Grading on a curve: How to assess a pentest
Red Canary argues that penetration tests and adversary emulations are frequently misused as exhaustive report cards for detection teams, when their scope and intent differ fundamentally from real threat campaigns. The core thesis is "detect to disrupt": breaking the adversary's attack chain at any sufficiently early stage is more valuable than achieving 100% atomic-event coverage across every TTP. The article contrasts real multi-stage adversary behavior with time-boxed, scope-constrained pentests: a real attacker who keeps going toward exfiltration generates far more behavioral signal than a pentester who proves initial access and stops.

Detection philosophy should therefore prioritize high-fidelity, chain-breaking TTPs (e.g., LSASS memory dumping, suspicious persistence) over low-signal atomic events that mostly generate noise. Context-chaining across correlated events (file write → unusual process execution → C2 connection) is emphasized as the mechanism for separating malicious intent from benign activity, since each link is unremarkable on its own.
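As an added illustration of that context-chaining idea (example code written for this summary, not code from Red Canary or the article), the following Python snippet runs two kinds of rules over constructed endpoint telemetry: one atomic, high-fidelity rule (a non-allowlisted process opening lsass.exe) that alerts on its own, and one chain rule that stays low-severity for write-then-execute (what installers do) and only escalates when the newly executed process also connects externally. The event schema, host names, file paths, allowlist, internal-network definition, time window and IP addresses are all assumptions made for this example.

```python
"""Context-chaining detector over constructed endpoint telemetry.

Models four event kinds (file write, process start, outbound connection,
process handle access). The first three are noisy on their own; the chain rule
only raises a high-severity alert when they link up as drop -> execute ->
external connect. One atomic rule (LSASS access from an unexpected image)
fires without any chain because the event itself is high-fidelity.
Schema, rules and sample data are assumptions for this example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int             # seconds; constructed, monotonic per host
    host: str
    kind: str           # file_write | process_start | net_connect | proc_access
    pid: int            # acting process (the new process for process_start)
    image: str          # acting process image path, lower-case
    path: str = ""      # file written (file_write) or target image (proc_access)
    ppid: int = 0       # parent pid (process_start only)
    dest: str = ""      # "ip:port" (net_connect only)


# Assumed allowlist of images expected to open lsass.exe; a real one is tuned per fleet.
LSASS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

# Simplified notion of "internal": RFC 1918 plus loopback. Everything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(dest: str) -> bool:
    ip = ipaddress.ip_address(dest.rsplit(":", 1)[0])
    return not any(ip in net for net in INTERNAL_NETS)


def detect(events, window=300):
    """Return alerts in (host, rule) discovery order. window = max seconds between links."""
    alerts = []
    by_host = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_host.setdefault(e.host, []).append(e)

    for host, evs in by_host.items():
        # Atomic rule: LSASS handle access is high-fidelity enough to alert alone.
        for e in evs:
            if (e.kind == "proc_access" and e.path.endswith(r"\lsass.exe")
                    and e.image not in LSASS_ALLOWLIST):
                alerts.append({"rule": "lsass_access", "severity": "high", "host": host,
                               "stage": "credential_access", "events": [e]})

        # Chain rule: a file is written, then executed, then the new process talks out.
        writes = {}  # path -> most recent file_write of that path
        for e in evs:
            if e.kind == "file_write":
                writes[e.path] = e
            elif e.kind == "process_start" and e.image in writes:
                w = writes[e.image]
                if e.ts - w.ts > window:
                    continue
                c2 = next((n for n in evs if n.kind == "net_connect" and n.pid == e.pid
                           and 0 <= n.ts - e.ts <= window and is_external(n.dest)), None)
                if c2 is not None:
                    alerts.append({"rule": "drop_exec_c2", "severity": "high", "host": host,
                                   "stage": "command_and_control", "events": [w, e, c2]})
                else:
                    # Write-then-execute alone is what installers do: keep it low, not silent.
                    alerts.append({"rule": "drop_exec", "severity": "low", "host": host,
                                   "stage": "execution", "events": [w, e]})
    return alerts


# Constructed sample telemetry (paths, pids, hosts and addresses are invented).
WORD = r"c:\program files\microsoft office\root\office16\winword.exe"
DROP = r"c:\users\alice\appdata\local\temp\update.exe"
SETUP = r"c:\users\bob\downloads\setup.exe"

SAMPLE_EVENTS = [
    # wks-01: Word writes a binary, runs it, it connects out, then opens LSASS.
    Event(100, "wks-01", "file_write", 4321, WORD, path=DROP),
    Event(105, "wks-01", "process_start", 5001, DROP, ppid=4321),
    Event(110, "wks-01", "net_connect", 5001, DROP, dest="203.0.113.10:443"),
    Event(130, "wks-01", "proc_access", 5001, DROP, path=r"c:\windows\system32\lsass.exe"),
    # wks-02: a downloaded installer runs and only reaches an internal share;
    # the browser's outbound traffic is atomic noise with no chain behind it.
    Event(200, "wks-02", "file_write", 777, r"c:\windows\explorer.exe", path=SETUP),
    Event(210, "wks-02", "process_start", 778, SETUP, ppid=777),
    Event(215, "wks-02", "net_connect", 778, SETUP, dest="10.0.0.5:445"),
    Event(220, "wks-02", "net_connect", 900,
          r"c:\program files\google\chrome\application\chrome.exe", dest="203.0.113.50:443"),
]


def run_demo():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a['severity']:>4} {a['host']} {a['rule']:<13} stage={a['stage']} "
              f"links={' -> '.join(ev.kind for ev in a['events'])}")
```

Running it yields two high-severity alerts for wks-01 (the atomic LSASS rule and the full drop -> execute -> connect chain) and a single low-severity drop -> execute note for wks-02, while the browser's external connection produces nothing. The point to take from it is that the chain rule's earliest high-confidence link is the external connection, which is still well before exfiltration; a rule that alerted on every file write or process start instead would bury that signal.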