How I Work with Applications, OT/IoT, and Physical Security When the Attack Surface Is Broad and the Demand for Realism Is High

When I think about penetration testing, I do not think only about servers and firewalls. Many of the most important risks are found in the parts closest to the actual business: applications, industrial environments, connected devices, and physical security.

This is also where I think a test must be both technically strong and practically grounded. If the attack surface is broad, the testing must be focused enough to produce clear results, but realistic enough to say something meaningful about the real world.

Application testing has to start from how the application is actually used

When I test an application, I do not want to look only for generic flaws. I want to understand how the application is used, which function it has in the business, which data it handles, and which flows are most critical. That applies whether it is a web application, client application, or mobile application.

For me, it is important to test things that truly matter: authentication, authorization, session handling, data flows, error handling, client-to-server logic, exposed APIs, and the kinds of weaknesses that could lead to access to sensitive information or unauthorized functionality.

A good application test must give the development team something useful to work with

For me, an application test is not fully successful if the result stays only within the security function. It must also be usable for those who will fix the problem. That is why I want the findings and recommendations to be written in a way that helps developers, system owners, and technical leads understand what needs to change.

OT and IoT environments require respect for the business

When it comes to OT and IoT environments, I think testing must be particularly thoughtful. These are not environments where you simply apply the exact same approach as in a normal office network. Here I pay special attention to segmentation, supplier connections, communication protocols, exposed interfaces, industrial components, and how well the environment tolerates active and passive testing within safe limits.

Physical security must not be forgotten

Physical security can easily be overlooked in digital security work, but it is often part of the real attack surface. If physical access can bypass other controls, that matters.

I see the whole attack surface as one context

I like to view applications, connected devices, industrial systems, and physical access as parts of the same broader picture rather than isolated areas.

I want the result to be practical, not only impressive

The customer should be left with something useful: a clearer understanding of risk, evidence of what matters, and recommendations that can actually improve the environment.

That is how I want to work with applications, OT/IoT, and physical security: realistically, carefully, and with a strong focus on what matters in practice.