WEEK 1 · INVENTORY

Read your last pen test as a system, not a list.

Attackers don't exploit single vulnerabilities anymore. They chain them.

The mean time to chain three findings into full compromise is under two hours. Not the headline criticals — three "low" and "medium" issues that nobody flagged, stitched together into a single path. That's how most real breaches actually happen, and it's the part your vulnerability report is worst at showing you.

Here's the problem with how we triage. CVSS scores rate findings in isolation. A score tells you how bad one weakness is on its own, assuming nothing else around it exists. But attackers don't operate in isolation — they operate in paths. An information disclosure rated 3.1 means almost nothing by itself. Wire it to a misconfigured service rated 5.4, then to a set of reused credentials rated 4.9, and suddenly those three "minor" issues are a clean walk from the public internet to your domain controller. No single finding on that path would have woken anyone up at 2 a.m. Chained, they own you. So the most useful thing on your desk isn't the list of criticals. It's the path hiding inside the list of everything else. Your real risk register isn't a ranked column of severities — it's a map of what those findings look like once you connect them.

Try this. It takes about an hour. Pull your most recent pen test or vulnerability scan. Set the criticals aside for ten minutes — genuinely ignore them. You already know about those; they have tickets, owners, and a deadline. Instead, read every "low" and "medium" finding, in order, top to bottom. Don't skim for the worst one. Read all of them, the way an attacker reading recon notes would. Then ask a single question: which of these, chained together, would get an attacker to a crown-jewel asset? A crown jewel is whatever ends the conversation if it's lost — your customer database, your source code, your identity provider, your finance systems. Trace the path out loud or on paper. Start at something externally reachable. What does it expose? What does that let you reach next? Keep going until you either hit a dead end or hit something that actually matters.
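The tracing exercise above is a reachability search over a graph whose nodes are assets and whose edges are findings. As an added illustration (example code written for this page, not something from the original post), the script below runs that search over a constructed report. The finding ids, asset names and CVSS scores are hypothetical; the first three findings mirror the information-disclosure, misconfigured-service and reused-credential chain described in the text, and the single critical is placed on an internal host that leads nowhere, so that a severity-ranked list and a path-ranked list disagree.

```python
"""Path-finding over pen-test findings: connect lows and mediums into chains.

Each finding is modelled as an edge: exploiting it on `from_asset` lets an
attacker reach `to_asset`. A chain is a simple path from an externally
reachable asset to a crown-jewel asset. All data below is constructed.
"""


def severity_band(cvss):
    """CVSS v3.x qualitative bands (0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical)."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss >= 0.1:
        return "Low"
    return "None"


# Constructed sample report. Ids, asset names, titles and scores are hypothetical.
FINDINGS = [
    {"id": "F-01", "cvss": 3.1, "from_asset": "web-portal", "to_asset": "intranet-app",
     "title": "Error page discloses internal hostnames"},
    {"id": "F-02", "cvss": 5.4, "from_asset": "intranet-app", "to_asset": "jump-host",
     "title": "Admin interface exposes service-account configuration"},
    {"id": "F-03", "cvss": 4.9, "from_asset": "jump-host", "to_asset": "domain-controller",
     "title": "Service-account password reused for domain administration"},
    {"id": "F-04", "cvss": 9.8, "from_asset": "dev-wiki", "to_asset": "build-server",
     "title": "Outdated CMS with known remote code execution"},
    {"id": "F-05", "cvss": 2.0, "from_asset": "web-portal", "to_asset": "cdn-cache",
     "title": "Verbose caching headers"},
]
ENTRY_POINTS = {"web-portal"}                       # reachable from the public internet
CROWN_JEWELS = {"domain-controller", "customer-db"}  # loss of these ends the conversation


def ranked_by_severity(findings):
    """The view most reports give you: finding ids ordered by CVSS, highest first."""
    return [f["id"] for f in sorted(findings, key=lambda f: -f["cvss"])]


def find_chains(findings, entry_points, crown_jewels):
    """Depth-first enumeration of simple paths from any entry point to any crown jewel.

    Returns a list of chains, each a list of finding ids in traversal order.
    """
    by_asset = {}
    for f in findings:
        by_asset.setdefault(f["from_asset"], []).append(f)
    chains = []

    def walk(asset, path, visited):
        if asset in crown_jewels and path:
            chains.append(list(path))
            return
        for f in by_asset.get(asset, []):
            nxt = f["to_asset"]
            if nxt in visited:  # avoid cycles through assets already on the path
                continue
            path.append(f["id"])
            visited.add(nxt)
            walk(nxt, path, visited)
            path.pop()
            visited.discard(nxt)

    for entry in sorted(entry_points):
        walk(entry, [], {entry})
    return chains


def chain_summary(chain, findings):
    """Per-chain view: every score on the path, its band, and the worst single score."""
    by_id = {f["id"]: f for f in findings}
    scores = [by_id[i]["cvss"] for i in chain]
    return {
        "findings": list(chain),
        "scores": scores,
        "bands": [severity_band(s) for s in scores],
        "max_single_cvss": max(scores),
        "ends_at": by_id[chain[-1]]["to_asset"],
    }


if __name__ == "__main__":
    print("Ranked by severity:", ranked_by_severity(FINDINGS))
    for chain in find_chains(FINDINGS, ENTRY_POINTS, CROWN_JEWELS):
        s = chain_summary(chain, FINDINGS)
        print(f"Chain {' -> '.join(s['findings'])} reaches {s['ends_at']}; "
              f"scores {s['scores']} ({', '.join(s['bands'])}), "
              f"worst single score {s['max_single_cvss']}")
```

On the constructed data the severity ranking puts the 9.8 at the top, yet no chain from the internet passes through it; the only path to a crown jewel is made of a Low and two Mediums whose worst single score is 5.4. The "grants access to" edge is the piece a scanner will rarely give you; in practice it comes from the report's asset and network-segment context, which is why the questions below about whether findings were tied to specific assets matter so much.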

You will find at least one path that nobody scored, because no scoring system scores paths. That's the gap. Every finding on it was visible. The line connecting them was not. It's a 60-minute exercise, but it doesn't stay a one-time exercise — it changes how you read every report after it. Once you've watched a full compromise get assembled out of "acceptable" risk, you stop reading severity columns and start reading reachability. You ask "what does this unlock?" instead of "how bad is this alone?" That single shift is most of the difference between defending findings and defending your actual attack surface.

Block the hour this week. Ignore the criticals. Read the lows. Comment with what you find — I'm curious how many of you uncover a path that was sitting in plain sight the whole time.

Friday Follow-Up

The Path Nobody Scored

You've had the week. Let's talk about what actually happened when you sat down and tried it.

twenty minutes to start and two weeks to fully reckon with. What MondayMove couldn't tell you, until now, is what happened.

The gap between intent and outcome

Security and IT leaders are surrounded by frameworks, maturity models, and best practice guides. What they're short on is ground truth. What did this actually surface? How long did it take? What did I find that I wasn't expecting? What did my team push back on, and why? That's not a framework problem. That's a feedback loop problem. FridayFollowUp is the feedback loop. Each Friday, we publish a short report on the week's move: what practitioners found when they ran it, what surprised them, where the real friction was. Not sanitized case studies -- field notes. The kind of thing you'd hear if you could call ten peers who ran the same exercise this week and ask them what they found.

What it includes

Each FridayFollowUp is built around three questions:

  • _What did people find?_ A summary of what the MondayMove actually surfaced: common patterns, outliers, things that showed up more than expected.
  • _Where did it get hard?_ The spots where people got stuck, skipped a step, or found the action harder in practice than it sounded on Monday morning.
  • _What's worth doing next?_ One concrete follow-on: not a second move, just the natural next step for the people who completed this one and want to push further.

Why Friday

Monday is for starting. Friday is for reckoning. By Friday you've had four days with the move. Either you did it and learned something, or you didn't do it and learned something about that too. Either way, Friday is when the information is real. When the week's noise has settled and you can see clearly what actually moved. FridayFollowUp lands in your inbox Friday morning. It's short -- under five minutes. It's honest. And it's only useful if you took the Monday Move seriously enough to have something to compare against.

How to get it

FridayFollowUp is included with MondayMove. If you're already subscribed, you're already enrolled -- the first one arrives this Friday. If you're not subscribed, this is the reason to be. The moves are useful on their own. With the follow-up, they're a system.

> One action every Monday. One honest accounting every Friday. That's the loop.

Week 1 - You've had the week. So, let's talk about it.

Not a recap of what you were supposed to find. Not a hypothetical about what an attacker might do. Just an honest check-in on what actually happened when you sat down and tried it. Did you run the exercise? Here's what I want to know:

On getting started:

  • Did you actually block the hour, or did the week happen to it?
  • Was the hardest part ignoring the criticals, or was it something else entirely?
  • Did you do this alone or pull someone else in?

On what you found:

  • Did you find a chain? If so, how long did it take?
  • How many findings were in it, and what were their individual severity scores?
  • Did it lead somewhere that actually matters -- a crown jewel asset -- or did it dead-end?
  • Was the path a surprise, or somewhere in the back of your mind did you already half-know it was there?

On the data:

  • Was your scan report detailed enough to trace reachability, or did you hit a wall because the context just wasn't there?
  • Were findings tied to specific assets and network segments, or were they floating without enough environment context to connect them?

On the uncomfortable part:

  • Did you find something that should have had a ticket a long time ago?
  • Is there a finding on that chain that multiple reports have flagged, and nothing has moved on?
  • What's actually blocking remediation -- priority, ownership, resources, or something else?

On changing the habit:

  • After doing this once, does the way you read a scan report feel any different?
  • Would you run this exercise again in your next review cycle, or does it feel like a one-time thing?

Drop your answers in the comments -- sanitized, no need for specifics. What I care about is the shape of what you found, not the name of the system. And if you didn't get to it this week, that's worth saying too. What got in the way? The exercise only takes an hour, but that hour has to come from somewhere, and where it gets cut says something real about how security work is actually prioritized day to day.

> No correct answers here. This is practitioner-to-practitioner. The more honest the responses, the more useful this gets for everyone reading on Monday morning.

See you then.

1 comment

Tim Winter

I like the intent of looking across all levels of vulnerabilities and identifying the commonalities between them, especially in the wake of Mythos AI and the growing focus on how low-severity issues can be chained together to create high-impact outcomes. Attackers do not experience our environment as a severity table. They experience it as a graph. A low-severity issue may not matter much alone, but when chained with another low, a medium, a weak credential, and an exposed management interface, it can become a high-impact business scenario. Running through this exercise showed how many lower-severity findings were materially reduced or eliminated by remediating the higher-leverage issues. That is an important lesson: we are not only reducing vulnerabilities; we are breaking attack chains. On a related note, I continue to see tremendous value in having a third party perform penetration testing. The value is not just the report or the list of findings. It is the ability to take real scenarios from our own environment and use them with executives to show what is possible right now. That creates a much stronger risk conversation than hypothetical examples or vulnerability counts alone. It is often eye-opening because it connects technical issues to real-world business impact.