From legacy to cloud: How pen testing validates security
As legacy systems linger cloud-native platforms take over, hybrid IT has become the norm. This reality demands a dynamic, adaptable approach to security and penetration testing. Here’s why:
As organisations accelerate digital transformation, their infrastructure footprints have grown increasingly complex. Some environments remain tethered to ageing, on-premises systems, while others are racing ahead with modern SaaS, IaaS, and containerised applications.
The result? A sprawling, hybrid ecosystem where old assumptions about trust, access, and control no longer hold.
To secure this mixed terrain, and build resilience in the face of evolving threats, static strategies no longer cut it. Penetration testing must evolve.
So, whether it’s uncovering privilege escalation paths in outdated Active Directory environments or spotting misconfigured IAM roles in Microsoft 365 or AWS, modern pen testing is the best way to validate your security posture across all fronts, before attackers do.
Pen testing can be a great way to get visibility of the ‘unknown unknowns’ in your systems. We know what the common security issues are, and we’re passionately motivated to dig through systems to find the vulnerabilities.
Why pen testing still matters in cloud-first environments
Certainly, the move to cloud-first hasn’t made penetration testing obsolete. Instead, it’s just reshaped the battlefield.
Cloud-native environments are more likely to have solid security defaults, modern features like Single Sign-On (SSO), phishing-resistant Multi-Factor Authentication (MFA), and (ideally) good documentation. However, they also involve a vast array of services and highly granular roles, permissions, and privileges to manage.
The state of security in platforms like Microsoft 365, AWS, and Google Workspace/GCP evolves rapidly. What was considered best practice six months ago may already be outdated or deprecated. Meanwhile, defenders face a heavy workload managing secure configurations (due to the volume of apps and services) and mitigating identity risks (such as assigning appropriate permissions and preventing account compromise).
In the cloud-native space, it’s essential to apply phishing-resistant MFA to every account and manage admin privileges with extra care. Monitoring is equally important, as account compromise is a matter of when, not if. That’s why strict adherence to the principle of least privilege is critical. Otherwise, for example, adversaries could compromise a receptionist’s account and use it to access pen testing reports.
Modern penetration testing adapts to these realities. As the nature of cloud risk shifts from software flaws to misconfigurations and identity misuse, pen testing remains one of the few ways to truly validate your defences.
Rather than relying on automated scans alone, it mimics real-world attacks to uncover hidden risks, from misconfigured IAM roles to exploitable privileges. This hands-on approach offers actionable insights and a clear view of your true exposure.
Legacy systems: Testing for known vulnerabilities and patch gaps
When it comes to security, legacy infrastructure poses a very different challenge, one that many businesses still struggle to manage.
Legacy infrastructure often isn’t secure by default. It lacks modern security features and may have extensive information publicly available on how to exploit it. Much of it was built on the assumption that the corporate network was inherently secure, meaning any device inside that network could be trusted. If attackers got inside, it was game over.
Technologists need to understand the vulnerabilities of these legacy systems and, if decommissioning isn’t an option, ensure they’re isolated from the internet and the broader corporate network.
These systems are often out of support, unpatched, and built on outdated software stacks, making them prime targets for attack.
Penetration testing in legacy environments focuses on identifying:
- Unpatched vulnerabilities, often missed due to inconsistent or manual patch management.
- Outdated software, including unsupported operating systems and applications.
- Exposed services, such as open ports or legacy protocols that shouldn’t be publicly accessible.
- Weak network segmentation and authentication mechanisms, allowing lateral movement once inside.
Cloud environments: Testing configurations, permissions and identity
Penetration testing in cloud environments demands a different mindset. The goal isn’t to brute-force software flaws, it’s to think like an attacker with valid credentials and explore how far they can go.
A lot of cloud security issues stem from excessive permissions or poor separation of duties, says one of Interactive’s penetration testers. We look for ways to escalate privileges from one identity to another and test how far we can move laterally through the environment.
According to the Cloud Security Alliance, 43% of organisations have experienced at least one security incident caused by a SaaS misconfiguration. This figure highlights how configuration drift and excessive permissions can quietly open the door to attackers.
These identity risks are at the core of cloud-based penetration testing. A single over-permissioned account, often overlooked during setup, can unlock access to sensitive systems, customer data, or even pen test reports themselves. Slipstream Cyber’s team regularly tests for:
- Cloud misconfigurations
- IAM role weaknesses
- SaaS security control gaps
- Misapplied zero trust policies
Cloud-based infrastructure was designed from the start to be exposed to the horrors of the internet, the tester explains. It’s not about patching bugs; it’s about taking over legitimate accounts and abusing their access.
