Penetration testing came about because of real-world attacks. The industry quickly realized that to learn how to defend against attackers we needed to behave like them, and the penetration testing industry was born. Back then, when an exploit was found it was released in raw form, often refined by others, and released again. Our defensive methodologies and detections were derived from that approach, and the approach became very paint-by-numbers. Penetration testing originated in real-world attacks and evolved alongside them, but a few years ago that evolution stopped: we quit mimicking real attackers. Why? Not because the industry lacked the will to keep advancing, but because it became too difficult. Times have changed, and people, attackers especially, no longer give things away. True attackers treat a vulnerability or exploit as something special: they understand it, research every aspect of it, and then weaponize it. That takes time and money, and once money was involved the penetration testing industry went in a different direction from real-world attacks. Yes, our tools replicate "bad" things on networks, but they do not replicate everything. This talk covers the less common tactics, techniques, and procedures (TTPs) seen in real-world attacks and shows the differences between true attackers and current penetration testers. It focuses on the binary and forensic aspects of these scenarios to show how significantly true attacks differ from penetration tests.