In a discipline where staying one step ahead of the adversary is the entire job, the value of testing your own defenses cannot be overstated. The story below comes out of an MDR (Managed Detection and Response) RFP engagement we ran for a services company with more than a thousand locations. The mandate had two parts: help the client find a new penetration testing provider, and stress-test the incumbent’s detection capabilities along the way.
What unfolded was a useful reminder of how much can hide inside a security program that looks, on paper, perfectly capable.
What Pen Testing Actually Spans
“Penetration testing” covers a wide spectrum. At one end sit basic vulnerability scans — useful, but limited to surface-level findings. At the other end is a full Red Team Advanced Persistent Threat simulation, where ethical hackers operate over weeks or months to mimic the patience and creativity of real adversaries.
For this engagement, we recommended a light red team approach: a focused effort that combined manual techniques with automated tooling, executed by experienced ethical hackers operating under strict rules of engagement.
The Operation
The result was, as one team member put it, “a little cinematic.” Our white-hat operators gained a foothold on the client’s network and, through a chain of individually legitimate-looking actions, escalated to domain admin privileges by way of IT leadership credentials — effectively the keys to the kingdom. From there, they captured password hashes and created additional domain admin accounts for persistence, granting themselves what penetration testers sometimes call “god privilege”: a level of access that turns the entire network into an open book.
The implications were significant. Despite the sophistication of the incumbent MDR provider’s endpoint detection and log analytics, the entire operation slipped past unobserved. No alert was raised. No anomaly was flagged. The breach simulation completed successfully and silently. That silence is worth dwelling on: creating a user account and adding it to Domain Admins are exactly the kinds of events a domain controller records under its default audit policy, so the gap was in detection engineering, not in available telemetry.
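As an added illustration of the detection that should have fired (example code written for this article, not the incumbent MDR provider’s or the pen test team’s tooling), the rule below scans Windows Security events for additions to privileged groups and escalates when the added account was itself created shortly beforehand. Event IDs 4720 (user account created) and 4728/4732/4756 (member added to a global/local/universal security-enabled group) are real; the group list, the approved-admin account name, and the sample events are assumptions constructed for the example.

```python
"""Detect a newly created account being added to Domain Admins (or similar).
Example code for this article, not the MDR provider's or pen test vendor's tooling."""
from __future__ import annotations
from datetime import datetime, timedelta

# Groups whose membership changes should always alert. Assumption: tune per environment.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Accounts expected to make privileged group changes. Hypothetical name.
APPROVED_ADMINS = {"svc_iam_provisioning"}
# 4728 = global group, 4732 = local group (e.g. Administrators), 4756 = universal group.
MEMBER_ADDED_EVENTS = {4728, 4732, 4756}
ACCOUNT_CREATED_EVENT = 4720
# How far back to look for the account's creation before its promotion.
CORRELATION_WINDOW = timedelta(hours=1)


def member_cn(member: str) -> str:
    """Return the account name from a MemberName field.

    Windows logs the member as a distinguished name (CN=backup_svc2,CN=Users,...),
    but some log forwarders emit a bare sAMAccountName; accept both.
    """
    first = member.split(",", 1)[0].strip()
    return first[3:] if first.upper().startswith("CN=") else first


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["TimeCreated"])


def detect_privileged_group_changes(events: list[dict]) -> list[dict]:
    """Return alerts for privileged group additions, in time order.

    Severity:
      medium   - an approved account added the member (still review it)
      high     - any other account did
      critical - the member was created (4720) within CORRELATION_WINDOW before
                 the addition, i.e. a brand-new account went straight to Domain Admins
    """
    alerts: list[dict] = []
    created: dict[str, tuple[datetime, str]] = {}  # new account -> (when, created by)

    for ev in sorted(events, key=_ts):
        if ev["EventID"] == ACCOUNT_CREATED_EVENT:
            created[ev["TargetUserName"].lower()] = (_ts(ev), ev["SubjectUserName"])
            continue
        if ev["EventID"] not in MEMBER_ADDED_EVENTS:
            continue
        group = ev["TargetUserName"]  # for group-membership events this field is the group
        if group not in PRIVILEGED_GROUPS:
            continue

        actor = ev["SubjectUserName"]
        member = member_cn(ev["MemberName"])
        severity = "medium" if actor in APPROVED_ADMINS else "high"
        reason = f"{actor} added {member} to {group}"

        prior = created.get(member.lower())
        if prior and _ts(ev) - prior[0] <= CORRELATION_WINDOW:
            severity = "critical"
            minutes = int((_ts(ev) - prior[0]).total_seconds() // 60)
            reason += f"; account created by {prior[1]} {minutes} min earlier"

        alerts.append({"severity": severity, "time": ev["TimeCreated"], "actor": actor,
                       "member": member, "group": group, "reason": reason})
    return alerts


# Constructed sample events, not a real log. Field names follow the Windows Security
# event schema: for 4720 TargetUserName is the new account; for 4728 it is the group.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-03-12T02:10:00", "SubjectUserName": "-",
     "TargetUserName": "jdoe-it"},  # ordinary logon noise, ignored
    {"EventID": 4720, "TimeCreated": "2024-03-12T02:14:07", "SubjectUserName": "jdoe-it",
     "TargetUserName": "backup_svc2"},
    {"EventID": 4728, "TimeCreated": "2024-03-12T02:15:31", "SubjectUserName": "jdoe-it",
     "TargetUserName": "Domain Admins", "MemberName": "CN=backup_svc2,CN=Users,DC=corp,DC=example"},
    {"EventID": 4728, "TimeCreated": "2024-03-12T09:02:10", "SubjectUserName": "svc_iam_provisioning",
     "TargetUserName": "Sales Staff", "MemberName": "CN=newhire.smith,CN=Users,DC=corp,DC=example"},
    {"EventID": 4728, "TimeCreated": "2024-03-12T11:40:00", "SubjectUserName": "svc_iam_provisioning",
     "TargetUserName": "Domain Admins", "MemberName": "ops.lee"},
]

if __name__ == "__main__":
    for alert in detect_privileged_group_changes(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['time']} {alert['reason']}")
```

Run against the sample, the rule raises a critical alert for the 02:15 addition (a one-minute-old account promoted to Domain Admins by a regular IT account) and a medium alert for the provisioning account's later addition; the Sales Staff change is ignored. The point is that a rule this simple, fed by default domain controller auditing, would have caught the step described above; a provider that did not catch it was not looking at the right events.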
What the Test Revealed
The findings did exactly what a good penetration test is supposed to do: they made invisible problems visible. Defenses that the client and the incumbent both believed to be working in concert turned out, under realistic adversarial pressure, to have meaningful gaps. The conversation that followed was uncomfortable but productive, and it ultimately drove the client to reconsider both their MDR provider and their broader detection posture.
This is also why we encourage clients to rotate penetration testing vendors annually. Familiarity breeds blind spots. A fresh team brings a different methodology, a different toolset, and a different intuition for where to push, which surfaces vulnerabilities that an established relationship will routinely miss.
The Takeaway
The incumbent provider’s failure to detect the orchestrated breach was the single most important data point of the engagement. It became the deciding factor in the client’s decision to seek a new MDR partner, and it reinforced something we tell every client we work with: assumptions about your security posture should be tested, not trusted.
Cybersecurity is a continuous discipline. Adversaries do not stand still, and neither can defenders. Penetration testing — done well, done regularly, and done by teams with no incentive to flatter your existing tooling — remains one of the most cost-effective ways to keep that gap from widening.