Finding a Company’s BreakPoint is all about identifying how to compromise an organization. Andrew and Zack will be sharing their experience from various engagements (DoD Red Team engagements, Commercial Penetration Tests, and various other Security Assessments). Often many will believe that a Pentest or Red Team engagement is all about “Scan then Exploit”, but that is only a subset of the work. The talk will be aimed at providing actionable methods for listeners in hopes that they can apply them to their day job with a goal of improving their organization's security posture. Some of the topics discussed will be: · How to Conduct a Phishing Engagement · Vulnerabilities Missed by Automated Testing (Scans) · Manual Exploitation: So the Metasploit module is not working, now what? · Push Past Scans: So you ran a vulnerability scan, now what? · Introduce some Python scripting concepts to save time Andrew and Zack will also share where these methods can cross over into vulnerability assessments, and internal vulnerability management programs to help Blue Teams think more like the Red Team.

Andrew McNicol is driven by his passion for helping organizations identify exploitable vulnerabilities before an adversary. He is currently the CTO at BreakPoint Labs specializing in offensive security services, mentor for SANS, and one of the founders and lead authors of Primal Security. Previously, he lead a penetration testing team and worked on an incident response team focusing on malware analysis and network forensics for DoD, Law Enforcement, and Commercial companies. Andrew holds an M.S. in Information Assurance, and variety of InfoSec qualifications (OSCE, OSCP, OSWP, GICSP, GCFA, GCIA, GCIH, GPEN, GREM, GSEC, GWAPT, GWEB, CISSP, CEH, etc.). Zack Meyers is a business-oriented guy that then became a motivated InfoSec geek after getting started as a continuous monitoring vulnerability analyst. Shortly after, he took an interest in the offensive side of security work and currently works as an Offensive Security Engineer at BreakPoint Labs. Today he is always looking to learn about new techniques and tools that can help him identify his next big vulnerability finding. He is currently a member of Primal Security Blog | Podcast and holds several security certifications including OSCP, CISSP, GWAPT, GPEN, GCIH, etc.

Recorded at BSides Philly 2016