For ages, the industry has tried time and time again to improve its ability to defend by battening down the hatches. We have relied on playing vulnerability “whack-a-mole” and realized that even the most secured and patched system can be used in a full-scale attack. As a response, we have attempted to create better sparring partners to attack the environments and bring light to ways to sink the ship. While that approach has had limited success it still does not scale to the rapid deployment and expansion of today’s enterprise. Combined with the growing shortage of testing talent, this method will have to change in order to break through the barrier of testing debt. To do so, we must create an entirely new set of metrics, tests, procedures, implementations and repeatable process. It is extremely rare that a vulnerability causes a direct risk to an environment, it is usually what the attacker DOES with the access gained that matters. In this talk we will discuss the aging strategies of Penetration Testing and the evolution of value. No more scan based reports. No more waiting to finish the engagement before improvement begins. No more secrets. It is time we change the strategy to work as a team and end the engagement more secure than we started, EVERY TIME.