
Why You Got Hacked – 2025 Super Edition

This article was written to provide readers with an overview of a selection of our pentest results from the last 15 months. This data was gathered toward the end of September 2025. Shockingly, the data does not differ much from our prior analyses conducted at the end of 2022 or 2023.

The post Why You Got Hacked – 2025 Super Edition appeared first on Black Hills Information Security, Inc..


The Top Ten List of Why You Got Hacked This Year (2023/2024)

Jordan Drysdale and Kent Ickler // tl;dr: BHIS does a lot of penetration testing in both traditional and continuous penetration testing (CPT) formats. This top ten style list was derived […]


Revisiting Insecure Direct Object Reference (IDOR)

The new year has begun, and as a penetration tester at Black Hills Information Security, one thing really struck me as I reflected on 2023: a concerningly large number of […]


Hit the Ground Running with Prototype Pollution

Isaac Burton // For as long as we have known about prototype pollution vulnerabilities, there has been confusion on what they are and how they can be exploited. We’re going […]
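The teaser above only names the vulnerability class, so here is an added example (not code from the BHIS post) of what a prototype pollution bug looks like in practice: a recursive "merge" that copies attacker-controlled keys, fed a constructed JSON payload carrying a `__proto__` key, ends up writing `isAdmin` onto `Object.prototype`, so every object created afterwards inherits it. The hardened `safeMerge` beside it refuses the `__proto__`, `constructor` and `prototype` keys and only walks own properties. All function names and the payload are assumptions made for this illustration.

```javascript
// Added example, not from the original BHIS post. Demonstrates how a naive deep
// merge of untrusted JSON pollutes Object.prototype, and a merge that does not.

// Vulnerable: trusts every enumerable key, including an own "__proto__" key that
// JSON.parse creates as a plain data property. Reading target["__proto__"] goes
// through the Object.prototype accessor and returns Object.prototype itself, so
// the recursion writes straight onto the shared prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip the keys that reach the prototype chain, iterate only own keys,
// and never recurse into an inherited property of the target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop the dangerous keys outright
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input: a normal-looking settings object with a __proto__ key.
const MALICIOUS_JSON = '{"name":"alice","__proto__":{"isAdmin":true},"role":{"level":1}}';

// Run the vulnerable merge, observe the pollution on an unrelated object, then
// clean Object.prototype up so the rest of the process is not left polluted.
function demoUnsafe() {
  const config = unsafeMerge({}, JSON.parse(MALICIOUS_JSON));
  const unrelated = {};
  const result = {
    name: config.name,
    configHasOwnIsAdmin: Object.prototype.hasOwnProperty.call(config, 'isAdmin'),
    unrelatedIsAdmin: unrelated.isAdmin === true, // true: inherited from Object.prototype
  };
  delete Object.prototype.isAdmin;
  return result;
}

// Same payload through the hardened merge: legitimate keys survive, the
// __proto__ branch is discarded, and no other object is affected.
function demoSafe() {
  const config = safeMerge({}, JSON.parse(MALICIOUS_JSON));
  const unrelated = {};
  return {
    name: config.name,
    level: config.role.level,
    configIsAdmin: config.isAdmin === true,
    unrelatedIsAdmin: unrelated.isAdmin === true, // false
  };
}

console.log('unsafeMerge:', demoUnsafe());
console.log('safeMerge:', demoSafe());
```

Note that `JSON.parse('{"__proto__":{}}')` produces an object with an own property literally named `__proto__`; the bug is in code that later reads or writes `target[key]` with that key on an ordinary object, which is exactly what generic merge, extend and "set path" helpers do. Creating the target with `Object.create(null)` is a complementary defence, since such an object has no `__proto__` accessor to reach through.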


Webcast: How to Hunt for Jobs like a Hacker

Job hunting? Looking for a career change? Still in college and want to know how to get started now in your career? If you answered yes to any of these […]


Collecting and Crafting User Information from LinkedIn

Justin Angel // Penetration testing and red team engagements often require operators to collect user information from various sources that can then be translated into inputs to support social engineering […]


Cisco Smart Installs and Why They’re Not “Informational”

Jordan Drysdale // tl;dr Cisco Smart Install is awesome (on by default)…for hackers… not sysadmins. So, you Nessus too? Criticals and highs are all that matter! Right??? Until this beauty […]


What to Expect After a Pen Test

What to do after a penetration test

Scott Worden* // So you and your company had a pen test…now what? What to do, how to plan, and good SQUIRREL! ways to stay on track. The 3 […]


Finding: Server Supports Weak Transport Layer Security (SSL/TLS)

David Fletcher // The following blog post is meant to expand upon the findings commonly identified in BHIS reports. The “Server Supports Weak Transport Layer Security (SSL/TLS)” is almost universal across […]


Finding: Weak Password Policy

David Fletcher // The weak password policy finding is typically an indicator of one of two conditions during a test: A password could be easily guessed using standard authentication mechanisms. A […]
