Thanks for the feedback. Actually, I think that the role of pentesting fits very well into a view of this. While doing an assessment, you can very easily articulate your findings into probabilistic phrases.

  • “Given an active adversary on a laptop on our network, I predict a 30% chance that this unpatched server will be found.”
  • “If these 6 vulnerabilities are fixed by my next engagement, I predict a 15% likelihood that I can move into the production subnet. If they are not fixed, I predict a 90% chance of success.”
  • “I predict a 1% detection rate of an adversary on this network, given that I have not seen any centralized logging or network detection infrastructure.”

Participating in things like the Good Judgment Open helps practice that phrasing.
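Added illustration (not part of the comment above): once findings are phrased as probabilities, they can be scored at the next engagement like any other forecast. The helper below records the three sample predictions with constructed outcomes and computes a Brier score and a simple calibration table; all outcome values are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Forecast:
    claim: str                      # the finding, as phrased in the report
    p: float                        # stated probability that the event occurs
    occurred: Optional[bool] = None  # filled in at the follow-up engagement


def brier_score(forecasts: List[Forecast]) -> float:
    """Mean squared error between stated probabilities and outcomes.
    0.0 is perfect, 1.0 is maximally wrong; unresolved forecasts are skipped."""
    scored = [f for f in forecasts if f.occurred is not None]
    if not scored:
        raise ValueError("no resolved forecasts to score")
    return sum((f.p - float(f.occurred)) ** 2 for f in scored) / len(scored)


def calibration_table(forecasts: List[Forecast], bins=(0.0, 0.2, 0.5, 0.8, 1.01)):
    """Bucket resolved forecasts by stated probability and compare each
    bucket's mean prediction with the frequency actually observed."""
    resolved = [f for f in forecasts if f.occurred is not None]
    rows = []
    for lo, hi in zip(bins, bins[1:]):
        bucket = [f for f in resolved if lo <= f.p < hi]
        if bucket:
            rows.append({
                "range": (lo, min(hi, 1.0)),
                "n": len(bucket),
                "mean_prediction": sum(f.p for f in bucket) / len(bucket),
                "observed_rate": sum(f.occurred for f in bucket) / len(bucket),
            })
    return rows


# Constructed sample: the forecasts from the comment, with outcomes invented
# for a hypothetical follow-up engagement (illustrative values only).
SAMPLE = [
    Forecast("unpatched server found by adversary on a laptop", 0.30, True),
    Forecast("move into production subnet after the 6 fixes", 0.15, False),
    Forecast("adversary detected on the network", 0.01, False),
    Forecast("move into production subnet, fixes not applied", 0.90, True),
]

if __name__ == "__main__":
    print(f"Brier score: {brier_score(SAMPLE):.3f}")
    for row in calibration_table(SAMPLE):
        print(row)
```

Over many engagements the calibration rows show whether "15%" findings really land about 15% of the time, which is the feedback loop forecasting practice provides.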
