Penetration Tests and Still Photographs: Moving into the Future

Posted by Chad Walter on Jan 26, 2022 1:44:15 PM

What do still photographs and today's penetration tests have in common? They're both single snapshots or points in time, and time is in constant change.

If you took the picture outside, especially here in the northeast, you may see grass where there’s now snow. If that picture was of your teenage child, their brown hair may now be purple, or they may have a completely different hairstyle. Even if you took that picture, then went back to the same scene 24 hours later, there is going to be a change.

Now, think of a penetration test the same way. Like the photograph, a penetration test is just a snapshot in time. Like the photographer, the tester can only see what is operational in the target environment at the time of the test. Their field of vision is limited to the environment, connected users, devices or applications, the tools available at that moment, and what is known about threats at that moment.

The first commercially viable photographic process was developed and introduced to the world in 1839. Celluloid-based moving pictures (what we call movies) came along about 49 years later. There have been many advances to get us to today’s real-time, on-demand video content that can be accessed at our fingertips 24 hours a day. (These videos are also, coincidentally, a transport and implementation vehicle for cyber-threats.)

In comparison, penetration testing as we know it in the cybersecurity community first began sometime in the 1960s. In 1972, James P. Anderson outlined the first real definitive steps to test for vulnerabilities and compromise. Over the next 50 years, we have evolved penetration testing into the sophisticated services we use today. But our current penetration testing programs are still similar to the first digital camera we had in the late 1990s. The tools are fascinating and have allowed us to take better-defined pictures, but tests remain closer to a still picture than a moving representation of actionable events.

So, how do we fix this? What can we do to update the penetration testing process and make it more aligned to the client’s cybersecurity needs? Addressing this question and working with our clients’ needs, IGI Cybersecurity has created a more logical approach to the fluid nature of cyber-threats: PenLogic™. Our PenLogic service is closer to a moving picture version of a penetration test than a still image. With PenLogic, clients leverage an annual penetration testing strategy that applies logic to their changing landscape, while improving their visibility and risk posture.

Each PenLogic service is scoped to meet the unique needs of the client and will provide scheduled penetration testing, post-remediation penetration testing, and monthly baseline testing. Our penetration testing and cybersecurity experts will partner with the client’s team to ensure that their vulnerabilities are addressed as the environment changes. Also, as an annual term service, the IGI PenLogic program will align better to clients’ budget concerns and compliance cycles.

IGI PenLogic provides better visibility and resiliency, is actionable and scalable, and is a better use of company dollars.

To read our full announcement, visit