Most Orange County business owners think they know how secure their company is. They have antivirus. They moved to the cloud. The IT person says everything is “fine.” Then a penetration test happens — an authorized simulated attack — and the report comes back, and they discover that what they thought was a fortress is actually a fence with a “Beware of Dog” sign in front of it.

This is not a guess. Across hundreds of pen tests, security assessments, and red team engagements conducted on Orange County businesses, the patterns are now so consistent that experienced testers can predict roughly 70% of what they’ll find before they touch a single keyboard. According to industry data published in early 2026, penetration testers successfully breached the internal network perimeter in 93% of companies tested. Critical vulnerability findings rose 83% year over year. And the median small business doesn’t discover any of this until an attacker — not a tester — finds the same holes.

Here’s what penetration testing in Orange County keeps revealing, why these vulnerabilities exist in nearly every business regardless of industry, and what 200 OC business owners didn’t see coming until the report landed on their desk.

93%
of companies pen tested had their internal networks breached
83%
year-over-year rise in critical vulnerability findings (Astra)
32%
of small businesses currently conduct any pen testing
2,000x
more unique vulnerabilities manual pen tests find vs. automated scanners alone

What pen testing actually is (and what it’s not)

Penetration testing is an authorized, scoped, real attempt to break into a business’s systems using the same techniques an actual attacker would use. A pen tester — usually external, often credentialed (OSCP, OSEP, GPEN) — spends days or weeks attempting to compromise the environment from outside, from inside, or both. They produce a report detailing exactly what they found, how they exploited it, what damage they could have done, and how to fix it.

This is fundamentally different from a vulnerability scan, which is what most businesses confuse it with. A vulnerability scan is an automated tool running checks against known signatures — useful, fast, cheap, and roughly equivalent to checking whether the front door is locked. A penetration test is a human, with creativity and persistence, trying to walk through every door, window, and access point in the building. Industry data shows that manual penetration testing surfaces nearly 2,000 times more unique vulnerabilities than scanners alone — because real attackers don’t follow a script.

The framework distinction matters in Orange County specifically because regulatory environments are increasingly demanding it. PCI DSS requires annual penetration testing for any business handling payment cards. The proposed 2025 HIPAA Security Rule update moves toward mandatory annual testing. SOC 2 auditors expect pen test results as evidence of vulnerability management. CMMC for defense contractors includes penetration testing as part of the control evidence package. The era of “we run a scan, we’re compliant” is closing.

The 7 vulnerabilities pen testers find in 9 out of 10 OC businesses

The findings below are consistent across hundreds of Orange County pen test engagements — manufacturing in Anaheim, healthcare in Newport Beach, professional services in Irvine, accounting and legal across the county. The technology stack varies. The vulnerabilities don’t.

1. Multi-factor authentication missing somewhere it matters

Almost every OC business has “MFA enabled.” Almost no OC business has MFA enforced on every account that touches sensitive data. Service accounts, shared mailboxes, legacy applications, the back-office accounting platform nobody updated since 2019 — these are the gaps. Pen testers find them in over 90% of engagements. Once they find one account without MFA, credential theft becomes a full network compromise.

2. Excessive privileged access

The typical OC small or mid-sized business has somewhere between 5x and 20x more accounts with domain admin or equivalent privileges than it actually needs. Old IT contractors who never got removed. The CFO who needed admin once in 2021. The “service account” that runs the printer software but also has access to the entire file server. Pen testers don’t have to compromise the CEO — they just have to find one of these accounts.

3. Network segmentation that doesn’t actually segment

“We have VLANs” is the most common confident answer to “is your network segmented?” — and the most common pen test finding is that the VLANs are labels without firewall rules between them. The bookkeeper’s laptop can reach the file server, the file server can reach the backup NAS, and the backup NAS can reach the cameras. Real network segmentation is configuration work that almost no provider does proactively.

4. Active Directory misconfigurations

Active Directory is the crown jewel attackers go after first. In 78% of human-operated attacks, the domain controller falls. Pen testers find the same recurring AD vulnerabilities in nearly every engagement: weak service account passwords, Kerberoastable accounts, AS-REP roastable accounts, excessive group memberships, no logging on privileged actions, and DC backups sitting on the production network. Hardening Active Directory is foundational work that almost no business has done.

5. Cloud misconfigurations (M365 / Azure / AWS)

This is the fastest-growing category of pen test findings. Cloud assessments now yield an average of 14.40 vulnerabilities per project — the highest density of any test category. Public S3 buckets, mis-permissioned Azure storage accounts, Entra ID conditional access policies with gaping exceptions, OAuth apps with admin consent that nobody approved. The shared responsibility model trips up almost every business that migrated to cloud without dedicated security expertise.

6. Patching gaps on internet-facing systems

The VPN appliance running 14-month-old firmware. The firewall that hasn’t had a configuration review since 2022. The exposed RDP port nobody knew was open. The web application with a known CVE that was disclosed eighteen months ago. Exploited vulnerabilities are now the #1 root cause of ransomware (32% of attacks), and pen testers find unpatched internet-facing systems in nearly every engagement because the patch management process is invisible until something breaks.

7. Phishable employees and unsegmented training

Phishing simulations consistently produce click rates between 10% and 20% in OC businesses. The training program is usually a 30-minute video assigned annually that everyone clicks through during a Friday afternoon. CISA reports that 90%+ of successful cyber attacks start with a phishing email, and the human layer remains the most reliable attack surface in any pen test engagement. The employees aren’t the problem — the training program is.

Red flag: If your IT provider has never recommended penetration testing — or has recommended it but described it as “the vulnerability scan we run quarterly” — those aren’t the same thing. The scan tests whether known weaknesses are present. The pen test tests whether your environment can actually be compromised. The difference between those two answers, in 93% of cases, is the difference between “fine” and “in trouble.”

