As you analyze vulnerability scan results and observe the target environment, you will encounter recurring conditions and/or common themes. These can be:

  • Lax physical security.
  • Employees not following corporate policy or best practices.
  • Lack of adequate cybersecurity training.
  • Lack of software patching and updating.
  • Lack of operating system hardening.
  • Poor software development practices.
  • Use of outdated networking protocols.
  • Use of obsolete cryptographic protocols.
  • And more.

By identifying common themes like these, you may stumble on a pattern of behavior. This pattern could extend to assets that you haven't yet tested or hadn't planned on testing. If you plan on testing them in the future, you can make certain educated guesses and assumptions that can make your job easier, or lead you down certain paths that you otherwise wouldn't have taken. Ultimately, identifying common themes provides you with a more complete picture of your target environment and its weaknesses.