SecretCon 2025 - Prioritizing Internal Pentests: so much to hack, so little time

Date:

The talk can be found here.

We are 2 members of the pentesting team at Target. In an organization of our size, there is no shortage of apps to test so the question becomes: how do you decide which apps are the most critical? This presentation will cover the main considerations we make when trying to answer this question and how we used data analysis to refine our algorithm. We will share our journey from drowning in pentest requests to curating our workload. This is not a topic we found much public material on when evaluating how other organizations overcame this challenge. It’s our hope that we can give internal pentest teams some guidance instead of making the same mistakes we did.