
16 Jun 2025

Strategy, Technical


Why Context is King in Penetration Testing


Are you really addressing what will get you hacked?

That question cuts to the heart of a common problem in security testing. While many organisations continue to commission penetration tests, they often receive lengthy reports filled with vulnerability findings that miss their actual security risks.

For our Penetration Testing Decoded series, we interviewed Joel Earnshaw, senior manager of cyber security, to unpack the challenges with current testing practices and discover better alternatives.

He puts it bluntly: "The old way of managing vulnerabilities, that CVE and CVSS centric approach, just simply isn't cutting it anymore. These days, we're seeing attackers move incredibly fast — from proof of concept, to active exploitation code within a matter of hours."

This traditional reactive cycle creates a dangerous illusion of security. Organisations invest significant resources in addressing high-scoring vulnerabilities, while often overlooking critical misconfigurations and identity-related issues that pose greater inherent risk.

So, what’s a more efficient approach that actually makes organisations more secure?

The missing ingredient

At Chaleit, we've reimagined penetration testing from the ground up, placing context at the heart of our methodology. Why? Because without understanding the specific environment, controls, and business priorities, vulnerability findings lack real meaning.

"MITRE does a solid job with the CVE program and scoring," Joel acknowledges. "But the issue is that it really only gives us a singular perspective on the criticality and severity of a vulnerability."

A vulnerability with a critical-rated CVSS score might represent minimal risk in your environment if proper compensating controls exist. Conversely, a seemingly minor misconfiguration could create catastrophic exposure if it affects a critical system.

"For us, the risk level of a vulnerability isn't just about its CVSS score," Joel clarifies. "If we have other security measures in place to mitigate the risk, like if a system is air-gapped — totally isolated from other networks and the internet — or has really tight access controls, then we might be able to address that vulnerability during our regular monthly patching cycle."

This contextual understanding transforms security testing from a checkbox exercise into a meaningful assessment of actual risk.
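The compensating controls Joel names can be expressed in CVSS's own Environmental metric group, which the article does not mention: an air-gapped host becomes Modified Attack Vector: Physical, tight access controls become Modified Privileges Required: High. The Python below is an added example, not Chaleit's tooling or code from the article; it implements the CVSS v3.1 base and environmental formulas over a constructed vector, with temporal metrics and CR/IR/AR taken as Not Defined.

```python
import math

# CVSS v3.1 metric weights (FIRST specification, section 7.4).
W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"U": {"N": 0.85, "L": 0.62, "H": 0.27},  # keyed by scope
           "C": {"N": 0.85, "L": 0.68, "H": 0.5}},
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
    "REQ": {"H": 1.5, "M": 1.0, "L": 0.5, "X": 1.0},  # CR / IR / AR
}

def roundup(x):
    """CVSS v3.1 Roundup: one decimal, upward, without float artefacts."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def score(m, modified=False):
    """Base score (modified=False) or environmental score (modified=True) for the
    metric dict m. Temporal metrics are taken as Not Defined (factor 1.0)."""
    req = {k: W["REQ"][m.get(k + "R", "X")] for k in "CIA"} if modified else dict.fromkeys("CIA", 1.0)
    iss = 1 - (1 - req["C"] * W["CIA"][m["C"]]) * (1 - req["I"] * W["CIA"][m["I"]]) \
            * (1 - req["A"] * W["CIA"][m["A"]])
    if modified:
        iss = min(iss, 0.915)  # MISS cap from the v3.1 spec
    if m["S"] == "U":
        impact = 6.42 * iss
    elif modified:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    if impact <= 0:
        return 0.0
    expl = 8.22 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * W["PR"][m["S"]][m["PR"]] * W["UI"][m["UI"]]
    total = impact + expl if m["S"] == "U" else 1.08 * (impact + expl)
    return roundup(min(total, 10.0))

def environmental_score(m, overrides):
    """Re-score with modified metrics, e.g. {"AV": "P"} for an air-gapped host."""
    return score({**m, **overrides}, modified=True)

def severity(s):
    return "None" if s == 0 else "Low" if s < 4 else "Medium" if s < 7 else "High" if s < 9 else "Critical"

# Constructed sample: network-reachable, unauthenticated, full-impact base vector (9.8 Critical).
REMOTE_RCE = {"AV": "N", "AC": "L", "PR": "N", "UI": "N", "S": "U", "C": "H", "I": "H", "A": "H"}
# Compensating controls from the article: air-gapped (physical access only) plus tight access controls.
AIR_GAPPED_TIGHT_ACCESS = {"AV": "P", "PR": "H"}
```

With those two overrides the same finding drops from 9.8 (Critical) to 6.2 (Medium), which is the gap between a vendor's CVSS number and the risk in a specific environment that the article describes.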

Partnership vs transaction

Most penetration testing follows a predictable pattern: testers arrive, follow their standard playbook, deliver a lengthy report, and disappear until next year. The problem is that this transactional relationship fails to deliver real security value.

"What we often see is that security service providers will come in, generate a report — be it seventy-two, eighty-five pages, doesn't matter — and that's it," Joel points out. "The whole engagement is very transactional: here's your templated report, thank you for your business, and we're done."

At Chaleit, we believe security testing should be built on partnership. Before testing begins, we take time to understand your environment, business priorities, and existing controls. This foundation allows us to identify what truly matters in your context.

"To really get the best results for everyone involved, you've got to build a genuine partnership," Joel agrees. "That means being totally open and honest with each other, having complete transparency, and really understanding what matters to both sides. Without that openness and shared understanding, how can you ever expect to achieve those meaningful outcomes?"

The identity blind spot

While organisations focus on patching vulnerabilities, many overlook a more pressing risk: identity and access misconfigurations.

"Identity is the new frontier," Earnshaw emphasises. "If you're not focusing on your identity-based exposure and the information assets those identities can access, then you're doing a disservice to the confidentiality, integrity, and availability of your information assets."

We've seen this firsthand. During a recent engagement, we shifted focus from application testing to identity management and discovered critical issues in just six days that traditional testing had missed for months.

Consider cloud sharing permissions. Many organisations have excessive sharing enabled in their collaboration tools, creating significant data exposure risks that standard penetration tests miss completely.

"We know that attackers are actively targeting the cloud, and that's where statistically they're having the most success," Joel warns.

When a large organisation, one of Chaleit's clients, adopted Microsoft Power Platform, we discovered overly broad Azure AD permissions and uncontrolled external access that standard testing had missed. Our targeted review reduced overprivileged roles by 70% while maintaining operational efficiency. For more details, read our cloud security case study.

Testing what matters

Despite changing risk profiles and threats, many organisations continue commissioning the same tests year after year.

"People are missing the point in terms of what's actually important," Joel explains. "They're not asking the right questions or setting the right context to get the right information to then drive their remediation in the most targeted and effective ways."

Smart testing begins with understanding what's truly critical to your business.

"You must have an understanding or appreciation of what's important to the business. What’s mission critical? What can we do without?" Joel asks. "When you have that context around what's important, you can target it and get the most effective outcomes."

That’s why our team focuses on testing what will actually improve clients’ security, not just what produces a glossy report.

For organisations looking to implement these principles, understanding current best practices is essential. Our comprehensive guide to penetration testing provides detailed information for security testing that focuses on business-critical risks.

Five key lessons

Stop pursuing security testing that only produces reports. Start getting valuable insights that actually reduce your chance of being compromised. Here are key lessons from our discussion with Joel and our team’s experience:

  1. Context transforms testing. Understanding your specific environment, controls, and business priorities turns vulnerability findings from abstract metrics into meaningful risk indicators.

  2. Cyber security partnership beats transactions. Effective security testing requires transparency and ongoing collaboration, not just a one-off report.

  3. Mind your identity. Identity and access management often presents greater risks than unpatched vulnerabilities, yet receives far less testing attention.

  4. Focus on what matters. Direct testing resources toward business-critical systems and realistic attack vectors rather than pursuing comprehensive coverage.

  5. Ask better questions. The quality of your security testing depends entirely on asking the right questions at the start.

Want to put these principles into practice and could use a helping hand? Contact us to discuss how our context-driven penetration testing can provide actionable security intelligence that can make a real difference to your organisation, or read our handbook on How to Buy Penetration Testing That Works.


About this article

Series:

Penetration Testing Decoded

Topics:

  • Strategy
  • Technical
