From Patch Tuesday to Pentest Wednesday™: Proof That Redefined Security for a Manufacturer

Stephen Gates  |  August 27, 2025  |  Blogs

A Pentest Wednesday™ Story

Every security leader knows about Patch Tuesday. But as attackers move faster and chain exploits together in hours (if not minutes), organizations are realizing patching is only part of the solution. What matters most is proving those fixes work in their own environments.

That’s the essence of Pentest Wednesday™ — moving beyond vendor-driven updates to organization-driven validation. For one U.S. manufacturer, that shift turned uncertainty into confidence.

The Customer

A leading U.S. manufacturer, founded more than a century ago, has long prided itself on resilience. Known for supplying essential building products across North America, the company also recognized that protecting its operations and reputation required more than compliance checkboxes.

Manufacturing has been the most targeted industry for cyberattacks four years running, according to IBM, with ransomware, extortion, and data theft driving major losses. Despite years of investment in security, this manufacturer faced the reality of a sprawling network built over decades of operations and acquisitions.

Groups like Scattered Spider were proving that adversaries could bypass controls and weaponize misconfigurations in hours. Annual, point-in-time pentests were never going to keep pace.

The Problem

Like many organizations, this manufacturer relied on defensive technologies and annual pentests to meet compliance. The periodic pentest reports provided a snapshot in time but little proof of what really mattered. When introduced to continuous, offensive testing with NodeZero®, their first reaction was skepticism.

Horizon3.ai’s Customer Success team helped shift that perception through regular working sessions — walking through findings, validating fixes, and building a repeatable testing cadence. Instead of static reports, the manufacturer now had a cycle of action and verification.

As testing expanded, NodeZero uncovered inherited risks across multiple sites, including through acquisitions. Miscommunication from asset owners had left issues undiscovered — from Active Directory misconfigurations to systems unpatched for nearly two years, and even misconfigured email gateways. These findings reinforced why point-in-time tests could never keep pace with modern threats.

“I am pleasantly surprised at how NodeZero has delivered on its promises. It’s really starting to show its value, and we’re now putting it in our tool belt as something we rely on weekly.”

Director of Technology Services, leading U.S. manufacturer

AHA Moment

The turning point came in July 2025, when Citrix Bleed 2 (CVE-2025-5777) was added to CISA’s Known Exploited Vulnerabilities list. Unlike a typical CVE that can sit in a patch queue, KEVs demand immediate action because exploitation in the wild is already confirmed.

Soon after receiving a Horizon3.ai Rapid Response Flare Alert, followed by direct outreach from their Customer Success Manager, the manufacturer launched a NodeZero pentest. The Rapid Response test confirmed their Citrix implementation was exploitable. Within three hours, they had applied the vendor’s patch and retested with NodeZero to verify the exposure was closed.

“We got the Horizon3.ai email early that morning saying we were likely at risk, and then your Customer Success Lead followed up to make sure we saw it, which was actually really cool. We then decided to start weekly external tests, which aligns with the best practices you mentioned.”

Citrix Bleed 2 and the Limits of Patching

On July 10, 2025, CISA added Citrix Bleed 2 (CVE-2025-5777) to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild. Federal agencies were given 24 hours to patch affected Citrix NetScaler ADC and Gateway systems — underscoring how quickly regulators now expect organizations to respond.

For enterprises across industries, Citrix Bleed 2 highlighted a central issue: patching alone doesn’t prove risk is closed. Executives and regulators expect evidence that exposures are eliminated, not just assurances that patches were applied.

Groups like Scattered Spider were already exploiting Citrix Bleed 2 in ransomware campaigns, showing why continuous validation is essential to safeguard sensitive environments.

This was proof, not assumption — a critical vulnerability moved from detection to remediation and fix validation in hours, not weeks.

The Outcome

What began as uncertainty turned into a new operating model for the manufacturer:

  • Weekly internal and external pentests established as standard practice
  • Real-time validation of critical exposures, reducing remediation from weeks to hours
  • Full coverage of every asset, with NodeZero used as an audit tool to track new and decommissioned systems
  • Early adoption of NodeZero Tripwires™, with more than ten deployed across environments to provide ongoing threat detection
  • Expansion into advanced use cases including EDR efficacy testing, risk-based vulnerability management, and remediation dashboards

Beyond the new testing cadence, the manufacturer also used NodeZero to support M&A security validation at its midwestern site. In just 40 days, they reduced exposures from High to Medium, eliminated 94 attack paths, and achieved a 100% reduction in network-level compromise scenarios.

NodeZero also surfaced risks that had gone unreported by network admins — from misconfigured Active Directory to systems left unpatched for years. These findings drove broader changes: analyzing vulnerability data through NodeZero’s Vulnerability Management Hub, strengthening identity defenses with ITDR testing, and enforcing new patch management protocols.

Today, the company isn’t just running tests; it’s using NodeZero as a strategic part of its security program.

“Most pentesting companies just say, ‘Here’s what’s wrong with your stuff, fix it, and leave.’ But you’ve been making sure everything is proper with the test itself — and then some.”

Director of Technology Services, leading U.S. manufacturer

Why Pentest Wednesday Matters

For this manufacturer, the lesson was clear: patching is necessary, but proof is decisive. Moving from monthly to weekly testing created a culture of validation that pushed their security program beyond compliance and into resilience.

Patch Tuesday applies the fixes. Pentest Wednesday proves the risk is closed.
Each week, I’ll be sharing new stories from the field — real-world examples of how organizations are using Pentest Wednesday to turn assumptions into evidence, and uncertainty into confidence.
