From Patch Tuesday to Pentest Wednesday®: Proof That Redefined Security for the Defense Industrial Base

Stephen Gates  |  September 3, 2025  |  Blogs

A Pentest Wednesday® Story

Every security leader knows about Patch Tuesday. But in the Defense Industrial Base (DIB), the conversation is dominated by compliance frameworks like CMMC and NIST 800-171. A Merrill Research study, commissioned by CyberSheath, found that only 4% of defense contractors are fully prepared for CMMC certification, with an average SPRS score of –12 — far below the required 110. The simple truth is that supply chain security depends on validation, not paperwork.

That’s the idea behind Pentest Wednesday — our way of describing how organizations move from forms, surveys, and annual pentests to continuous testing and measurable risk reduction. For contractors across the DIB, this shift redefines how they approach third-party risk management.

The Customers

The DIB is not one uniform sector. It spans aerospace labs, maritime defense firms, metals fabricators, electronics manufacturers, and SATCOM manufacturers. Each has a different mission, but they share a common set of challenges: sprawling networks, lean security teams, and adversaries who know the supply chain is the softest target.

For years, most DIB organizations have relied on spreadsheets and audits as a stand-in for proof. But leaders admit they couldn’t answer the only question that mattered: would these defenses hold up in a real-world cyber attack?

One DIB executive puts it bluntly:

“The idea that suppliers like us are secure because we filled out a form is wishful thinking.”

Another adds:

“I thought our security posture was pretty solid, but NodeZero showed us weaknesses we couldn’t ignore.”

The Problem

Point-in-time checks and self-attestations don’t prove whether controls stop real attacker behavior. Questionnaires can be filled out, audits can be passed, and dashboards can show green — but none of it validates resilience against a live attack.

In early assessments, common weaknesses surfaced again and again:

  • lateral movement despite “segmentation”
  • suspicious behaviors missed by EDR
  • credentials exploited to reach sensitive data

For smaller teams, the challenge was scale. Limited staff couldn’t realistically validate every environment or control, which meant issues often lingered longer than they should. Even large, well-resourced DIBs saw the same pattern: testing revealed multiple paths to sensitive data and compromise — blind spots that paper compliance simply hadn’t captured.

The result was a dangerous gap between what organizations believed about their defenses and what was actually true.

AHA Moment

That changed as the DIB began using the NodeZero® Offensive Security Platform through the NSA’s CAPT initiative. Instead of assuming detections worked, organizations tested them. Instead of relying on assurances, they focused on proof. As one C5ISR/SATCOM leader explained: “NodeZero became a sparring partner for our SOC — validating whether our defenses, including EDR, would actually catch the attacks we assumed they would.”

The results were eye-opening. Assumptions about segmentation, credential safety, and EDR effectiveness didn’t hold up under real testing. What mattered most wasn’t simply that these weaknesses existed — it was what they meant. Left unchecked, they created direct paths to crown-jewel systems and gave adversaries the ability to pivot through suppliers to reach higher-value targets upstream. On paper, audits still showed green. In practice, the risk to national defense was real.

For smaller organizations, NodeZero also became a force multiplier. As one leader explained:

“NodeZero provided our small team with an advantage we never had before — it multiplied our capacity.”

The cadence shifted too. A university aerospace lab that once ran annual assessments completed five pentests in five months. A defense electronics manufacturer used repeat testing to track posture improvements over time.

One DIB took it further, running weekly internal pentests against roughly 200 hosts. The first tests uncovered hundreds of weaknesses and business impacts. But within a month, weekly testing and remediation drove dramatic improvements: impacts dropped from more than 700 to just 27, weaknesses from 281 to 66, and compromised credentials from 708 to 32. In the latest test, NodeZero could no longer obtain a domain compromise.

What began as one-off engagements evolved into a new rhythm: testing, remediating, and verifying on a continuous basis —

  • compressing the mean time to remediate (MTTR)
  • giving leaders continuous, audit-ready evidence of progress
  • cutting exposure for a highly targeted industry

The Outcome

The shift delivered immediate impact. A small cybersecurity services provider supporting the DIB explained: “We didn’t just rely on dashboards anymore. NodeZero showed us if our EDR/XDR stack was working in reality, not just in theory.”

A maritime defense contractor added:

“NodeZero uncovered detection gaps we never expected. More importantly, it lets us validate our fixes and prove improvements to leadership.”

Other suppliers used findings to accelerate compliance milestones. One noted:

“We just went through a DoD CMMC assessment. NodeZero helped us prove risk reduction, not just claim it.”

The numbers tell the broader story. Across the DIB, NodeZero has been used in more than 9,500 pentests, covering over 1 million endpoints. It has identified more than 375,000 exploitable weaknesses — and thousands have already been closed, including critical, high, and medium weaknesses that would otherwise leave attack paths open.

This progress matters for national defense. Every closed weakness is one less attack path available to adversaries — and remediation efforts continue to accelerate.

When new vulnerabilities surface, timing and validation matter most. Within 24 hours of a CVE being published, NodeZero integrated it as a Rapid Response test. One DIB supplier was able to launch the test immediately and confirm within minutes that they were not exposed. This agility shows how Rapid Response equips defense teams to move faster than adversaries, validate exposure instantly, and make informed decisions before threats can be weaponized.

Suppliers also value that NodeZero reduces the burden of endless questionnaires and manual assessments, replacing paperwork with proof they can reuse for compliance and audits.

Horizon3.ai’s Customer Success (CS) team is central to making CAPT effective across the DIB. Rather than just surfacing weaknesses, CS acts as an advisor — helping suppliers understand what matters most and what to fix first. Findings are reviewed in the context of both attacker and business impact, with the highest-risk paths identified and prioritized. Remediation is then driven through to verified closure with retests. The result is a repeatable operating rhythm — clear guidance, actionable plans, and evidence — that enables contractors to reduce risk faster and strengthen the broader supply chain.

For smaller organizations in particular, the benefit was speed. A construction and engineering DIB noted that within seven minutes of testing, NodeZero demonstrated a full compromise path that their team quickly remediated. Another firm completed 70+ bi-weekly pentests in just four months, building a cycle of action and verification with almost no overhead.

NodeZero Tripwires™ are also quickly becoming one of the most powerful capabilities within the platform – giving defenders a way to embed honey tokens directly into every pentest, seamlessly integrating incident response with continuous validation.

For early adopters, the benefits are clear:

  • Always-on detection: Tripwires are dropped into environments during pentests — fake credentials, data, or tokens that an attacker would try to use.
  • Operational readiness: By triggering IR workflows through planted honey tokens, organizations validate not just their tech stack but also their human response under live-fire conditions.
  • Wider adoption across the DIB: With 2,490 Tripwire-enabled pentests run to date by 163 defense industrial base organizations, we’re already seeing measurable impact on how security teams detect, respond, and harden their environments.
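An added illustration of the tripwire idea in the first two bullets, written for this page rather than taken from NodeZero: a registry of honey identities planted on specific hosts during a pentest, and a detector that treats any authentication attempt with one of them as an incident-response trigger. Host names, account names, the pentest label and the log format are all constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Tripwire:
    """A planted honey identity and where the pentest left it (constructed)."""
    identity: str
    planted_on: str     # host the fake credential was dropped on
    pentest_id: str     # engagement that planted it (constructed label)

# Constructed registry: honey accounts have no legitimate use, so any use is a signal.
TRIPWIRES: Dict[str, Tripwire] = {
    tw.identity: tw for tw in (
        Tripwire("svc-backup-legacy", "FS01", "PT-2025-W36"),
        Tripwire("jenkins-deploy-old", "BUILD02", "PT-2025-W36"),
    )
}

# Constructed auth-log format: "<ts> <host> auth <success|failure> user=<u> src=<ip>"
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

@dataclass
class Alert:
    ts: str
    user: str
    src: str
    seen_on: str
    planted_on: str
    pentest_id: str
    result: str
    moved_from_plant_host: bool   # credential reused elsewhere: likely lateral movement

def match_tripwires(log_lines: List[str]) -> List[Alert]:
    """Return one alert per auth attempt (failed or successful) using a honey identity."""
    alerts: List[Alert] = []
    for line in log_lines:
        m = AUTH_RE.match(line.strip())
        if not m:
            continue                       # unrelated or malformed line, skip
        tw = TRIPWIRES.get(m["user"])
        if tw is None:
            continue                       # real user, not a tripwire
        alerts.append(Alert(m["ts"], m["user"], m["src"], m["host"], tw.planted_on,
                            tw.pentest_id, m["result"], m["host"] != tw.planted_on))
    return alerts

# Constructed sample: one normal login, then a honey account tried from another host.
SAMPLE_LOGS = [
    "2025-09-03T10:02:11Z FS01 auth success user=jdoe src=10.10.5.21",
    "2025-09-03T10:07:45Z DC01 auth failure user=svc-backup-legacy src=10.10.7.88",
    "2025-09-03T10:07:49Z DC01 auth success user=svc-backup-legacy src=10.10.7.88",
    "not an auth record",
]
```

Because the honey account is never used legitimately, even the failed attempt is worth paging on; the `moved_from_plant_host` flag tells the responder the credential left the host it was planted on.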

For leaders across the DoD, Tripwires represent a model for shifting left in IR – turning every engagement into an opportunity to pressure-test defenses and strengthen resilience.

And the model is repeatable. Organizations tier their suppliers by risk, allocate NodeZero access, and let suppliers launch safe, agentless pentests on their own, often in under 15 minutes after being onboarded to the platform. Each test surfaces real attack paths, suppliers remediate, and one-click retests verify issues are closed. Parent organizations gain centralized reporting, while suppliers benefit from proof they can reuse for compliance frameworks like SOC 2 or ISO 27001.

That’s what makes Pentest Wednesday work at scale across the supply chain: measurable validation, faster remediation, and shared visibility without additional burden.

Across the DIB, remediation is happening at scale:

  • 9,244 critical weaknesses remediated
  • 7,259 high weaknesses remediated
  • 8,108 medium weaknesses remediated

Why Pentest Wednesday Matters

For the Defense Industrial Base, compliance will always be required — but it isn’t enough. What makes the difference is proof. NodeZero gives contractors and suppliers evidence that risks are not just detected, but remediated, and proven to be closed. That’s how third-party risk management becomes more than paperwork. It becomes resilience.

And while these results come from the Defense Industrial Base, the lesson is broader. Every industry depends on suppliers, and every supply chain is an extension of the attack surface. What the DIB proves today is simple: validated remediation doesn’t just improve compliance — it improves resilience for everyone.

That’s what we call Pentest Wednesday — our way of framing how organizations turn assumptions into evidence and uncertainty into confidence.

Ready to See Proof in Your Supply Chain?

Every industry depends on suppliers. Whether you build aircraft, run hospitals, or manufacture consumer goods, your supply chain is part of your attack surface. Pentest Wednesday gives you evidence that vendors and partners can withstand real-world attacks — not just pass audits.
Each week, I’ll be sharing new stories from the field — real-world examples of how organizations are using Pentest Wednesday to turn assumptions into evidence, and uncertainty into confidence.
