Security testing and vulnerability assessments have become another one of the checkboxes on the machine that is the corporate world, and general security for organizations. That's where pentesting companies and risk assessment companies operate currently. The same applies to what people call "red teaming" today. People expect these tests and assessments to be quick, and to follow a pattern. And when all it's said and done, the can check that box and publish on their website that "we are [enter some acronym] certified and run pentesting".
Attackers know these tests will follow a pattern.
They know these companies will scan networks and servers, that they will use tools that are predictable, and they know they will remain within the boundaries considered good pentesting.
As security professional, mimicking and acting like real adversaries, we need to disrupt that.
A real security test, the real adversarial look, is about mimicking the attackers, and how they will act, attacking any and all aspects of an organization's security. The point is to really stress test all domains, including policies and those things called assumptions. You have to change your standard operating procedure (SOP) every time, adapting to what you have in front of you, the organization and its capabilities. This means using resources and techniques that are not expected.
Disruptive security assessments should be the main target. A good security assessment begins once the "check the box" tests end. It begins once the audit or pentesting companies go home and the organization feels like they are now secured. Disruptive assessments bring security to the right place, and test the right things.
It's time to change the mindset, to change what everyone thinks what security is. Make an organization more resilient by being a disruptive force. Bring the power of thinking like an adversary to their doorsteps.