{"id":574,"date":"2026-03-09T19:31:54","date_gmt":"2026-03-09T19:31:54","guid":{"rendered":"https:\/\/blog.lottabytes.com\/?p=574"},"modified":"2026-03-09T19:32:55","modified_gmt":"2026-03-09T19:32:55","slug":"penetration-testing-and-the-adversarial-mindset","status":"publish","type":"post","link":"https:\/\/blog.lottabytes.com\/index.php\/2026\/03\/09\/penetration-testing-and-the-adversarial-mindset\/","title":{"rendered":"Penetration Testing and the Adversarial Mindset"},"content":{"rendered":"\n<p>There are several different viewpoints around cybersecurity; what it is, what&#8217;s valuable, and how you accomplish it.  Many billions of dollars will be spent this year on cybersecurity, some for more valuable items than others.  Over the years of my career though, I&#8217;m more firmly convinced that the all-too-common-buzzword &#8220;cybersecurity&#8221; is simply having an operational team and capabilities that can survive the unexpected events (accidental or malicious) as they come along.  Cybersecurity is far more than a tool, or toolset that you can purchase; it&#8217;s a mindset of planning, training, governance, observability, and responsiveness to meet the unknowns of tomorrow, not in arrogance, but in the quiet confidence of preparedness.<\/p>\n\n\n\n<p>Up to the past year or so my experiences have been entirely defensive.  Establishing policy and business practices (<em>Governance<\/em>), identifying environments, assets, configs (<em>Identify<\/em>), securing architecture and configs (<em>Protect<\/em>), tuning SOC detection and ensuring proper logging (<em>Detect<\/em>) as nicely outlined in the <a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/CSWP\/NIST.CSWP.29.pdf\">NIST Cybersecurity Framework 2.0<\/a> have taken the majority of my time in the &#8220;cybersecurity&#8221; space.  However, during the past year I&#8217;ve had the privilege to learn a significant chunk of the adversaries&#8217; methods, tools, and mindset through <a href=\"https:\/\/tcm-sec.com\/\">TCM Security<\/a> training courses and their <a href=\"https:\/\/certifications.tcm-sec.com\/pjpt\/\">Practical Junior Penetration Tester (PJPT)<\/a> certification.  Having now gone through and completed the PJPT certification, I want to highly recommend them to anyone who is seriously pursuing a deeper understanding of securing your infrastructure.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"794\" src=\"https:\/\/blog.lottabytes.com\/wp-content\/uploads\/2026\/03\/image-1024x794.png\" alt=\"\" class=\"wp-image-575\" srcset=\"https:\/\/blog.lottabytes.com\/wp-content\/uploads\/2026\/03\/image-1024x794.png 1024w, https:\/\/blog.lottabytes.com\/wp-content\/uploads\/2026\/03\/image-300x233.png 300w, https:\/\/blog.lottabytes.com\/wp-content\/uploads\/2026\/03\/image-768x595.png 768w, https:\/\/blog.lottabytes.com\/wp-content\/uploads\/2026\/03\/image.png 1054w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>It&#8217;s one thing to know academically that your team should be using a bastion host for domain administration tasks, it&#8217;s another to have used adversarial tools and know from personal experience how trivial it is to perform privilege escalation against domain accounts because you&#8217;ve done it.  Again, we&#8217;ve all talked about strong passwords, but it&#8217;s one thing to talk about it, it&#8217;s another to have experience cracking password hashes in minutes due to a weak password strength.  I&#8217;m grateful for this experience that has allowed me to have a stronger understanding of how to defend my own infrastructure, detect incoming attacks, and respond in prepared confidence. <\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>There are several different viewpoints around cybersecurity; what it is, what&#8217;s valuable, and how you accomplish it. Many billions of dollars will be spent this year on cybersecurity, some for more valuable items than others. Over the years of my career though, I&#8217;m more firmly convinced that the all-too-common-buzzword &#8220;cybersecurity&#8221; is simply having an operational &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/blog.lottabytes.com\/index.php\/2026\/03\/09\/penetration-testing-and-the-adversarial-mindset\/\" class=\"more-link\">Read more<span class=\"screen-reader-text\"> &#8220;Penetration Testing and the Adversarial Mindset&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[3,177,176],"class_list":["post-574","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-cybersecurity","tag-penetration-testing","tag-pjpt"],"_links":{"self":[{"href":"https:\/\/blog.lottabytes.com\/index.php\/wp-json\/wp\/v2\/posts\/574","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.lottabytes.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lottabytes.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lottabytes.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lottabytes.com\/index.php\/wp-json\/wp\/v2\/comments?post=574"}],"version-history":[{"count":1,"href":"https:\/\/blog.lottabytes.com\/index.php\/wp-json\/wp\/v2\/posts\/574\/revisions"}],"predecessor-version":[{"id":576,"href":"https:\/\/blog.lottabytes.com\/index.php\/wp-json\/wp\/v2\/posts\/574\/revisions\/576"}],"wp:attachment":[{"href":"https:\/\/blog.lottabytes.com\/index.php\/wp-json\/wp\/v2\/media?parent=574"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lottabytes.com\/index.php\/wp-json\/wp\/v2\/categories?post=574"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.lottabytes.com\/index.php\/wp-json\/wp\/v2\/tags?post=574"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}