Region-based restrictions? Easily bypassed by sourcing an IP address from an allowed location. Outdated role assignments? A ticking time bomb. These are the subtle, but powerful risks that often go unnoticed, until someone tests for them.
The reality is that the only way to gain absolute certainty that your security protocols work is to experience a data breach. But that’s an outcome no organisation can afford to learn from. Penetration testing offers the closest thing to certainty without suffering a breach. We test against live environments, or ones that closely replicate production, and we exploit what we find. It’s definitive proof of vulnerability, not just theoretical risk.
Beyond identifying flaws, cloud pen testing also validates whether your security controls are actually working. In many cases, clients use a baseline test to identify gaps, spend months remediating, then engage Slipstream again to measure improvement and confirm the effectiveness of changes.
This process strengthens defences and builds confidence in cloud transformation initiatives. We’ve had clients discover how insecure their on-prem AD really was based on our reports. It pushed them to accelerate their move to Entra ID and modernise their environment.
Hybrid IT: Why one-size testing doesn’t work
In practice, most organisations are hybrid. Even companies that consider themselves cloud-native often have pockets of legacy infrastructure still in play. It could be an old file server, a dormant domain controller, or an unsupported third-party app.
This is where Slipstream’s flexible, adaptive approach stands out.
Slipstream tailors its testing techniques to suit each environment, whether it’s a legacy system buried deep in a physical data centre or a multi-cloud architecture spanning SaaS, IaaS, and container platforms. There’s no one-size-fits-all: every test is grounded in the reality of how that specific environment operates.
Penetration testing is about clarity. In a hybrid environment, it’s the best way to uncover the ‘unknown unknowns’ — things you didn’t realise were exposed or misconfigured.”
Because Slipstream’s testers work directly with production-like environments, they don’t just simulate threats, they prove them. That means business leaders and cyber teams can prioritise real issues, validate recent investments, and build a defensible roadmap with confidence.
Penetration testing is one of the most realistic ways to gain certainty about actual vulnerabilities in a digital system, short of being compromised in a real incident.
That’s because we test against live environments, either in production or (ideally) ones that closely replicate production conditions. We actively exploit the vulnerabilities we find, providing definitive proof of their existence. It’s a direct look at technical reality, where more theoretical security reviews often fall short.
It’s also a powerful tool for validating the effectiveness of security controls implemented as part of a broader cybersecurity program.
For example, after experiencing an incident, an organisation might establish an internal cybersecurity function. The head of cyber may commission a pen test to establish a baseline understanding of existing vulnerabilities. Following a remediation period and rollout of new controls, a follow-up pen test can then measure how effective those changes have been.”
Real-world example: Catching a critical misconfiguration before it was exploited
Slipstream Cyber recently worked with an organisation struggling with a fragmented hybrid estate: a mix of old on-prem systems and newer cloud workloads. During testing, the team uncovered severe vulnerabilities in the client’s on-prem Active Directory setup. These included insecure trust relationships, lateral movement paths, and weak authentication mechanisms.
But the real turning point came when testers discovered a cloud-based identity misconfiguration: an admin account in Microsoft 365 with excessive permissions and no MFA enabled. The account had been set up for a short-term integration project but had never been decommissioned. It was a ticking time bomb.
The report was a wake-up call. It helped the client accelerate their move to a pure cloud model with Entra ID, which they’d been delaying. The pen test helped trigger meaningful change.
This case highlights how penetration testing is about more than just bugs and identifying risks. It reveals structural weaknesses, both in legacy systems and modern identity-driven environments, and provides clear, actionable evidence. In the cloud, that often means uncovering over-permissioned accounts, poor session management, or stale access tokens that could be exploited for lateral movement.
Slipstream’s approach adapts to each environment, proving risks, not just theorising them, and helping clients make measurable security improvements across both legacy and cloud platforms.
The Slipstream Approach
At Slipstream Cyber, penetration testing is about delivering clarity, confidence, and real-world resilience, no matter where your infrastructure lives.
Our team adapts its methodology to suit your environment, whether that means assessing container vulnerabilities, uncovering identity risks in SaaS platforms, or exposing patch gaps in legacy systems.
Every engagement is customised to reflect the real-world conditions of your infrastructure, from physical data centres to SaaS-heavy, multi-cloud ecosystems.
We provide detailed findings, remediation advice. Most importantly, we unpack the “why” behind each issue, so your team can make informed decisions and act decisively.
Whether you’re managing cloud misconfigurations, dealing with legacy risk, or somewhere in between, penetration testing remains one of the most effective ways to reduce uncertainty and improve your overall cyber posture.
Ready to see what your environment is really made of?
Explore our penetration testing services or visit Slipstream Cyber for more insights.
