The client wanted a "realistic" adversary simulation. What they actually wanted was confirmation bias. Step one: inherit their default image, the one that's been quietly rotting in their private registry since 2019. Step two: nod politely while the project manager tells you the scope is limited to the staging environment. Step three: take the staging VPN profile and watch it happily waltz you into production because somebody reused the same wireguard keys everywhere.

I documented the compromised jump host, wrote the payload chain, and let the command shell idle long enough for their SOC to notice. Nobody called. Hours later, I exfiltrated their so-called golden AMI and left a markdown file on the desktop titled maybe_patch_me.md. The response? A congratulatory email for "maintaining discretion." If the stakes weren't so high, it would almost be funny.

Lessons from the Ruins🔗

  1. Segmentation isn't optional. When staging and production share credentials, your blast radius is the size of the data center.
  2. Telemetry without analysts is theater. Alert fatigue is real, but so is complete apathy.
  3. Threat models age like milk. The "known-good" baseline is usually where the malware hides.

The point of the exercise isn't that the defenders were lazy. It's that the system incentivized them to stay that way. "Failing" the pen test was just flipping the lights on and letting the cockroaches scatter.