Pentests Don't Map Shadow Currents. Attackers Do.
Why penetration testing misses the cross-domain paths that matter most
Your pentest came back clean. Your auditors are satisfied. Your compliance checkboxes are filled. And somewhere in your environment, a shadow current is already flowing.
Why Penetration Tests Miss the Attacks That Actually Matter
Pentests check visible channels. The attack paths that matter flow through cracks tested on different days by different teams, or never tested at all. As we've traced throughout this series, shadow currents don't exploit single vulnerabilities -- they chain small gaps together across domains. Pentesting finds the gaps. It rarely maps the chains.
This isn't a criticism of penetration testing. It's a structural reality that every security team relying on annual assessments needs to understand clearly.
What Pentests Actually Do Well
Before examining the gaps, credit where it's due. A well-executed pentest delivers real value: it finds vulnerabilities within defined scope, validates specific security controls, satisfies regulatory requirements from PCI DSS to HIPAA, and produces documented findings that drive remediation. The global penetration testing market reached $2.74 billion in 2025 and is growing fast, reflecting genuine organizational investment in security validation.
Pentests work. They just don't work the way attackers work.
The Scope Problem Attackers Don't Have
Every pentest begins with rules of engagement: here's what you test, here's the time window, here are the systems in scope. Production environments, legacy systems, third-party integrations and high-uptime industrial systems are commonly excluded. The rules exist for good operational reasons. But they create a fundamental asymmetry.
Attackers won't politely respect scope boundaries. They'll breach corporate infrastructure to access application data through the path of least resistance. Testers follow pre-defined paths. Attackers discover their own.
The result is security drift: a growing gap between what's been tested and what's actually running. According to Pentera's 2025 State of Penetration Testing report, 96% of organizations make changes to their IT environment at least quarterly. Most test annually. Every deployment, configuration change and new cloud workload between tests represents exposure your pentest never saw. Horizon3.ai's research found that over 40% of organizations report their pentest results are invalid by the time the report is delivered.
Third-party access paths compound this further. As we traced in Blog 9, vendor and partner connections create shadow current channels that span organizational boundaries -- and pentest scopes rarely include them. Temporary remote access, contractor connections and air gaps are exactly the kind of paths that look absent on test day but exist in practice.
Tested Separately, Exploited Together
IT environments get tested by IT security teams using IT security tools. OT environments get tested separately, during maintenance windows, with specialized tools, by specialists who understand Modbus and Profinet protocols. And the boundary between them -- the path most attackers actually use -- often never gets tested at all.
This is the IT to OT shadow current we mapped in Blog 3 -- the strongest channel in most industrial environments, and the one most consistently left out of scope. According to Dragos' OT Cybersecurity Year in Review, approximately 70% of OT-related incidents originate from within the IT environment. Yet IT and OT remain almost universally tested as separate domains.
The Colonial Pipeline attack illustrates what this costs. The 2021 breach entered through a compromised password for an inactive VPN account that wasn't running MFA. Dormant accounts frequently fall outside pentest scope because testers work from current asset inventories that don't include deprecated access points. The attacker didn't need to touch OT systems directly. Colonial shut down 5,500 miles of pipeline because, lacking visibility into OT security status, they couldn't determine what the attackers had accessed. CISA's post-incident analysis identified the core problem: no clear, enforceable boundary between IT and OT networks.
An inactive credential. A scope gap. A cross-domain path. That's how shadow currents flow.
The Timing Gap That Creates Open Windows
Even if scope were perfect, timing wouldn't be. The fastest 25% of intrusions reached data exfiltration in 72 minutes in 2025, down from 285 minutes the previous year, according to Unit 42 research. Annual pentesting produces a compliance document. It provides no defense against a threat that completes its entire kill chain before your security team's morning standup.
Attackers operate continuously. They don't wait for your testing window.
What Shadow Currents Flow Through
When you examine what major breaches actually exploited, a pattern emerges. The Change Healthcare 2024 attack used stolen credentials to move laterally through connected systems. SolarWinds used supply chain trust relationships to bypass defenses at organizations whose individual systems had passed security reviews. According to Verizon's 2025 DBIR, 22% of breaches began with stolen credentials. These aren't vulnerabilities within a single system. They're paths between systems.
XM Cyber's State of Exposure Management 2024 analysis of more than 40 million exposures found that 80% of organizational risk comes from misconfigurations, not CVEs. Less than 1% came from CVEs. Traditional pentests focus on vulnerability exploitation. The actual attack surface has shifted toward trust relationships, credential flows and lateral movement across domain boundaries.
Continuous Attack Path Analysis: The Other Half of the Picture
This is where continuous validation closes the gap. Pentesting finds vulnerabilities in view. Shadow current mapping finds the flows between them. You need both.
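The "tested separately, exploited together" argument above, as an added worked example that is not part of the original post: a small attack-path graph over a constructed IT/OT asset inventory (every node, hop and weakness label is hypothetical), enumerated through four lenses. An IT-scoped test and an OT-scoped test each see nothing alarming, a joint test that still works from the current inventory misses the dormant VPN account, and only the whole-graph map surfaces the chain and shows where it crosses the IT/OT seam.

```python
# Constructed asset/trust graph (hypothetical, not from the original post).
# Node -> (scope a separate test would cover it under, in current inventory?).
NODES = {
    "internet":    ("external", True),
    "vpn-legacy":  ("it", False),   # dormant VPN account, password only, no MFA
    "corp-ws":     ("it", True),
    "domain-ctrl": ("it", True),
    "historian":   ("ot", True),    # dual-homed, joined to the corporate AD
    "scada-hmi":   ("ot", True),
    "plc-line1":   ("ot", True),
}
# Directed hops an intruder could take, with the weakness that enables each one.
EDGES = [
    ("internet", "vpn-legacy", "password-only VPN login"),
    ("vpn-legacy", "corp-ws", "flat corporate network"),
    ("corp-ws", "domain-ctrl", "cached domain admin credential"),
    ("domain-ctrl", "historian", "AD trust spanning the IT/OT boundary"),
    ("historian", "scada-hmi", "no segmentation inside the OT network"),
    ("scada-hmi", "plc-line1", "Modbus has no authentication"),
]

def attack_paths(src, dst, scope=None, inventory_only=False):
    """Simple paths src -> dst over only the nodes a given assessment can see."""
    def visible(node):  # in scope (None = every domain) and, if inventory_only, not dormant
        domain, active = NODES[node]
        return (scope is None or domain in scope) and (active or not inventory_only)
    found, stack = [], [[src]]
    while stack:
        path = stack.pop()
        if path[-1] == dst:
            found.append(path)
            continue
        for a, b, _ in EDGES:
            if a == path[-1] and b not in path and visible(b):
                stack.append(path + [b])
    return found

def boundary_crossings(path):
    """Hops whose endpoints sit in different scopes: the seams no single test walks."""
    return [(a, b) for a, b in zip(path, path[1:]) if NODES[a][0] != NODES[b][0]]

def compare_assessments():
    """One graph, four lenses: IT-scoped, OT-scoped, joint-but-inventory-only, full map."""
    return {
        "it_pentest": attack_paths("internet", "domain-ctrl", {"external", "it"}, True),
        "ot_pentest": attack_paths("historian", "plc-line1", {"ot"}, True),
        "joint_inventory_only": attack_paths("internet", "plc-line1", None, True),
        "full_map": attack_paths("internet", "plc-line1"),
    }

if __name__ == "__main__":
    for lens, paths in compare_assessments().items():
        print(lens, [" -> ".join(p) for p in paths] or "no path found")
```

The OT lens does find a path, but it starts from the historian, a host the OT test treats as trusted; only the full map ties that path back to an external entry point through a credential absent from the inventory.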
Gartner projects that by 2026, organizations prioritizing security investments based on a continuous threat exposure management (CTEM) program will realize a two-thirds reduction in breaches. Forrester's Total Economic Impact research found a 90% reduction in likelihood of severe breach for organizations with proper CTEM implementation, with ROI reaching 400%.
PhishCloud's Cyber Fusion Center delivers continuous situational awareness across IT and OT domains simultaneously, correlating signals in real time across the same boundaries attackers actually cross. Where a pentest captures a moment, the CFC captures the flow.
Your next pentest will tell you what your environment looked like within a defined scope on a specific date. That's genuinely useful. But shadow currents don't stop at scope boundaries, and they don't wait for scheduled testing windows. Understanding both what pentests reveal and what they structurally cannot see is the starting point for real visibility into your attack surface.
Pentests miss shadow currents because they test at one point in time. But there's another temporal dimension worth examining: change windows. During maintenance, upgrades and routine operational changes, shadow currents that didn't exist yesterday suddenly open. That's what we'll explore in the next installment.
Shadow currents flow through paths pentests don't map. See what continuous visibility across your IT and OT environment actually looks like.
Your pentest was clean. The shadow current was already flowing.
Pentesting finds vulnerabilities. It rarely maps the chains attackers use to cross between them. Here's why -- and what closes the gap.
By the Numbers
The structural gap between pentesting and real attacker behavior
5 Gaps Pentests Leave Open
The Scope Boundary
Pentests exclude production systems, legacy infrastructure, and third-party integrations for operational reasons. Attackers have no such rules. They move through whatever path offers least resistance -- including the systems that were never in scope.
The IT/OT Seam
IT teams test IT. OT specialists test OT. The boundary between them -- the path 70% of OT incidents actually use -- gets tested by neither. SANS ICS613 calls this "OT boundary pivoting." Most pentest scopes stop exactly where attackers accelerate.
The Timing Gap
The fastest 25% of intrusions reached full data exfiltration in 72 minutes in 2025. Annual pentesting produces a compliance snapshot. An attacker can complete an entire kill chain before your security team has their morning standup. Testing once a year is not a defense posture.
Dormant Credentials
Testers work from current asset inventories. Inactive VPN accounts, deprecated access points, and old contractor credentials don't appear on those lists. Colonial Pipeline's breach entered through exactly this gap -- an inactive VPN account with no MFA that no one thought to test.
Trust Path Exploitation
22% of breaches start with stolen credentials. SolarWinds exploited supply chain trust. Change Healthcare exploited lateral movement through connected systems. These aren't CVEs -- they're trusted relationships between systems. Pentests focus on vulnerabilities. Attackers focus on trust.
How It Plays Out in Practice
Colonial Pipeline: One Inactive Credential, 5,500 Miles of Pipeline
The 2021 Colonial Pipeline breach entered through a compromised password for an inactive VPN account with no MFA enabled. Dormant accounts routinely fall outside pentest scope -- testers use current asset inventories that don't include deprecated access points.
The attacker never touched OT systems directly. Colonial shut down 5,500 miles of pipeline anyway because they had no visibility into what the attacker had accessed across the IT/OT boundary. CISA's post-incident analysis pointed to the core failure: no clear, enforceable separation between IT and OT networks.
The shadow current: Inactive credential + scope gap + untested cross-domain path. A pentest that checked active systems found nothing wrong. The breach ran through what wasn't tested.
SolarWinds and Change Healthcare: When Trust Becomes the Attack Vector
SolarWinds didn't exploit a CVE. It exploited supply chain trust relationships -- the implicit trust that organizations extend to vendor software updates. Organizations whose individual systems had passed security reviews were compromised because the trust path between vendor and customer was never tested.
Change Healthcare's 2024 attack used stolen credentials for lateral movement through connected systems -- the detection blind spots that exist in every environment where trusted internal traffic blends with attacker movement. Verizon's 2025 DBIR confirms 22% of breaches start this way.
The pattern: Both attacks moved through trusted relationships between systems, not through vulnerabilities within them. XM Cyber's analysis of 40 million exposures confirms this: 80% of organizational risk is misconfigurations and trust paths, while less than 1% is CVEs.
CTEM: Closing the Gap Pentests Can't Close Alone
Pentesting and continuous threat exposure management (CTEM) are not competing approaches -- they're complementary. Pentests deliver deep, validated findings within defined scope. CTEM covers the cross-domain flows, temporal gaps, and environment changes that point-in-time testing structurally cannot address.
Gartner projects that by 2026, organizations running CTEM programs will see a two-thirds reduction in breaches. Forrester's research puts the ROI at 400%, with a 90% reduction in likelihood of severe breach. IBM and Gartner both endorse the complementary model.
PhishCloud's Cyber Fusion Center delivers continuous situational awareness across IT and OT domains simultaneously -- correlating signals in real time across the same boundaries attackers actually cross. Where a pentest captures a moment, the CFC captures the flow.
Key Takeaways
The Structural Limit
Pentests are bounded by scope, time windows, and current asset inventories. Shadow currents flow through exactly what gets excluded -- deprecated credentials, IT/OT boundaries, third-party paths.
Where Attackers Actually Move
80% of risk is misconfigurations and trust relationships, not CVEs. 22% of breaches start with stolen credentials. Attackers move between systems. Pentests mostly test within them.
Both Halves of the Picture
Pentests find the gaps. Continuous validation maps the chains between them. You need both. CTEM programs show 2/3 fewer breaches and 400% ROI. The gap is closeable -- if you know it exists.