The Complete Guide to Penetration Testing in Incident Response

Incident Response Strategy & Best Practices

Combining Penetration Testing and TTX to Improve Incident Response: A Guide

Traditional risk assessments offer great insights, but they ultimately fall short when confronted with actual attacks. Combining penetration testing with tabletop exercises (TTX) creates a more complete approach to short- and long-term security resilience, which translates to happy clients who are willing to pay for your expert consulting.

(Thank us later). 

Ultimately, the goal here is to uncover the "real risks" facing your clients' business. This goes deeper than asking, "Do you have endpoint protection in place?" It means actually testing for, and finding, viable attack paths into your clients' systems.

Once you do that, you show your client how you would reach their crown jewels and what is at risk. Think external attack surfaces, cloud misconfigurations, physical security weaknesses, social engineering vulnerabilities, privilege escalation paths, and data exfiltration routes, any of which can hide untested risk if it isn't properly managed.

Don't take our word for it, though. Our contributor, the Rogue Recon, has seen the power of pentests firsthand over 20 years in the field, noting that they "uncover social engineering paths + overlooked dev environments."

"They're great for TTX prep," he continues. "Teams are caught off guard by real-world attack flow." 

Recent industry reports also encourage a more holistic approach to visibility: vulnerability exploitation nearly tripled in 2024, a 180% increase over the previous year. Combined with the rise of ransomware and pure-extortion threat actors, this further highlights the need for "better" when it comes to protecting the jewels.

So—ready to reap the benefits of a comprehensive pentest-friendly approach for your clients? Let’s dig in.

Using Penetration Testing to Strengthen Incident Response

When you conduct a thorough penetration testing engagement, you're mapping out the dungeon, its monsters, and possible ways to lose the jewels before your client ever faces a dragon. In addition to the initial ROI you get just from doing penetration testing, you can use those findings to fuel engaging storylines for your next tabletop. 

Win.

Our Recon actually encountered a rogue dev server that a third-party security team had left behind in his client's environment. The worst part? It was hiding hardcoded AWS keys in the environment files. 

Once found, the Rogue Recon used the keys to gain access to production data and IAM permissions that let him into the logs (and plenty of other areas he didn't belong in). The team was (understandably) floored when they found out. 

"I remember at the time, the team was totally lost when thinking through what to do if this had been a real incident. Their first instinct was just to shut the server down. But that didn't address the bigger issue—those exposed API keys, the access path into cloud infrastructure, potential persistence mechanisms...there were several follow-up risks that weren't part of their IR playbook."

Findings like these are not uncommon, and they highlight another important fact for IR consultants (and those they serve): the real magic of penetration testing is that you aren't asking clients to care about hypothetical risks. You're walking them through the weaknesses they have NOW, which all but guarantees buy-in.
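To make the dev-server finding concrete, here is an added example (not the Rogue Recon's tooling, and not part of the original post) that does the two things the team's playbook was missing: it pulls AWS credentials out of an environment file the way a tester would, and it triages the key's use in CloudTrail so the follow-ups (the key itself, the access path into the account, persistence attempts, data exposure) fall out of the evidence rather than instinct. The .env text and the CloudTrail records are constructed; the access key is AWS's documented placeholder, not a live credential, and the trusted range is an assumption.

```python
"""Leaked AWS keys on a forgotten dev server: find them, then triage their use.

Added example for this post, not the Rogue Recon's tooling. The .env text and
the CloudTrail records are constructed; the access key is AWS's documented
placeholder (AKIAIOSFODNN7EXAMPLE), not a live credential.
"""
import ipaddress
import re

# AKIA = long-term IAM user key (never expires), ASIA = temporary STS key.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_RE = re.compile(r"^\s*AWS_SECRET_ACCESS_KEY\s*=\s*['\"]?([A-Za-z0-9/+=]{40})", re.M)

# Constructed: what the tester might read out of the server's environment file.
SAMPLE_ENV = """\
DB_HOST=10.0.3.17
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
S3_BUCKET=prod-customer-exports
"""

# Constructed CloudTrail records, trimmed to the fields the triage needs.
# 10.0.3.17 is the dev server itself; 203.0.113.44 stands in for the tester's box.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-02T09:14:03Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "10.0.3.17", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "errorCode": None},
    {"eventTime": "2024-05-02T21:40:11Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.44", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "errorCode": None},
    {"eventTime": "2024-05-02T21:41:27Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.44", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "errorCode": None},
    {"eventTime": "2024-05-02T21:43:02Z", "eventName": "FilterLogEvents",
     "sourceIPAddress": "203.0.113.44", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "errorCode": None},
    {"eventTime": "2024-05-02T21:45:09Z", "eventName": "CreateAccessKey",
     "sourceIPAddress": "203.0.113.44", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-02T22:02:50Z", "eventName": "PutObject",
     "sourceIPAddress": "10.0.3.17", "accessKeyId": "AKIAOTHERKEY0000EXAM", "errorCode": None},
]

PERSISTENCE_CALLS = {"CreateAccessKey", "CreateUser", "CreateRole", "AttachUserPolicy",
                     "PutUserPolicy", "CreateLoginProfile", "UpdateAssumeRolePolicy"}
LOG_READ_CALLS = {"FilterLogEvents", "GetLogEvents", "LookupEvents", "StartQuery"}
DATA_CALLS = {"ListBuckets", "ListObjects", "ListObjectsV2", "GetObject"}


def find_aws_keys(env_text):
    """Return (access_key_id, secret_or_None) pairs found in env-style text."""
    ids = [m.group(0) for m in ACCESS_KEY_RE.finditer(env_text)]
    secrets = SECRET_RE.findall(env_text)
    return [(k, secrets[i] if i < len(secrets) else None) for i, k in enumerate(ids)]


def key_type(access_key_id):
    if access_key_id.startswith("AKIA"):
        return "long-term"
    if access_key_id.startswith("ASIA"):
        return "temporary"
    return "unknown"


def triage_key_usage(events, access_key_id, trusted_cidrs):
    """Events that used the key from outside the trusted ranges, oldest first."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = [ev for ev in events
            if ev["accessKeyId"] == access_key_id
            and not any(ipaddress.ip_address(ev["sourceIPAddress"]) in n for n in nets)]
    return sorted(hits, key=lambda ev: ev["eventTime"])


def playbook_actions(access_key_id, hits):
    """Follow-ups the team's playbook lacked: the key, the access path, persistence, data."""
    actions = []
    if key_type(access_key_id) == "long-term":
        actions.append("Deactivate, then delete, the IAM access key and rotate the secret everywhere it was deployed.")
    else:
        actions.append("Revoke the role's active sessions instead of waiting for the STS credential to expire.")
    names = {ev["eventName"] for ev in hits}
    if names & LOG_READ_CALLS:
        actions.append("Treat log contents as disclosed and check what the logs themselves expose.")
    if names & PERSISTENCE_CALLS:  # a denied attempt still means the attacker tried to persist
        actions.append("Hunt for persistence: new keys, users, roles or policies created after first misuse.")
    if names & DATA_CALLS:
        actions.append("Scope data exposure via S3 data events and bucket access logs, not just the API calls here.")
    return actions


if __name__ == "__main__":
    for key_id, _secret in find_aws_keys(SAMPLE_ENV):
        hits = triage_key_usage(SAMPLE_EVENTS, key_id, ["10.0.0.0/8"])
        print(f"{key_id} ({key_type(key_id)}): {len(hits)} call(s) from outside trusted ranges")
        for ev in hits:
            print("  ", ev["eventTime"], ev["eventName"], ev["sourceIPAddress"], ev["errorCode"] or "ok")
        for action in playbook_actions(key_id, hits):
            print("  ->", action)
```

The point for the TTX is the last function: shutting the server down addresses none of the four actions it produces, and a denied CreateAccessKey still tells you someone tried to outlive the key you are about to revoke.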

"Ultimately, if you want to use this in a TTX," our Rogue notes, "... you'd want to walk the team through 'what if this was real. ’ Test their detection capabilities, cloud visibility, and incident response coordination across DevOps and security."

The Business Case: Why IR Consultants and MSSPs Should Bundle Pentesting with TTX

Pentesting and TTX: Are they worth it, especially when paired? 

Absolutely. Here's why. 

Consider ransomware. On its own, a pentest is incomplete in this context: it can show how an attacker gets in, but not how the business responds. You still have to test your response, decide whether you would actually pay, and exercise containment, recovery, and backups, none of which a pentest covers.

That's why you need to do both, with the tabletop built on the pentest's findings.

If you, as an IR consultant or MSSP leader, deliver a penetration testing report showing critical vulnerabilities, then immediately offer to conduct a tabletop exercise based on those exact findings, your conversion rate is (very nearly) guaranteed. 

And so is your executive buy-in.

"MSSPs often struggle to show value beyond monitoring," confirms the Rogue Recon. "A red team report followed by a targeted TTX gives clients a real 'aha!' moment— it makes risk feel real, not theoretical."

Implementing an Effective Pentest & Response Strategy

Ready to roll for initiative and witness the benefits of a combined pentest x TTX strategy for the organizations you serve? Here’s how.

Building the Pentest x TTX Pipeline 

The first step in creating the pentest x TTX pipeline is integrating penetration testing into your incident response planning framework. As you work it in, document as comprehensively as possible to set the stage for TTX buy-in. In practice, that means recording the full attack paths (the chain from initial access through privilege escalation to impact), not just the individual vulnerabilities, obvious or otherwise.

The purpose of these paths is twofold: While they offer more immediate buy-in for a future TTX from your client, they also serve as the storylines for your TTX scenarios. Consider it your worldbuilding step. 

Critical Success Stories from the Field: “The MFA Bypass” 

Our Rogue Recon recently had a penetration testing experience that revealed just how powerful pentests can be when they're paired with a lore-adjacent TTX:

"One 'AHA' moment came during a phishing engagement where the client thought they were fully covered with MFA via Entra ID/Office 365. They were using the default Microsoft Authenticator push notifications, thinking that was enough to stop any phishing attempts.

We set up a phishing site using Evilginx2, which acts as a man-in-the-middle and proxies the real Microsoft login flow. The phishing email looked like a shared Teams file—a very typical lure. The user clicked the link, landed on our Evilginx2 page, entered their username and password, and got a real MFA push on their phone. They approved it—and just like that, we had valid session cookies and full access to their Office 365 environment. 

That meant email, OneDrive, SharePoint, Teams—everything. No alerts were triggered, and to the client, it looked like a normal login from a trusted location.

The client's reaction? Total shock. They had no idea their MFA solution could be bypassed so easily." 

And this, fellow allies, is exactly the kind of revelation that transforms theoretical security discussions into urgent action items.
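The client's "no alerts were triggered" is the part a TTX should dig into, because the relayed login does leave a trace. As an added example (not the Rogue Recon's tooling, Microsoft's, or any vendor's detection), the script below runs two checks over constructed sign-in records: an interactive sign-in that satisfied MFA by push from an IP the user has never used before (the identity provider sees the proxy, not the victim), and a session later used from a different IP than the one that established it, with no new MFA prompt (the stolen cookie loaded into the attacker's browser). The record shape and field names are simplifications I assumed, not the exact Entra ID sign-in log schema, and the addresses are constructed.

```python
"""Detect stolen-session replay after an adversary-in-the-middle phish.

Added example for this post, not the Rogue Recon's tooling or any vendor's
detection. The sign-in records are constructed in a simplified shape; the
field names are assumptions, not the exact Entra ID sign-in log schema.
"""

# Constructed sign-ins for one user. 198.51.100.7 is the office egress, 203.0.113.9 the
# phishing proxy (what the identity provider sees during the relayed login), and
# 203.0.113.77 the box where the stolen cookie is loaded into a browser.
SIGN_INS = [
    {"user": "jdoe@example.com", "time": "2024-05-06T08:02:11Z", "ip": "198.51.100.7",
     "session": "s-1111", "interactive": True, "mfa": "Microsoft Authenticator notification"},
    {"user": "jdoe@example.com", "time": "2024-05-06T08:40:55Z", "ip": "198.51.100.7",
     "session": "s-1111", "interactive": False, "mfa": None},
    # Relayed login: password and push approval pass through the proxy, so MFA is "satisfied".
    {"user": "jdoe@example.com", "time": "2024-05-07T10:31:45Z", "ip": "203.0.113.9",
     "session": "s-2222", "interactive": True, "mfa": "Microsoft Authenticator notification"},
    # Cookie replay: same session, different network, no new MFA prompt.
    {"user": "jdoe@example.com", "time": "2024-05-07T10:34:02Z", "ip": "203.0.113.77",
     "session": "s-2222", "interactive": False, "mfa": None},
    {"user": "jdoe@example.com", "time": "2024-05-07T11:10:19Z", "ip": "203.0.113.77",
     "session": "s-2222", "interactive": False, "mfa": None},
]


def detect_session_replay(records):
    """Two signals from the flow above: an interactive sign-in from an IP the user has never
    used, and a session later used from an IP other than the one that established it.
    Returns one alert dict per (signal, session, ip), in time order."""
    seen_ips = {}        # user -> IPs from earlier sign-ins
    origin_ip = {}       # (user, session) -> IP of the interactive sign-in that created it
    flagged = set()
    alerts = []
    for r in sorted(records, key=lambda r: r["time"]):
        key = (r["user"], r["session"])
        if r["interactive"]:
            known = seen_ips.setdefault(r["user"], set())
            if known and r["ip"] not in known:
                alerts.append({"type": "new_ip_interactive", "user": r["user"], "session": r["session"],
                               "ip": r["ip"], "time": r["time"], "mfa": r["mfa"]})
            known.add(r["ip"])
            origin_ip.setdefault(key, r["ip"])
        else:
            first = origin_ip.get(key)
            if first is not None and first != r["ip"] and (key, r["ip"]) not in flagged:
                flagged.add((key, r["ip"]))
                alerts.append({"type": "session_ip_change", "user": r["user"], "session": r["session"],
                               "ip": r["ip"], "established_from": first, "time": r["time"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(SIGN_INS):
        print(alert)
```

Against real sign-in logs the same two joins (user to prior IPs, session to its originating sign-in) are what a SIEM rule needs; the second signal is the one that survives even when the proxy's IP happens to look unremarkable.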

The Natural 20

The real "magic" for the stakeholders involved happened after the Rogue's team finished the penetration test.

"After the test, the client's IT team quickly moved to enforce WebAuthn with YubiKeys for high-privilege users and began a phased rollout company-wide. They also updated their IR runbooks to include cookie theft and session hijacking scenarios, and now they use TTXs to practice detection and response for these kinds of attacks,” the Rogue notes. 

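Why does the move to WebAuthn close the hole the push approval left open? Because the browser and the authenticator, not the user, decide which site a credential answers to. As an added example (not the client's deployment, Microsoft's code, or anything from Evilginx2), the script below implements the two layers a proxy runs into: the browser only invokes an authenticator when the page's host matches the relying party ID, and the relying party checks the origin and rpId hash that the authenticator signed, so a relayed assertion carries the proxy's origin and fails. The relying party ("login.example.com"), the phishing host and the assertions are constructed; the final signature verification over authenticatorData || SHA-256(clientDataJSON) is named but not performed, since it needs only the registered public key once these checks pass.

```python
"""Why a WebAuthn assertion cannot be relayed the way the push approval was.

Added example for this post (not the client's deployment, Microsoft's, or
Evilginx2 code). The relying party ("login.example.com"), the phishing host
and the assertions are constructed. The signature check over
authenticatorData || SHA-256(clientDataJSON) is the step after these checks
and is left out here; it needs only the registered public key.
"""
import base64
import hashlib
import json
import os
from urllib.parse import urlparse

RP_ID = "login.example.com"                        # assumed relying party ID
EXPECTED_ORIGINS = {"https://login.example.com"}   # origins the RP accepts in clientData


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_allows_rp_id(page_origin: str, rp_id: str) -> bool:
    """Layer one: a browser invokes the authenticator only if the page's host is the rpId
    or a subdomain of it (simplified: real browsers also apply the public suffix list)."""
    host = urlparse(page_origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def make_client_data(challenge: bytes, page_origin: str) -> bytes:
    """What the browser builds for the authenticator to sign. It fills in the page's real
    origin itself; a proxy page cannot substitute the genuine one."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": page_origin, "crossOrigin": False}).encode()


def make_authenticator_data(rp_id: str, flags: int = 0x05, counter: int = 1) -> bytes:
    """rpIdHash || flags (UP=0x01, UV=0x04) || signCount, the extension-free layout."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, auth_data: bytes, issued_challenge: bytes):
    """Layer two: relying-party checks on the signed inputs. Returns (ok, detail)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not JSON"
    if cd.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    if b64url_decode(cd.get("challenge", "")) != issued_challenge:
        return False, "challenge does not match the one issued for this login"
    if cd.get("origin") not in EXPECTED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not the relying party"
    if len(auth_data) < 37:
        return False, "authenticator data too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash belongs to a different relying party"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    to_sign = auth_data + hashlib.sha256(client_data_json).digest()
    return True, f"checks passed; verify the signature over {len(to_sign)} bytes next"


if __name__ == "__main__":
    challenge = os.urandom(32)
    genuine = "https://login.example.com"
    phish = "https://login.example-files.test"    # constructed stand-in for the proxy host
    print(verify_assertion(make_client_data(challenge, genuine), make_authenticator_data(RP_ID), challenge))
    # On the proxy page the browser refuses to use a credential scoped to login.example.com...
    print(browser_allows_rp_id(phish, RP_ID))
    # ...and even a forwarded assertion would carry the proxy's origin inside the signed data.
    print(verify_assertion(make_client_data(challenge, phish), make_authenticator_data(RP_ID), challenge))
```

This is the contrast worth putting in the runbook: a push notification carries no information about where the user typed their password, while the WebAuthn origin is written by the browser into data the key signs, which is why no amount of lure quality gets a proxy past it.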
It’s Time to Gain a Level In Your Cybersecurity Approach: Here’s How

Incorporating penetration testing with TTX brings a transformative result to the table for stakeholders and consultants alike. This approach allows you to worldbuild, show immediate risk and value, and extend the return on a single engagement, driving loyalty, profit, and ongoing client relationships.

Ready to transform your tabletop exercises with high-impact, pentest-derived scenarios? Ally is offering IR consultants, MSSPs, and vCISOs free access to our platform for your next tabletop exercise. Sign up today, let Asa be your scribe, and discover why the most successful security consultants are making Ally their trusted companion in the battle against cyber threats.

“ROGUE RECON”
This white hat cybersecurity leader and application security wizard has over 20 years of experience. While he chooses to remain in the shadows, in the past he has founded, grown, and successfully sold cybersecurity businesses.

About Ally Security

Ally is here to support facilitators, which in turn creates a virtuous cycle where exercises take less time, provide more value, are run more frequently, and leave every organization better prepared.


Have a great IR story? Tell Asa!

The unexpected wins. The client curveballs. The chaos you couldn’t have scripted if you tried. Dear Asa is your space to share the stories that don’t make it into the official post-incident report. Script, submit, and enjoy a chance to be featured or quoted in an upcoming post.