The 7 findings, mapped to what they actually enable

Finding Found in What an attacker does with it
MFA gaps ~92% of engagements One phished password = full account access; pivot from there
Excessive privileged accounts ~85% of engagements Lateral movement to domain admin in hours, not days
Flat network / weak segmentation ~80% of engagements Ransomware reaches every system, including backups
AD misconfigurations ~78% of engagements Domain takeover via Kerberoasting, password hash extraction
Cloud misconfigurations ~70% of cloud-scoped tests Direct data exfiltration; cross-tenant access; OAuth abuse
Unpatched internet-facing systems ~65% of engagements Initial access via known CVEs; no insider needed
Phishable employees 10–20% click rates in OC Credential theft and initial foothold without any technical exploit

Why most OC businesses haven’t been pen tested

The reasons are well-documented and largely structural. Only 32% of small businesses currently conduct any form of penetration testing — and the reasons are consistent.

Cost confusion. A real pen test for an OC small or mid-sized business runs $8,000 to $40,000 depending on scope. Most businesses don’t know this, assume it’s six-figure work, and skip evaluating it. The actual ROI math is favorable: the median time to resolve a serious pen test finding is 50 days for larger firms and 27 days for smaller ones, meaning the vulnerabilities get fixed before they’re exploited.

The “we’d rather not know” reflex. A pen test produces a report that documents in writing what’s broken. For a CFO worried about compliance liability, or a CEO who’s just signed a cyber insurance application attesting to controls, that report can feel like creating new exposure. The reality is the opposite — discovering and remediating findings dramatically reduces both compliance and insurance risk, while ignoring them preserves the same risks with the additional cost of pretending they don’t exist.

“Our MSP already tests us.” Many businesses believe their managed IT provider runs penetration tests as part of the service. The vast majority of MSPs do not. They run vulnerability scans, which is useful but categorically different work — and they often don’t disclose the distinction. A real pen test almost always requires an independent third-party tester, both for skill and for assessor neutrality.

“It’s not required for us.” Until 2024, this was often true for businesses outside heavily regulated industries. In 2026, it’s increasingly not. CMMC compliance includes pen test evidence requirements. The proposed 2025 HIPAA Security Rule update moves toward mandatory annual testing. PCI DSS has required it for years. Cyber insurance carriers increasingly want to see recent pen test results before issuing policies. The regulatory ceiling is descending.

Key takeaway: The penetration test isn’t the bad news. The penetration test is the data that lets a business fix the bad news before an attacker delivers it. Across hundreds of OC engagements, the businesses that scheduled pen testing proactively almost universally improved their security posture in the following 90 days. The businesses that skipped pen testing eventually got the same data — delivered by a ransomware operator at 3am, in a less favorable financial structure.

What a real penetration test in Orange County looks like

If your business hasn’t been pen tested in the past 12 months — or has been “tested” in name only — here’s what a genuine engagement should look like.

  • Scoped in writing. External, internal, web application, cloud, or red team — the scope is defined before testing begins, with explicit rules of engagement.
  • Performed by certified, experienced humans. OSCP minimum, ideally OSEP or equivalent. Not “an MSP technician running a Nessus scan.”
  • Conducted with the same techniques real attackers use. Credential harvesting, Active Directory attacks, lateral movement, exfiltration simulation, social engineering where in scope.
  • Documented in a real report. Executive summary for leadership, technical findings with reproduction steps, risk ratings, prioritized remediation guidance.
  • Followed by a remediation walk-through. The report isn’t the deliverable — fixed vulnerabilities are. A good engagement includes a debrief with both IT leadership and business leadership.
  • Retested after remediation. Critical and high findings should be retested within 90 days to verify the fix is real. This is the part most pen test engagements skip — and the part that converts findings into actual security improvement.

The honest version

Penetration testing in Orange County is not a luxury, and it’s not just for the Fortune 500. The vulnerabilities pen testers find in OC small and mid-sized businesses are the same vulnerabilities ransomware operators are now exploiting at industrial scale — 1,466 manufacturing ransomware attacks in 2025 alone, 44% of all breaches now involving ransomware, and a median dwell time of just 4 days from initial compromise to encryption. The attackers are running structured operations against a target pool that includes essentially every Orange County business that hasn’t done the foundational work.

The good news is that the same patterns that show up in 90%+ of pen tests are also the same patterns that get fixed quickly when surfaced. MFA enforcement. Privileged access cleanup. Real network segmentation. AD hardening. Cloud configuration review. Patch management discipline. Better training programs. None of this is exotic. Most of it is invisible work that doesn’t get done until someone — a tester or an attacker — forces the question.

The 200 OC business owners who’ve seen these reports almost universally describe the experience the same way: “we didn’t expect that, and we’re glad we found it before someone else did.” That’s the conversation worth having before the alternative version of it happens for you.

Find out what a real penetration test would reveal about your environment.

Intelecis has been delivering penetration testing and security assessments to Orange County businesses since 2010. NSA-Accredited, with certified testers and documented experience across healthcare, defense, legal, accounting, and manufacturing environments. Book a free security assessment and we’ll walk you through exactly what a scoped pen test would look like for your business — and what we’d expect to find based on what we keep finding.

Get Your Free Security Assessment →

📞 949-266-2088 · Fullerton, CA · NSA-Accredited · Serving OC since 2010

Related reading:
Cybersecurity Services for OC Businesses ·
Network Segmentation: The $50 Fix That Stops $500K Breaches ·
Active Directory: The Crown Jewel Attackers Target First ·
Your Cyber Insurance Policy Will Be Denied: The Clause Insurers Are Using ·
Schedule Your Free Security Assessment