“What can organizations do to make your job harder?” the National Cyber Security Centre (NCSC) asked a cohort of penetration testers it works with — and published the testers’ answers on July 1 as practical advice for defenders.
Secure-by-design: the pen testers’ primary demand
The pen testers told the NCSC that secure-by-design systems both raise the bar for attackers and make discovered vulnerabilities easier to remediate. The NCSC set out specific, concrete practices it defines as secure by design:
- Using threat modelling during the development process
- Mandating strong authentication (phishing-resistant multi-factor authentication) for privileged users, enabled by default so that it is opt-out rather than opt-in
- Changing default passwords in tools
- Validating input data as early as possible, and handling errors in a clear and secure way
- Securely storing credentials and avoiding hard-coded credentials in the software
- Protecting sensitive data at rest and in transit, if there’s a risk of unauthorized access
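The list above names practices, not code. As an added illustration (not from the article or the NCSC guidance), the following Python shows four of them in working form: a credential read from the environment instead of the source, input validated at the boundary with a clear error, a password stored as a salted verifier rather than in the clear, and a start-up refusal while a tool's factory default password is still in place. The environment variable name, hostname rule and default-password list are constructed for the example.

```python
"""Added example: secure-by-design basics in code.

Shows: no hard-coded credentials, early input validation with clear
errors, salted password verifiers, and a refusal to run on default
passwords. All names and values here are constructed for illustration.
"""
import hashlib
import hmac
import os
import re
import secrets

# Hypothetical service token: read from the environment (or a secret
# manager) at start-up. The token never appears in the code base.
def load_api_token(env=os.environ):
    token = env.get("SERVICE_API_TOKEN")
    if not token:
        raise RuntimeError("SERVICE_API_TOKEN is not set; refusing to start")
    return token


class ValidationError(ValueError):
    """Raised with a message that is safe to return to the caller."""


# Strict DNS-label pattern; validation happens before anything else
# (logging, lookups, command building) ever touches the value.
_HOSTNAME_RE = re.compile(
    r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*"
)

def validate_hostname(value):
    if not isinstance(value, str) or len(value) > 253:
        raise ValidationError("hostname must be a string of at most 253 characters")
    lowered = value.lower()
    if not _HOSTNAME_RE.fullmatch(lowered):
        raise ValidationError("hostname contains invalid characters")
    return lowered

def is_valid_hostname(value):
    try:
        validate_hostname(value)
        return True
    except ValidationError:
        return False


# Store a salted PBKDF2 verifier, never the password itself.
def hash_password(password, salt=None, iterations=600_000):
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}

def verify_password(password, record):
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, record["iterations"])
    # Constant-time comparison of the stored and recomputed verifiers.
    return hmac.compare_digest(digest.hex(), record["hash"])


# Constructed list of factory defaults a tool might ship with.
DEFAULT_PASSWORDS = ("admin", "password", "changeme")

def default_password_in_use(record):
    """True if the stored verifier matches a known default, so the caller
    can refuse to start until the default has been changed."""
    return any(verify_password(p, record) for p in DEFAULT_PASSWORDS)
```

The `iterations` parameter is exposed so that tests and low-power devices can lower it deliberately; production callers keep the default. `default_password_in_use` only works because the verifier is reproducible from the stored salt, which is the same property that lets an attacker with the database guess defaults, hence changing them matters more than hashing them.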
Segmentation and IT/OT separation: make lateral movement harder
“Pen testers also hate network segmentation,” the NCSC reported, and advised several practical approaches to achieve it: high-level network design, the use of VLANs or firewalls, and management of users or groups with separate accounts for different network areas. The NCSC explicitly recommended that “OT systems should be separated from IT networks, to prevent lateral movement and avoid loss of availability.”
The NCSC emphasised that segmentation is more than a simple split: “Segmentation is not just about separating IT from OT; it is about controlling what crosses that boundary. Cross-domain thinking helps define zones of trust and tightly manage data flows between them.” It also recommended standardised, hardened connectivity and the use of privileged access workstations (PAWs): “Secure OT connectivity should minimize exposed connections, standardize access routes, and harden boundaries, while privileged access workstations (PAWs) provide trusted devices for privileged administration, reducing shortcuts and making lateral movement harder.”
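"Zones of trust" with "tightly managed data flows between them" can be written down as a deny-by-default policy and checked mechanically. The Python below is an added example, not from the article or the NCSC: it maps addresses to constructed zones (IT users, a PAW network, an OT DMZ and OT control), holds an explicit allow-list of cross-zone flows, and evaluates candidate connections against it, so a reviewer can test whether a proposed firewall rule or a flow seen in logs is one the design permits. The address ranges, zone names and allowed flows are assumptions for the example.

```python
"""Added example: deny-by-default zone policy for an IT/OT boundary.

Zones, address ranges and the allow-list are constructed for
illustration; a real policy would come from the network design.
"""
import ipaddress

# Constructed zones of trust.
ZONES = {
    "it-users":   ipaddress.ip_network("10.1.0.0/16"),
    "paw":        ipaddress.ip_network("10.9.0.0/24"),   # privileged access workstations
    "ot-dmz":     ipaddress.ip_network("10.50.0.0/24"),  # historian / jump services
    "ot-control": ipaddress.ip_network("10.60.0.0/16"),  # PLCs and HMIs
}

# Explicit allow-list of cross-zone flows: (src zone, dst zone, proto, port).
# Anything that crosses a zone boundary and is not listed here is denied.
ALLOWED_FLOWS = {
    ("it-users", "ot-dmz", "tcp", 443),    # read-only historian web UI
    ("paw", "ot-dmz", "tcp", 22),          # administration only from a PAW, via the DMZ jump host
    ("ot-dmz", "ot-control", "tcp", 502),  # historian polls PLCs over Modbus/TCP
}

def zone_of(ip):
    """Return the zone name containing ip, or None if it is outside all zones."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def evaluate(src_ip, dst_ip, proto, port):
    """Decide one flow. Returns (verdict, reason)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return ("deny", "endpoint outside every defined zone")
    if src == dst:
        # Segmentation controls the boundary; intra-zone traffic is left
        # to host firewalls and is out of scope for this policy.
        return ("allow", f"intra-zone ({src})")
    key = (src, dst, proto.lower(), int(port))
    if key in ALLOWED_FLOWS:
        return ("allow", f"{src}->{dst} {proto}/{port} on allow-list")
    return ("deny", f"{src}->{dst} {proto}/{port} not on allow-list")

def audit_rules(rules):
    """Check proposed 'accept' firewall rules (constructed dict format:
    src, dst, proto, port) and return those the zone policy would not allow.
    Each rule's networks are resolved to zones by their first address."""
    violations = []
    for rule in rules:
        src = ipaddress.ip_network(rule["src"]).network_address
        dst = ipaddress.ip_network(rule["dst"]).network_address
        verdict, reason = evaluate(str(src), str(dst), rule["proto"], rule["port"])
        if verdict == "deny":
            violations.append({"rule": rule, "reason": reason})
    return violations
```

Run against a rule such as `{"src": "10.1.0.0/16", "dst": "10.60.0.0/16", "proto": "tcp", "port": 502}`, `audit_rules` reports it: an IT user network talking Modbus/TCP straight to the control zone bypasses the DMZ the design relies on. The same evaluator can be pointed at observed flows from firewall logs to find traffic that crosses the boundary outside the design.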
Credentials, defaults and privileged accounts
Several of the NCSC’s recommendations focus on credentials and privileged access hygiene. Beyond mandating phishing-resistant multi-factor authentication for privileged users, the guidance calls for changing default passwords in tools, avoiding hard-coded credentials in software, and securely storing credentials. These measures aim to close straightforward avenues attackers and pen testers commonly exploit.
Logging, monitoring and exercising incident response
The NCSC closed with a blunt reminder about detection and response: “We can’t stress enough that even the best logging and monitoring capability is useless unless an organization collects the right data, and responds to that data in the right way.” The centre urged defenders to ensure alerts are properly investigated and to build incident response plans that are “regularly communicated, and exercised with your teams.” Good logging and monitoring, coupled with practiced response, make both a pen tester’s — and therefore a malicious hacker’s — job harder.
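"Collecting the right data and responding to it in the right way" is concrete enough to demonstrate. The Python below is an added example, not from the article or the NCSC: it parses a handful of constructed authentication events, applies two rules that follow directly from the guidance (a privileged login without phishing-resistant MFA, and repeated failures against an account from one source), treats a line it cannot parse as an alert rather than dropping it, and tracks which alerts have actually been acknowledged. The event format, field names and thresholds are assumptions for the example.

```python
"""Added example: turning authentication logs into alerts that get followed up.

The log lines, field names and thresholds are constructed for illustration.
"""
import json

# Constructed sample: one JSON event per line, as a collector might deliver them.
SAMPLE_LOG = """\
{"ts":"2025-07-01T08:02:11Z","event":"login","user":"alice","privileged":false,"mfa":"fido2","src":"10.1.4.22","result":"success"}
{"ts":"2025-07-01T08:05:40Z","event":"login","user":"svc-backup","privileged":true,"mfa":"none","src":"10.1.9.8","result":"success"}
{"ts":"2025-07-01T08:06:02Z","event":"login","user":"admin","privileged":true,"mfa":"none","src":"203.0.113.7","result":"failure"}
{"ts":"2025-07-01T08:06:03Z","event":"login","user":"admin","privileged":true,"mfa":"none","src":"203.0.113.7","result":"failure"}
{"ts":"2025-07-01T08:06:04Z","event":"login","user":"admin","privileged":true,"mfa":"none","src":"203.0.113.7","result":"failure"}
{"ts":"2025-07-01T08:07:30Z","event":"login","user":"bob","privileged":true,"mfa":"fido2","src":"10.1.4.30","result":"success"}
"""

# Methods counted as phishing-resistant for the example.
PHISHING_RESISTANT = {"fido2", "webauthn", "piv"}
FAILURE_THRESHOLD = 3

def parse_events(text):
    """Parse one JSON event per line. A line that does not parse becomes a
    parse_error event: silently dropping it is how monitoring gaps appear."""
    events = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            events.append({"event": "parse_error", "line_no": line_no, "raw": line})
    return events

def detect(events):
    """Apply the detection rules and return alerts in the order they fire."""
    alerts = []
    failures = {}  # (user, src) -> consecutive failure count
    for ev in events:
        kind = ev.get("event")
        if kind == "parse_error":
            alerts.append({"id": len(alerts) + 1, "rule": "unparseable_log",
                           "line_no": ev["line_no"]})
            continue
        if kind != "login":
            continue
        user, src = ev.get("user"), ev.get("src")
        if ev.get("result") == "success":
            failures.pop((user, src), None)
            if ev.get("privileged") and ev.get("mfa") not in PHISHING_RESISTANT:
                alerts.append({"id": len(alerts) + 1,
                               "rule": "privileged_login_without_phishing_resistant_mfa",
                               "user": user, "src": src, "ts": ev.get("ts")})
        elif ev.get("result") == "failure":
            key = (user, src)
            failures[key] = failures.get(key, 0) + 1
            if failures[key] == FAILURE_THRESHOLD:
                alerts.append({"id": len(alerts) + 1, "rule": "repeated_login_failures",
                               "user": user, "src": src, "count": failures[key],
                               "ts": ev.get("ts")})
    return alerts

def run_pipeline(text):
    return detect(parse_events(text))

def unacknowledged(alerts, acknowledged_ids):
    """Alerts nobody has picked up. An empty result is the condition the
    guidance describes: every alert investigated, not merely raised."""
    return [a for a in alerts if a["id"] not in set(acknowledged_ids)]
```

On the sample, two alerts fire: the `svc-backup` privileged login with no MFA, and the third failed `admin` attempt from `203.0.113.7`. The `unacknowledged` check is the part most pipelines lack; it is what turns a detection capability into a response one.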
What this means for security teams, OT managers, and adversaries
- Security teams: Implement threat modelling, adopt phishing-resistant multi-factor authentication for privileged users, change default credentials in tools, and ensure credential storage avoids hard-coding — then validate those controls with logging and tabletop exercises, the NCSC advises.
- OT managers: Separate OT from IT, minimise exposed connections, standardise access routes and harden boundaries; consider privileged access workstations to reduce risky administration shortcuts that enable lateral movement.
- Adversaries and pen testers: The measures described — segmentation, secure-by-design controls, hardened credential management, robust logging and exercised incident plans — are precisely the obstacles the testers said make their work harder.
The NCSC’s consultation with penetration testers converges on a familiar but precise point: make systems harder to attack through design, limit what can move across network boundaries, and be ready to detect and act when something goes wrong. Those are operational prescriptions with immediate implementation steps — and, the centre concludes, they are only effective if organisations collect the right data and follow up on it.