check on configuration.
| Without the Feedback Loop | With the Feedback Loop |
|---|---|
| The pen test finds a flat network. The finding is noted. Segmentation is added to the remediation roadmap. Next year, the pen test finds the network is still flat — the project was deprioritised. | The pen test finds a flat network. The finding feeds into the architecture review. Network segmentation is incorporated into the infrastructure design standard. All new deployments are segmented by default. The legacy network is scheduled for segmentation as part of the next refresh cycle. |
| The pen test finds weak service account passwords. The passwords are rotated. Next year, new service accounts are created with weak passwords — the process that creates them hasn't changed. | The pen test finds weak service account passwords. The finding feeds into the identity architecture. A Group Managed Service Account (gMSA) standard is adopted. New service accounts are created with automatically rotated, complex passwords by design. The architectural pattern prevents the recurrence. |
| The pen test bypasses MFA by exploiting a legacy protocol that doesn't support modern authentication. The protocol is disabled on the tested system. Other systems still support it. | The pen test finding feeds into the authentication architecture. A conditional access policy is designed that blocks legacy protocols estate-wide. The authentication architecture standard is updated to require modern authentication for all new integrations. |
The feedback loop transforms a pen test finding from a one-time fix into a permanent architectural improvement. The finding doesn't just close the vulnerability — it changes the design standard so the vulnerability can't be reintroduced. This is the difference between remediating findings and improving architecture.
Every security architecture is built on assumptions: the network segmentation contains lateral movement, the authentication architecture prevents credential abuse, the privilege model limits escalation paths. Pen testing validates or invalidates these assumptions with evidence.
| Architectural Principle | What the Architecture Assumes | What Pen Testing Reveals |
|---|---|---|
| Network segmentation | The workstation VLAN, the server VLAN, and the management VLAN are isolated. Lateral movement between segments requires passing through a firewall with restrictive rules. | The tester discovers that the "allow all" rule added temporarily during the migration was never removed. Or that the segmentation doesn't cover the WiFi network. Or that the jump server in the management VLAN is accessible from the workstation VLAN via a misconfigured route. The architecture exists on paper. The implementation doesn't match. |
| Least privilege | Users have only the access they need to perform their role. Admin accounts are separate from daily-use accounts. Service accounts have the minimum permissions required. | The tester finds that 23% of users have local admin rights on their workstations. That the helpdesk team has Domain Admin access "because it's easier." That the backup service account has replicating directory changes permissions — enabling DCSync. Least privilege was the design intent. Privilege creep is the reality. |
| Defence in depth | Multiple layers of security controls protect critical assets. If one layer fails, the next layer catches the attacker. Perimeter, network, host, application, and data controls provide overlapping protection. | The tester compromises the perimeter via a phishing email and reaches the database server without triggering a single alert. The layers exist — but they don't interact. The perimeter control didn't feed the SIEM. The host-based detection wasn't configured on the database server. The layers are independent, not overlapping. |
| Zero trust / verify explicitly | Every access request is authenticated and authorised regardless of network location. No implicit trust based on being "inside the network." | The tester discovers that once on the internal network, lateral movement requires no additional authentication. Services trust the source IP rather than the user identity. Internal APIs accept requests without authentication if the source is an internal IP range. Zero trust was the strategy. Network-based trust is the implementation. |
| Secure authentication | MFA is enforced for all administrative and remote access. Legacy authentication protocols are disabled. Password policies enforce complexity and length. | The tester finds MFA enforced on the VPN but not on the Citrix gateway. Legacy NTLM authentication is still permitted because one legacy application requires it — but the exception applies domain-wide, not just to that application. The authentication architecture has the right intent but inconsistent enforcement. |
In each case, the pen test doesn't just find a vulnerability — it tests an architectural assumption. The finding isn't "NTLM is enabled." The finding is "the authentication architecture's assumption that legacy protocols are disabled is incorrect, and the inconsistency creates an exploitable path." This reframing is what turns a configuration finding into an architectural improvement.
The bridge between pen testing and architecture is the design standard. When a pen test finding reveals an architectural weakness, the remediation shouldn't just fix the specific instance — it should update the design standard so future implementations are secure by default.
| Pen Test Finding | Configuration Fix | Architectural Improvement |
|---|---|---|
| Tester moved laterally across flat network from workstation to domain controller. | Add firewall rules between the workstation and server subnets. | Adopt a segmentation standard: all new network deployments must implement VLAN segmentation with deny-by-default inter-VLAN rules. Existing networks scheduled for segmentation within a defined timeframe. Standard includes micro-segmentation requirements for critical assets. |
| Service account password cracked in 11 seconds via Kerberoasting. | Rotate the specific service account password to a 30+ character random string. | Adopt a gMSA standard for all service accounts. Update the service account provisioning process to use gMSAs by default. Legacy service accounts migrated on a defined schedule. Standard prohibits user-created passwords for service accounts. |
| Tester bypassed MFA by using NTLM authentication against a legacy application. | Disable NTLM for the specific application. Find a workaround. | Update the authentication architecture standard: all new applications must support modern authentication (SAML/OIDC). Legacy applications requiring NTLM must be isolated in a restricted network segment with enhanced monitoring. A retirement roadmap is maintained for all legacy authentication dependencies. |
| SOC did not detect the tester's lateral movement over a five-day period. | Deploy a detection rule for the specific technique used. | Review the detection architecture against the MITRE ATT&CK framework. Identify coverage gaps across the kill chain. Implement a detection engineering programme with quarterly purple team sessions to validate and expand coverage. Detection is designed as an architectural layer, not a collection of individual rules. |
| Tester accessed production database directly from a compromised workstation. | Restrict database access to the application servers' IP addresses. | Adopt a tiered access model: workstations cannot connect to production data stores directly. All data access flows through application tiers with authentication and authorisation. Privileged access to databases requires a Privileged Access Workstation (PAW) via a jump server in a protected management VLAN. |
The most effective position for security testing isn't after deployment — it's during design. Architecture reviews, threat modelling, and design-phase assessments identify weaknesses before they're built into infrastructure that's expensive and disruptive to change.
This progression — architecture review, threat modelling, pre-deployment testing, post-deployment validation — creates a continuous feedback loop where each stage informs the next. Pen testing isn't a gate at the end of the process. It's a validation mechanism at multiple stages, feeding findings back into the architecture so each iteration is more secure than the last.
Pen test findings fall into two categories: configuration issues that get fixed by changing a setting, and architectural weaknesses that get fixed by changing the design. Both categories appear in the same report. Both matter. But architectural findings produce compounding returns — they don't just close one vulnerability; they prevent entire classes of vulnerability from existing in the first place.
The feedback loop between pen testing and architecture transforms testing from a periodic check into a design input. Findings update design standards. Design standards prevent recurrence. New systems are built securely by default. Legacy systems are scheduled for architectural improvement. Over time, the proportion of architectural findings decreases — because the design is getting better, not just the configuration.
The pen test that changes a GPO closes a finding. The pen test that changes the network architecture closes a category of findings. The pen test that changes the design standard closes them permanently. That's the feedback loop that turns penetration testing into secure architecture.
Our reports classify findings as configuration issues and architectural weaknesses, map architectural findings to design standard recommendations, and provide the evidence that drives investment in systemic improvement — because the most valuable pen test finding is the one that changes how you build systems.