There is a standing joke in offensive security that every penetration test report could be written ahead of time, with only the names redacted. It is not quite true, but it is true often enough to be uncomfortable.
We delivered 47 penetration tests during Q1 2026 — a mix of external network assessments, internal post-compromise simulations, web application tests, API security reviews, social engineering engagements, and three full threat-led penetration tests under DORA Article 26. Across this volume, certain findings appeared so consistently that they have effectively become the baseline assumption rather than the exception.
This is, equally, where we saw the most interesting recent shifts. Some attack paths that were trivially exploitable two years ago are now meaningfully harder. Others, less expected, have moved in the opposite direction.
The patterns are worth surfacing.
The findings that appeared in over 60% of engagements
Five categories of finding appeared in the majority of Q1 2026 engagements, in environments ranging from 200-employee firms to 25,000-employee enterprises.
Active Directory misconfigurations remain the highest-impact category. Specifically: Kerberoastable service accounts with weak passwords, unconstrained delegation on legacy servers, and the persistence of NTLM authentication where it could have been deprecated. We achieved domain admin in 31 of 47 engagements within a working day. The path varied; the destination did not.
Internal network segmentation continues to be theoretical rather than operational. Most environments have segmentation diagrams. Few of them survive contact with reality. The most common finding is that segmentation enforces north-south traffic but permits broad east-west traffic between segments — particularly between user workstations, file servers, and management infrastructure. Once an attacker reaches any internal host, the network is functionally flat.
Internet-facing infrastructure exceeds the organisation’s inventory. This was the subject of a separate post on API sprawl, but the finding generalises. Forgotten subdomains, decommissioned-but-still-resolving services, development environments that should have been gated, and partner integrations that were never documented appear in roughly two-thirds of external assessments. The forgotten infrastructure is, statistically, less patched than the maintained infrastructure.
Privileged access boundaries are softer than they appear. Even in environments with formal privileged access management, we routinely find local administrator accounts on workstations, service accounts with interactive logon rights, and “break glass” accounts whose use is technically auditable but operationally unsupervised. The boundary between standard user and privileged user is, in most environments, more porous than the privileged access policy suggests.
Detection coverage has gaps that align with attacker priorities. Endpoint telemetry is good. Network telemetry, in many environments, is patchy. Identity telemetry — the logs that would catch credential theft, unusual authentication patterns, and privilege escalation — is often the least mature. This is, predictably, where adversaries spend most of their effort.
None of these are surprising. All of them are remediable. Most environments know about most of them.
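The Kerberoastable-service-account finding and the identity-telemetry gap above meet in one detection: a burst of RC4 service-ticket requests from a single account in Windows Security Event 4769. This is an added example, not code from the original post; it assumes the events are already parsed into dicts with the 4769 fields TargetUserName, ServiceName, TicketEncryptionType and TimeCreated, and the window and threshold are constructed starting points.

```python
"""Detect a Kerberoasting pattern in Windows Security Event 4769 records.

Added example, not code from the original post. Assumes events are
pre-parsed into dicts with the 4769 fields TargetUserName, ServiceName,
TicketEncryptionType and TimeCreated; the thresholds are constructed
starting points, not tuned figures from the post.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# RC4-HMAC (0x17) service tickets requested for many distinct SPNs by one
# account in a short window is the classic Kerberoasting signature: the
# weakest service-account password is then cracked offline.
RC4_HMAC = "0x17"
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_SERVICES = 5

# Constructed sample: one user requesting RC4 tickets for seven SPNs, plus
# ordinary AES (0x12) traffic and a single RC4 request that must not fire.
SAMPLE_EVENTS = [
    {"TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": f"svc{i}",
     "TicketEncryptionType": "0x17", "TimeCreated": datetime(2026, 3, 2, 9, 0, i)}
    for i in range(7)
] + [
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "fileserver01$",
     "TicketEncryptionType": "0x12", "TimeCreated": datetime(2026, 3, 2, 9, 1, 0)},
    {"TargetUserName": "bob@CORP.LOCAL", "ServiceName": "sqlsvc",
     "TicketEncryptionType": "0x17", "TimeCreated": datetime(2026, 3, 2, 9, 2, 0)},
]

def detect_kerberoasting(events, window=WINDOW, min_services=MIN_DISTINCT_SERVICES):
    """Return {account: sorted SPNs} for accounts that requested RC4 tickets
    for at least min_services distinct non-machine SPNs within one window."""
    rc4 = defaultdict(list)
    for e in events:
        # Machine accounts (SPN ends in $) have long random passwords and are
        # not crackable, so excluding them removes most of the noise.
        if e["TicketEncryptionType"] == RC4_HMAC and not e["ServiceName"].endswith("$"):
            rc4[e["TargetUserName"]].append((e["TimeCreated"], e["ServiceName"]))
    alerts = {}
    for account, reqs in rc4.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # sliding window over the requests
            spns = {spn for t, spn in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_services:
                alerts[account] = sorted(spns)
                break
    return alerts
```

The same rule, fed from the domain controllers' 4769 stream, is the cheapest piece of identity telemetry most SOCs are missing; the remediation side is long random passwords (or gMSAs) on the accounts it names.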
Where defenders are visibly winning
The more interesting finding from Q1 was the categories where attack paths that were standard playbook items in 2023 have become meaningfully harder.
Phishing-based initial access is harder than it was. Conditional access, modern email security, and increasingly mature user training have raised the cost of phishing campaigns. We still succeed in phishing engagements — but we succeed against fewer users, on fewer attempts, and increasingly need to construct sophisticated lures rather than relying on credential harvesting templates. The marginal phishing email is less effective than two years ago.
Pure credential stuffing against external authentication is harder. MFA enforcement is now ubiquitous on customer-facing authentication. The remaining attack paths bypass MFA (session hijacking, AitM toolkits, MFA fatigue) rather than defeating it directly. This is genuine progress, even if the attacks have moved on to the next generation.
Workstation-level malware execution is detected reliably. Modern EDR platforms — properly tuned — catch the standard offensive security toolkits at execution time. We have largely stopped trying to drop standard implants directly; the success rate is too low to justify the operational cost. The tradecraft has shifted to living-off-the-land and abuse of legitimate administrative tools, which detection is now actively pursuing.
Brute force against well-protected internet-facing services has stopped working. Rate limiting, geo-blocking, and threat intelligence-driven IP reputation have eliminated the casual scanning attack. The infrastructure that operationalises this — Threater DNS at the network layer, similar capabilities at the WAF and authentication layers — is now mature enough that the attack class has moved on.
The defenders who feel like they are losing should be encouraged that, against the threat landscape of three years ago, they are largely winning. The threat landscape has, however, moved.
The shift in the offensive playbook
What we are doing more of, in Q1 2026 engagements, follows the gaps the defenders haven’t yet closed.
Identity is the consistent path. Where we used to start with phishing or external exploitation, we increasingly start with identity-targeted attacks. Compromised credentials from breach corpora. Active Directory enumeration that exploits weak service account passwords. OAuth consent phishing that bypasses MFA entirely. The identity layer has become the highest-leverage attack surface, and it is also where defenders have invested least relative to its importance.
APIs are the consistent target after identity. Once we have any foothold, internal APIs are reliably less defended than internal web applications. Authorisation flaws are the dominant exploit category, particularly in microservice architectures where each service authenticates the request but trusts the upstream caller’s authorisation decision.
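The "authenticates the request but trusts the upstream caller's authorisation decision" pattern, shown next to the version that decides for itself. This is an added example, not code from the original post; the header names, the shared signing key and the order records are constructed, and a real deployment would use per-service keys or mTLS with short-lived tokens.

```python
"""Downstream microservice authorisation: trusting the caller vs deciding.

Added example, not code from the original post. The shared signing key, the
header names and the order records are constructed; a real deployment would
use per-service keys or mTLS with short-lived tokens.
"""
import base64, hashlib, hmac, json

INTERNAL_KEY = b"constructed-demo-key-not-for-real-use"

ORDERS = {"o-1001": {"owner": "alice"}, "o-1002": {"owner": "bob"}}  # constructed

def mint_internal_token(subject: str) -> str:
    """Gateway side: bind the authenticated principal to a signed token so
    downstream services can verify *who* the request is for."""
    payload = base64.urlsafe_b64encode(json.dumps({"sub": subject}).encode()).decode()
    sig = hmac.new(INTERNAL_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"

def verify_internal_token(token: str):
    """Return the verified subject, or None if the signature does not match."""
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(INTERNAL_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]

def get_order_vulnerable(headers: dict, order_id: str):
    """The pattern the post describes: the request is authenticated (a token
    is present) but the authorisation decision is whatever the upstream
    caller put in a plain header, which any internal caller can set."""
    if "X-Internal-Token" not in headers:
        return 401, None
    if headers.get("X-Authorized") != "true":
        return 403, None
    return 200, ORDERS.get(order_id)

def get_order_hardened(headers: dict, order_id: str):
    """Object-level authorisation is decided here, from a verified principal,
    regardless of what any upstream service claims."""
    subject = verify_internal_token(headers.get("X-Internal-Token", ""))
    if subject is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    if order["owner"] != subject:
        return 403, None
    return 200, order
```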
Living-off-the-land works almost everywhere. The PowerShell, WMI, scheduled tasks, and PsExec techniques that detection platforms have pursued for years are now increasingly detected. What is not detected is the abuse of legitimate IT operations tooling — RMM platforms, deployment systems, configuration management agents — which sits beneath the EDR’s visibility envelope and is treated as benign by definition.
Cloud identity and configuration drift accumulate. Cloud environments that were configured securely at deployment have, over years, accumulated permissions that should have been temporary, service accounts that should have been retired, and trust relationships that should have been scoped down. Cloud security findings rarely involve novel exploits; they involve the patient enumeration of configuration drift.
What the high-performing defenders are doing differently
Of the 47 engagements, four were genuinely difficult: our team had to invest significantly more effort than budgeted to achieve the objectives. The pattern across these four is instructive.
In each case, the client had deployed deception technology — Labyrinth Security in three of the four — that triggered detection on lateral movement attempts. In each case, the SOC was instrumented to detect identity anomalies in addition to endpoint telemetry. In each case, internal network segmentation was operationally enforced, not just diagrammed.
Most importantly, in each case, the security team had visible executive sponsorship and the operational authority to act on detections quickly. They were able to contain incidents — even simulated ones — within minutes rather than hours.
The technology was a necessary condition. The organisational discipline to operate the technology was the sufficient one.
What this implies for your testing programme
If your penetration testing programme is not finding the patterns above, the question is whether your testing has the right scope rather than whether your environment is genuinely cleaner than peer organisations. Most testing programmes are configured to find the findings the organisation is comfortable remediating. Programmes that find harder findings tend to be commissioned by organisations that are ready to act on them.
The single most useful change we see clients make is to commission a threat-led penetration test rather than a network penetration test. The framing — “what could an attacker who is genuinely trying to compromise this organisation do” — produces different findings than “what vulnerabilities exist on this network”. The first framing is what regulators are now expecting. The second is what your auditor will keep accepting until they are not allowed to anymore.
We expect the regulatory pressure on the first framing to increase substantially over the next 18 months.
Mellivor delivers penetration testing, red team engagements, and threat-led penetration testing under DORA, CBEST, and TIBER frameworks. To discuss your testing programme, contact our advisory team.