Bridging Red and Blue Teams With Automated Pentest Delivery
For decades, security programs have been shaped by a familiar dynamic: red team versus blue team. Red teams think like attackers, probing systems through attack simulation to uncover weaknesses. Blue teams defend, detect, and respond, working to validate vulnerabilities, remediate risk, and keep the business running. In theory, this tension is healthy. In practice, it often creates friction.
The Most Popular Penetration Testing Tools in 2026: 30 Products to Support Your Pentesting Efforts This Year
Penetration testing is a crucial part of cybersecurity and involves finding and exploiting vulnerabilities in networks, applications, systems, or physical environments before the bad actors can. Penetration testing also plays a key role in continuous threat exposure management. Point-in-time testing is no longer enough, and continuous penetration testing is key to effectively identifying and mitigating…
The Operational Gap Between Pentest Reports and Real Remediation
Most security teams invest in pentesting with the expectation that it will lead to real risk reduction. Skilled testers identify meaningful attack paths, validate impact, and provide remediation guidance that is technically sound. In most organizations, the quality of the pentest itself is not the problem. The friction starts after the report is delivered. Security…
Cheers to 2025: PlexTrac Year In Review
Let’s raise a glass to 2025! A year of major product innovation, industry recognition, and global community growth at PlexTrac. Here’s a look back at some of the highlights that made 2025 such a memorable year for PlexTrac.
How Automated Pentest Delivery Enables Unified Vulnerability Management
One of the most common challenges CISOs and security leaders report today is managing disconnected and siloed pentest and vulnerability data. Penetration tests are delivered as static reports while vulnerability scanners run continuously in separate tools. Remediation workflows vary based on where the findings originate. These silos slow response, obscure risk, and extend exposure time…
From Friends Friday to Black Hat Europe: What Security Teams Should Focus on Next
Software supply chain vulnerabilities are becoming one of the most unsettling challenges in modern cybersecurity with increasingly creative attackers. To explore these issues, our founder, Daniel DeCloss, sat down with Jonathan Leitschuh, an open source security researcher known for uncovering high-impact vulnerabilities, advancing responsible disclosure practices, and pushing the industry toward more secure-by-default software.
The Missing Link Between Pentest Findings and Fixes
Why Every Security Program Needs a Mobilization Coordinator
Pentests rarely fail because testers miss something critical. In fact, that part usually goes pretty well. The breakdown almost always happens after the report is delivered. Findings sit untouched. Some get half-fixed. Others disappear under the weight of sprint deadlines, operational noise, or the vague hope that…
The Automation Imperative: Why Pentest Delivery Must Catch Up With Continuous Testing
Security feels a lot like Whac-A-Mole these days. Between cloud-native architectures, microservices, APIs, and rapid deployment cycles, cybersecurity threats are constantly popping up and redefining how software is built and delivered. Yet penetration testing, which is a proven method for identifying exploitable weaknesses, remains a point-in-time snapshot. In some cases, annual penetration tests don’t even happen…
Cisco Vulnerability Management (formerly known as Kenna) Is Going Away: PlexTrac Can Help Teams Move Forward
If you’ve been around vulnerability management for a while, you probably saw the news: Cisco is sunsetting Cisco Vulnerability Management (fka Kenna Security). This may come as a surprise to some, but it reflects a broader shift already underway. Risk-based vulnerability management is no longer just about scoring vulnerabilities—it’s about understanding exposure, orchestrating remediation, validating fixes, and continuously aligning teams around what actually matters.
Automate Pentest Findings Delivery in Real-Time
Take the Pain Out of Pentest Delivery With Automation
For many security teams, traditional pentest delivery still relies on static PDFs, spreadsheets, and email threads. Findings sit idle while reports are compiled, manually entered into Jira or ServiceNow, and passed between teams. Meanwhile, critical vulnerabilities remain unaddressed. As testing frequency increases and organizations adopt continuous…
Spooky Supply Chains & Researcher Reality: A Conversation with Jonathan Leitschuh
Software supply chain vulnerabilities are becoming one of the most unsettling challenges in modern cybersecurity with increasingly creative attackers. To explore these issues, our founder, Daniel DeCloss, sat down with Jonathan Leitschuh, an open source security researcher known for uncovering high-impact vulnerabilities, advancing responsible disclosure practices, and pushing the industry toward more secure-by-default software.
Friends Friday Recap: Building a Continuous Purple Teaming Program with Paul Nieto III
On a recent PlexTrac Friends Friday Podcast, our founder, Daniel DeCloss, sat down with Paul Nieto III, a seasoned red team operator at Royal Caribbean, to unpack how his organization built and scaled a purple teaming program that runs continuously, not just once a year.