Presenter:
The talk argues that penetration testing reports—especially in IT/OT environments—keep surfacing the same issues over and over, which signals deeper systemic problems rather than isolated vulnerabilities.
Key takeaways
- “Same findings, different day” problem
Pen test reports are repetitive because organizations aren’t fixing root causes—just patching symptoms. - Common recurring issues
- Weak or reused credentials
- Poor network segmentation (especially IT ↔ OT bleed)
- Excessive privileges and lack of least-privilege controls
- Outdated systems that can’t easily be secured
- Misconfigurations that persist across environments
- OT makes everything worse
- Legacy systems + uptime requirements = security tradeoffs
- Flat networks and remote access paths create easy attack routes
- Visibility is limited, so issues linger undetected
- The real problem isn’t technical—it’s operational
- Security findings don’t get prioritized or owned
- Teams lack alignment between IT, OT, and leadership
- Risk is accepted implicitly rather than consciously
- Reports aren’t driving change
- Pen test outputs often become checkbox exercises
- Without accountability and follow-through, nothing improves
