
The Cyber Threat Perspective Episode 166: Why Your Pentest Didn’t Make You Safer
Jan 30, 2026
Tyler Roberts, an offensive security practitioner and penetration tester, explains why pentests often fail to improve real security. He separates the organization's responsibilities from the tester's, and covers the false confidence that comes from checklist thinking, compliance-driven limits on scope, realistic scoping, ownership of remediation, and using tests to validate detection and response.
Run External First Then Stagger Internal Tests
- Start with an external pentest if you've never tested before, then stage an internal test later to avoid overwhelm.
- Spencer Alessi recommends staggering engagements to build a baseline and choose appropriate future testing like red team exercises.
Remediate Root Causes Not Just Findings
- Fix root causes, not just symptoms reported in pentest findings to prevent recurrence.
- Spencer Alessi recounts an ADCS certificate template that was remediated and later re-enabled because of missing internal communication and an application's needs.
Run Locksmith After Every ADCS Change
- After any change in Active Directory Certificate Services, run Locksmith in Mode 2 and export the results to a spreadsheet for review.
- Spencer Alessi insists on running Invoke-Locksmith -Mode 2 after each ADCS change to catch misconfigurations early.
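The two snips above (fix root causes so a remediated template does not quietly come back; run Locksmith in Mode 2 after every ADCS change) fit together naturally as a re-check script. The PowerShell below is an added example, not code from the episode or from the Locksmith project: it runs Invoke-Locksmith -Mode 2, then diffs the resulting CSV findings against the last accepted baseline so that a template re-enabled after remediation shows up as a new finding rather than disappearing into a spreadsheet nobody re-reads. It assumes the Locksmith module is installed and that Invoke-Locksmith accepts -Mode and -OutputPath as in the versions I know; the CSV column names used to key each finding (Technique, Name, Issue) are an assumption, with a fall-back to the whole row if a file lacks them.

```powershell
# Added example, not from the episode or the Locksmith project.
# Assumptions: Locksmith is installed (Install-Module Locksmith); Invoke-Locksmith
# accepts -Mode and -OutputPath; CSV columns Technique/Name/Issue exist (checked at
# runtime, with a whole-row fall-back). Run after each ADCS change.
[CmdletBinding()]
param(
    [string]$BaselinePath = (Join-Path $PWD 'locksmith-baseline'),
    [string]$RunRoot      = (Join-Path $PWD 'locksmith-runs'),
    [switch]$AcceptAsBaseline   # promote this run to the baseline once reviewed
)

Import-Module Locksmith -ErrorAction Stop

$runPath = Join-Path $RunRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $runPath -Force | Out-Null

# Mode 2: enumerate ADCS misconfigurations and write them to CSV; change nothing.
Invoke-Locksmith -Mode 2 -OutputPath $runPath

function Get-FindingKeys {
    # One stable string per finding so two runs can be compared as sets.
    param([string]$Path)
    $keys = @()
    foreach ($csv in Get-ChildItem -Path $Path -Filter *.csv -File -ErrorAction SilentlyContinue) {
        foreach ($row in Import-Csv -Path $csv.FullName) {
            $props = $row.PSObject.Properties.Name
            if (@('Technique', 'Name', 'Issue') | Where-Object { $_ -notin $props }) {
                # Unknown layout: key on the whole row so nothing is silently dropped.
                $keys += ($props | ForEach-Object { "$_=$($row.$_)" }) -join ';'
            } else {
                $keys += '{0}|{1}|{2}' -f $row.Technique, $row.Name, $row.Issue
            }
        }
    }
    $keys | Sort-Object -Unique
}

$current = @(Get-FindingKeys -Path $runPath)

if (-not (Test-Path $BaselinePath)) {
    Write-Warning "No baseline at $BaselinePath; this run becomes the baseline. Review $runPath first."
    Copy-Item -Path $runPath -Destination $BaselinePath -Recurse
    return
}
$baseline = @(Get-FindingKeys -Path $BaselinePath)

# Set difference in both directions: regressions and resolved items.
$baseSet  = [System.Collections.Generic.HashSet[string]]::new([string[]]$baseline)
$curSet   = [System.Collections.Generic.HashSet[string]]::new([string[]]$current)
$new      = @($current  | Where-Object { -not $baseSet.Contains($_) })
$resolved = @($baseline | Where-Object { -not $curSet.Contains($_) })

Write-Host ('Findings: {0} current, {1} baseline, {2} new, {3} resolved' -f `
    $current.Count, $baseline.Count, $new.Count, $resolved.Count)
if ($new.Count) {
    Write-Host 'NEW findings (regressions or drift since the baseline):' -ForegroundColor Red
    $new | ForEach-Object { Write-Host "  + $_" }
}
if ($resolved.Count) {
    Write-Host 'Resolved since baseline:' -ForegroundColor Green
    $resolved | ForEach-Object { Write-Host "  - $_" }
}

if ($AcceptAsBaseline) {
    Remove-Item -Path $BaselinePath -Recurse -Force
    Copy-Item -Path $runPath -Destination $BaselinePath -Recurse
}

# Non-zero exit so a scheduled task or change pipeline fails on regressions.
if ($new.Count) { exit 1 }
```

The baseline is only replaced when -AcceptAsBaseline is passed, so a finding that was fixed and then re-enabled keeps reappearing as "NEW" until someone consciously accepts it; that is the point of the check, since the failure described in the episode was a fix undone without anyone noticing. The dated run directories also preserve the raw Mode 2 CSVs for the spreadsheet review Spencer Alessi recommends.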
