I've spent the last few weeks writing up what the offensive security industry has quietly become, using one engagement as the case study.

Same virtual appliance tested twice at two different organisations. First time: twenty-something findings from VA scans and a ChatGPT prompt. Second time: five CVEs in five days, responsible disclosure, vendor patches, halted go-live.

https://payloadforge.io/why-infra-pentests-suck

Why Infra Pentests Suck

Let's call him Marco. We were both at the same consultancy, a few years into pentesting, stuck on site together at a client. I was mid-level, still figuring shit out, learning the ropes, while he was senior. Italian, slim, quiet guy who would sit in the corner with his headphones

Payload Forge