In a recent report, Rapid7 found that two thirds of penetration test engagements were not detected at all by the organization being tested. Detection rates were nearly identical between large and small organizations and across different industries. This was a great concern: unlike pen tests, which were short-term, rapid-fire and sometimes loud, real attacks were usually long-term, slow and quiet. An organization that could not detect a penetration test would therefore be unable to detect a real cyber attack. Part of the problem was that organizations couldn't or didn't track their event logs daily.

Penetration testing was also gradually evolving. Bug bounty programs were on the rise and tended to shape the nature of some pen testing. Many organizations with bug bounty programs, especially technology companies including Facebook, Yahoo!, Google, Reddit, Square and Microsoft, were shifting to more focused and challenging engagements.