Back to Blog Home

Penetration testing, Chicken Guns, and Mike Tyson

July 22, 2020

Here at OnX, we do quite a few pentests every year.

I’ll note for my readers that the term is an abbreviation for penetration tests.

It’s funny how many folks think the “pen” is an acronym and spell it as “PEN test,”.

So let your friendly neighborhood pentester set you straight:

A graphic denoting acceptable spellings for penetration tests abbreviations

So what is a penetration test? Why does it sound so menacing and borderline inappropriate? Let me explain by referencing 1950s aerospace engineering.

Penetration testing explained

In the 50s, fleets of aircraft were in use all over the world, but facing a dangerous problem: running into birds in midair. This led to technical advances in building new windshields and new engines, but engineers needed to ensure that their designs would satisfy their requirements. So how do you make sure your windshield stands up to a bird hitting it? You hit it with a bird!

This is how the “chicken gun” was born: a compressed-air cannon that would fire a dead chicken into a target. Over the following decades, several aircraft manufacturers developed these tools as a way to test the resilience of their safety measures.

Penetration tests are the chicken guns of the IT and information security field.

Think about how much effort you put into defending your organization and computing environments from attacks. You stack up security software on your endpoints, place box after box in a pile between your users and the Internet, write pages of policy—but are you actually sure those defenses and controls will stop the threats about which you are concerned, beyond what they promise on paper?

Penetration testing is ultimately the only way to make sure.

We test whether we can penetrate your network, your database, your cloud environment, and so on.


They are simulated cyber attacks, performed in controlled conditions by trained, ethical hackers, and the intention is to mirror actual attacker tools, tactics, and procedures.

They’re mandatory for a lot of security frameworks and regulatory compliance requirements because they demonstrate the actual effectiveness of the entirety of the security strategy.

The bottom line is, if you want to know if your organization’s security strategy will truly stop your threats, a penetration test is essential. As the great philosopher Mike Tyson reminds us, “Everyone has a plan until they get punched in the mouth.”

It sounds like a straightforward idea, so why isn’t everyone doing them?

There’s a fear aspect, with leadership and technical folks uneasy with the idea of someone using attacker tools on them. To this we say: Attackers are out there! They’ll use their tools on you, whether you’re comfortable or not. Why not let some friendly faces do it first and tell you how to fix what they found?

There are also budgetary challenges as it can seem extravagant to spend money on an assessment like this. Again, we would say that you’re going to incur cost if your defenses fail to stop an attacker. This may be much more substantial than the cost of the test. The cost of lost business, fines, ransom payments, legal fees, brand impact, and the like can stack up pretty quickly.

If you’d like to learn more about penetration tests, and specifically what a test designed for your business and environment would look like, we’d be happy to dream up one with you. We’ll leave the chickens at home!

Previous Post:

Making sense of the U.S H1 visa suspension and what it means for IT staffing

Next Post:

How to build an effective patch management program