
Patch Tuesday to Pentest Wednesday: How a Global Investment Firm Reduced Security Surprises

Stephen Gates
June 10, 2026

A Pentest Wednesday® Story

Introduction

Most security teams don’t suffer from a lack of data. They suffer from a lack of certainty.

Vulnerability scanners, annual penetration tests, and compliance assessments can generate thousands of findings. Yet they often fail to answer a simple question: Which risks actually matter?

For a global investment firm operating across 18 locations, that question became increasingly important. A small security engineering team was responsible for securing a growing environment while balancing infrastructure projects, identity management, user support, and the countless responsibilities that come with protecting a modern enterprise.

The team wasn’t struggling to generate findings. They were struggling to understand which findings represented real risk, whether remediation efforts were working, and how to ensure leadership would never be surprised by an exposure that should have been discovered earlier.

That journey led them from point-in-time testing to continuous validation.

Outcomes at a Glance

  • Reduced impacts from 251 to 0 in a same-scope internal pentest
  • Reduced compromised credentials from 52 to 0
  • Reduced compromised hosts from 67 to 0
  • Reduced cracked Active Directory passwords from 40 to 0
  • Expanded continuous validation across 18 locations using a phased rollout strategy
  • Enabled a lean security team to continuously validate risk without significant operational overhead

Impact

The team wasn’t expecting perfection. Every environment contains weaknesses, and no experienced security practitioner assumes an internal pentest will come back clean.

What surprised them was how effectively those weaknesses could be chained together once an attacker gained a foothold.

One of the firm’s early internal pentests identified 85 weaknesses. By itself, the number wouldn’t have stood out to most security teams. The real concern wasn’t the weaknesses themselves. It was what those weaknesses enabled.

NodeZero® showed that those weaknesses could produce 251 impacts, including domain compromise, sensitive data exposure, ransomware exposure, host compromise, domain user compromise, and compromised credentials. 

That distinction matters because attackers don’t exploit weaknesses in isolation. They chain weaknesses, misconfigurations, and credentials together to achieve an objective. A low-priority finding on its own may appear manageable, but when combined with other weaknesses, it can become part of a pathway to something much more serious.

Figure 1. An early internal pentest identified 85 weaknesses that led to 251 impacts, including domain compromise, ransomware exposure, sensitive data exposure, and host compromise.
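To make the chaining argument concrete, here is an added example that is not NodeZero code and not part of the firm's program. It models a small, constructed attack graph in Python: nodes are hypothetical weaknesses and business impacts, an edge means "holding X lets an attacker reach Y", and each weakness is ranked by how many impacts become unreachable if that one weakness is remediated. All node names, severity labels and edges are assumptions invented for the illustration.

```python
from collections import deque

# Constructed, hypothetical attack graph for illustration only.
# An edge X -> Y means "once an attacker holds X, they can reach Y".
# Node names are placeholders, not findings from any real assessment.
EDGES = {
    "foothold": ["W1_low", "W2_medium"],
    "W1_low": ["host_compromise"],
    "W2_medium": [],                      # dead end: leads nowhere on its own
    "host_compromise": ["W3_low"],
    "W3_low": ["domain_compromise"],
    "domain_compromise": ["sensitive_data_exposure"],
    "sensitive_data_exposure": [],
}

# Scanner-style severity labels for the individual weaknesses (constructed).
WEAKNESSES = {"W1_low": "low", "W2_medium": "medium", "W3_low": "low"}

# Outcomes the business cares about (the "impacts" of a report).
IMPACTS = {"host_compromise", "domain_compromise", "sensitive_data_exposure"}


def reachable(edges, start, removed=frozenset()):
    """Breadth-first search; nodes in `removed` are treated as fixed (deleted)."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt in removed or nxt in seen:
                continue
            seen.add(nxt)
            queue.append(nxt)
    return seen


def reachable_impacts(edges, start, impacts, removed=frozenset()):
    """Impacts still reachable from `start` after the `removed` weaknesses are fixed."""
    return reachable(edges, start, removed) & impacts


def impacts_cut_by_fixing(edges, start, impacts, weakness):
    """How many impacts become unreachable if this single weakness is remediated."""
    before = reachable_impacts(edges, start, impacts)
    after = reachable_impacts(edges, start, impacts, frozenset({weakness}))
    return len(before - after)


def prioritize(edges, start, impacts, weaknesses):
    """Rank weaknesses by impacts removed when fixed, highest first (ties by name)."""
    scored = [(w, impacts_cut_by_fixing(edges, start, impacts, w)) for w in weaknesses]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    print("Impacts reachable today:", sorted(reachable_impacts(EDGES, "foothold", IMPACTS)))
    for weakness, cut in prioritize(EDGES, "foothold", IMPACTS, WEAKNESSES):
        print(f"{weakness:10s} severity={WEAKNESSES[weakness]:7s} impacts removed if fixed={cut}")
```

In this constructed graph the "medium" finding leads nowhere and ranks last, while the two "low" findings sit on the only path to every impact and rank first; fixing W1_low alone leaves no impact reachable. That is the prioritization shift the case study describes: rank by what a weakness enables, not by its standalone severity label.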

As the Senior Security Engineer explained:

“That impact section in NodeZero is just pure evidence of what can happen in a real life scenario.”

That shift from theoretical risk to demonstrated impact changed how the team approached remediation, shifting the conversation from identifying weaknesses to understanding their potential business impact.

Background

Like many organizations, they were already investing in security testing. The challenge wasn’t finding another tool. It was finding an approach that could scale across the business without creating additional work for a small security team already balancing infrastructure projects, identity management, user support, and countless other responsibilities.

As the Senior Security Engineer described:

“NodeZero is, let’s say, five percent of my work. I’m dealing with a million different things, a million different projects, a million different responsibilities.”

That reality made operational simplicity more than a convenience. It became a requirement.

The team had experience with security testing platforms that required significant infrastructure and ongoing maintenance to keep running effectively. For a small team juggling competing priorities, that overhead mattered. NodeZero offered a different model. The platform was simple to deploy, easy to operate, and allowed the team to begin testing immediately without dedicating resources to managing complex hardware infrastructure.

That ease of deployment became particularly important because the team wasn’t interested in running a proof of concept. They wanted to build a sustainable program that could scale with the business.

Mitigation

Technology wasn’t the biggest obstacle. Building trust across the organization was.

As the Senior Security Engineer joked:

“Everybody hates security teams, right? They feel we are the team saying no to everything.”

The team knew that simply turning on testing across the environment wasn’t going to work. If continuous validation was going to become part of normal operations, it had to be introduced in a way that built confidence rather than concern.

Instead of testing everything at once, they rolled it out gradually. Testing schedules were communicated in advance. Stakeholders were brought into planning discussions. Segments were introduced in phases, giving teams an opportunity to see the results, ask questions, and gain confidence in the process before expanding coverage.

That deliberate approach paid off. What could have become a source of friction became a collaborative effort. The same mindset extended to identity security.

Like many organizations, the firm had password policies in place. On paper, those controls appeared to be doing their job. What the team didn’t know was how those passwords would stand up against the techniques attackers actually use.

The first NodeZero Active Directory Password Audit provided an answer.

Across a population of roughly 1,900 users, the audit identified 40 cracked passwords and six similar passwords.

Figure 2. The firm’s initial Active Directory Password Audit identified 40 users with cracked passwords and six users with similar passwords, revealing identity risks that traditional password policies had not eliminated.

As the Senior Security Engineer observed:

“People think their passwords are a lot more secure than they are.”

Remediation

The initial pentests and password audits had exposed real risks, but the larger challenge was ensuring those risks stayed closed over time.

The first place that mindset took hold was identity security. Rather than simply addressing the immediate findings, the team used them as the foundation for formal workflows around user notifications, manager escalation, and remediation tracking. Password validation became part of regular operations rather than a periodic project.

Within a few months, cracked passwords dropped from 40 to zero.

Figure 3. After implementing a formal remediation process and continuous password validation, cracked passwords were reduced from 40 to zero.

As the program matured, the team also began experimenting with newer capabilities to help manage findings at scale. As an early adopter of Horizon3.ai’s MCP Server, they used Claude with read-only access to NodeZero data, allowing the team to interact with scan results using natural language prompts.

Rather than manually reviewing every finding, the team could ask questions about recent scans, compare results over time, and identify which issues should be prioritized first.

As the Senior Security Engineer explained:

“It’s more about prioritizing the work and saving time, almost like having an additional set of eyes.”

For a lean security team responsible for a large and distributed environment, the ability to quickly triage findings helped reduce time spent reviewing results and allowed more focus on remediation.

The same philosophy extended beyond password security. Rather than treating pentesting as a point-in-time event, the team expanded testing across the environment and used the results to continuously prioritize remediation efforts.

A follow-up same-scope internal pentest provided the proof.

While 46 minor weaknesses still existed, the outcomes attackers cared about had largely disappeared. Impacts dropped from 251 to zero. Compromised credentials fell from 52 to zero. Compromised hosts fell from 67 to zero.

Figure 4. A follow-up same-scope internal pentest showed zero impacts, zero compromised credentials, and zero compromised hosts.

The goal was never to create a perfect environment. Every organization has weaknesses, and new ones emerge constantly. The goal was to eliminate the conditions that allowed attackers to turn those weaknesses into meaningful business impact.

Conclusion

Most security teams already know they have vulnerabilities. What they don’t always know is which of those vulnerabilities matter.

That’s where many programs struggle. Security teams become experts at measuring activity but often have a harder time measuring outcomes. Vulnerabilities are patched. Controls are deployed. Reports are generated. Yet one question remains difficult to answer:

Would those efforts actually stop an attacker?

For this global investment firm, continuous validation provided a way to answer that question with evidence rather than assumptions. Internal pentests revealed how weaknesses could lead to business-impacting outcomes, while password audits challenged assumptions about credential security. Follow-up testing then provided the proof that remediation efforts were actually working.

As the Senior Security Engineer put it:

“The worst thing from my perspective is for my boss or his boss to come to me and say, ‘Hey, did you know about this?’ and I said, ‘No.’”

That mindset ultimately shaped the firm’s approach to security. The objective was never to eliminate every weakness. It was to eliminate uncertainty around the risks that mattered most.

That’s the difference between measuring activity and validating outcomes.
