Penetration Testing for SMBs: Insights from a Former Criminal Investigator

Penetration testing for small businesses - Corsica Technologies

In the world of cybersecurity, the best defense is a proactive offense. But what does that look like in practice, especially for small and medium-sized businesses? We recently sat down with Valentina Flores, co-founder of Red Sentry and a former criminal investigator, to pull back the curtain on penetration testing services and why they matter more than ever for SMBs. 

Valentina’s journey from chasing criminals through dark alleys to tracking them through firewalls gives her a unique perspective on the attacker’s mindset. In a recent episode of the Unraveling IT podcast, she shared why so many small businesses get security wrong and what leaders can do about it. 

In this article:

  • AI-empowered hackers are targeting SMBs at scale rather than focusing on a small number of enterprises.
  • Even the best internal IT teams aren’t equipped to conduct unbiased penetration testing.
  • Perfect security is unattainable, but SMBs should focus on the next step in becoming more secure.

The shift in hacker strategy: Why SMBs are the new enterprise target 

One of the most persistent myths in cybersecurity is that hackers only go after the big fish. But as Valentina explains, that’s a dangerously outdated assumption. The modern cybercriminal is an efficiency expert, and small to medium-sized businesses are often the most efficient targets.


“People still think that hackers are only going after these huge enterprises, but what hackers realized is instead of spending a year breaking into a Fortune ten, they can, in five minutes, break into three hundred law firms with the exact same technology stack.”

–Valentina Flores, Co-Founder, Red Sentry


This shift is driven by automation and scalability. For an attacker, it’s a simple numbers game. Why spend months on a single, highly-defended corporation when you can penetrate hundreds of less-secure SMBs in a fraction of the time? Yet, many business owners remain in denial. 

“SMB owners still have this mindset, like, why would they hack me?” Valentina notes. It’s a question that often gets answered only after a breach occurs. As she puts it, “You never think it’s gonna be you until it is.” 

What are penetration testing services? Understanding offensive security 

Red Sentry’s tagline is “Hack before the hackers do,” a philosophy rooted in the concept of offensive cybersecurity. While defensive security involves building walls—firewalls, endpoint protection, access controls—offensive security is about testing those walls to see if they actually hold up under real-world attack conditions. 

“What we do is we simulate real world attacks. We have a team of hackers. The only difference is, we have permission to hack in a much different intent. We hack into companies and show exactly where all the vulnerabilities are so that they can fix those vulnerabilities before a malicious attacker finds them.” 

Penetration testing services move security from theory to reality. A client once told Valentina that “security that’s not tested is not security at all”—a sentiment she wholeheartedly agrees with. Without independent vulnerability assessment and ethical hacking, a company’s security posture is purely theoretical. 

“No company is unhackable. There’s always room for improvement,” she emphasizes. Whether working with an SMB conducting their first security audit or a mature enterprise with a dedicated security team, every organization benefits from having their defenses challenged by professionals who think like attackers. 

The penetration testing process: From scoping to your security roadmap 

So, what does a real-world penetration test involve? It’s not a chaotic free-for-all. Professional penetration testing services follow a structured engagement that begins with a critical but often overlooked step: scoping. 

“We always start with scoping,” Valentina explains, “and scoping is really figuring out not just what we’re gonna test, but the goal of the engagement.” 

The scope varies dramatically depending on the organization’s maturity and objectives. An SMB pursuing SOC 2 compliance needs a different approach than an enterprise running a red team exercise. Some engagements focus on specific targets like web applications or cloud infrastructure, while others give ethical hackers broad latitude to find any vulnerability they can. 

Once the rules of engagement are established, the security testing begins. Penetration testers look for entry points, attempt to move laterally through systems, and document what sensitive data or systems they can access. “We’re basically going in and seeing what we can do once we’re inside,” she says. 

The findings are then compiled into a prioritized report that serves as a security roadmap. “When we hand that back over to that company, they know, alright, I have XYZ to do, but I need to start here. This is the highest priority, and then we’ll kinda build out our security road map.” 

Real-world breach lessons: When the obvious gets overlooked 

Valentina shared a compelling example that illustrates why third-party penetration testing services are so valuable for small businesses. A law firm had invested heavily in securing their client files, implementing robust access controls and encryption. The penetration testers couldn’t break in through the front door. 

But they found another way in. 

“They had forgotten that the camera in the conference room still had admin admin as the password. So we were able to get into the conference room cameras, which gave us full access to their client data.” 

This scenario perfectly captures a fundamental truth about cybersecurity: you can’t test your own systems in an unbiased manner. Internal teams develop blind spots. They know what they’ve secured, but they may not think about the IoT devices, legacy systems, or forgotten access points that ethical hackers—and unethical hackers—specifically look for. 

“I think it’s just what you forget about,” Valentina reflects. “You think you’re securing one thing, but this other thing is wide open.” 
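The conference-room camera was missed because it sat outside what the firm thought of as "the system," not because its protection was subtle. As an added illustration (not code from Red Sentry or the original article), the audit below walks a constructed asset inventory and flags devices that fall outside a pen test scope and still carry factory credentials or have not been reviewed in a year; the asset names, dates and scope are hypothetical.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    name: str            # hostname or friendly device name
    kind: str            # "server", "webapp", "iot", ...
    default_creds: bool  # still on the vendor's factory username/password?
    last_reviewed: date  # last time credentials and config were checked


# Constructed sample inventory for a small law firm (hypothetical names).
INVENTORY = [
    Asset("dms.example.internal", "server", False, date(2024, 9, 1)),
    Asset("client-portal", "webapp", False, date(2024, 8, 15)),
    Asset("conf-room-camera", "iot", True, date(2022, 1, 10)),
    Asset("lobby-printer", "iot", False, date(2021, 6, 30)),
]

# What the engagement was scoped to cover (hypothetical): the "front door" only.
SCOPE = {"dms.example.internal", "client-portal"}


def find_blind_spots(inventory, scope, today, max_age_days=365):
    """Return (asset, reason) pairs for assets outside the test scope that
    still use default credentials or have not been reviewed within
    max_age_days. Default-credential findings are listed first, so the
    output reads as a prioritized to-do list rather than a flat dump."""
    findings = []
    for asset in inventory:
        if asset.name in scope:
            continue  # in scope: the testers will exercise it directly
        stale = (today - asset.last_reviewed).days > max_age_days
        if asset.default_creds:
            findings.append((asset.name, "default credentials"))
        elif stale:
            findings.append((asset.name, "not reviewed"))
    findings.sort(key=lambda f: 0 if f[1] == "default credentials" else 1)
    return findings


if __name__ == "__main__":
    for name, reason in find_blind_spots(INVENTORY, SCOPE, date(2024, 10, 1)):
        print(f"OUT OF SCOPE: {name} ({reason})")
```

Anything this reports is a candidate either to pull into the next engagement's scope or to fix before the testers even arrive.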

The AI dilemma: A tool for both ethical hackers and cybercriminals 

No conversation about penetration testing is complete without discussing artificial intelligence. AI is a powerful force multiplier in cybersecurity, but it’s available to everyone—including the attackers. That’s especially critical for small businesses, as AI allows attackers to scale up their efforts to hit a wide number of companies. 

Valentina believes that while AI enhances security testing, it can’t yet replace the creativity and logic of human ethical hackers. “AI has not come far enough to fully mimic a pen test,” she states. “We still do human-led pen testing, but we are using automation to streamline the things that don’t need humans.” 

However, she warns that small businesses are inadvertently creating new vulnerabilities by implementing AI without proper safeguards. Chatbots integrated into websites and applications can be manipulated to reveal sensitive information. “Every time we do a web application now or even like a website, you know, your normal website, there’s a chatbot,” she explains. “We can use that to ask it questions, and it’ll tell us more about you than you want it to.” 

Her advice for small businesses adopting AI is straightforward and critical: 

“As you’re implementing AI, AI is incredible. It’s wonderful. I’m really excited to see where it goes. Just do it intentionally. Why are you putting this in? What does it actually need access to? We talk about the principle of least privilege. Like, only give this to people that need access to it, and you should treat AI the exact same way.” 

On the flip side, AI has also changed the threat landscape for defenders. Phishing attacks that were once easy to spot—riddled with spelling errors and poor grammar—are now perfectly crafted. “We’re seeing that even non-native English speakers can leverage AI-assisted tools to write perfectly convincing phishing emails,” Valentina notes. 

The result? Both attackers and defenders are in an AI arms race. “The hackers are always gonna be ahead of us, you know, slightly,” she admits. But that doesn’t mean small businesses are helpless. It means they need to be more intentional, more proactive, and more willing to test their defenses through professional penetration testing services. 

Beyond technology: Building a security culture through leadership and diversity 

Ultimately, tools and penetration testing services are only part of the solution. Real, lasting security is built on a foundation of culture, and that culture must be driven by leadership. 

Valentina is passionate about the role of cognitive diversity in building effective security teams. “Hackers exploit blind spots,” she says. “And the more diverse your team is, the fewer blind spots you have.” 

Her own leadership team exemplifies this principle, including an engineer, a former teacher, and a Marine veteran. “Everyone sees risks differently,” she explains. While this diversity can lead to vigorous debates, it also ensures that security decisions are examined from multiple angles. “Being able to capture that three sixty from all those different angles is so valuable as a leader.”

This diversity of thought extends beyond the security team. Valentina emphasizes that cybersecurity isn’t just an IT problem—it’s a leadership conversation that needs to happen across the entire organization. During Cybersecurity Awareness Month, she argues, the focus shouldn’t just be on awareness. “We’re all aware that getting hacked is bad,” she points out. “The problem is not enough companies take that and create action plans from it or get traction. So maybe we should call it cybersecurity traction month.” 

Taking the first step: Practical advice for business leaders 

For business leaders wondering where to start, Valentina offers concrete, actionable advice. The first step isn’t necessarily investing in expensive tools or hiring a full security team. It’s about having the conversation and understanding your current state. 

“Download a free template for an incident response plan,” she suggests. “And just have that initial meeting with your leaders and figure out what those gaps are and just list them out.” 

She also shared a memorable analogy that reframes how businesses should think about cybersecurity: “I love the phrase, you don’t have to outrun the bear. You just have to outrun the person next to you. And that’s really what cybersecurity is.” 

The goal isn’t to become unhackable—that’s impossible. The goal is to make your organization a harder target than the alternatives. “You don’t have to be better than the hackers because you’re not gonna be,” she says. “But every little step you take leads them to go somewhere else.” 

For many organizations, especially SMBs, that first step might be a focused penetration test on a specific system or application. “You don’t have to do this all at once,” Valentina reassures. “What’s the most important piece that we need to start with? And that’s where we start.” 

The bottom line: Security testing is no longer optional 

The landscape has changed. Hackers aren’t just targeting enterprises anymore—they’re going after SMBs with the same sophisticated tools and techniques, but at scale. Penetration testing services have evolved from a nice-to-have for large corporations to a critical component of any business’s security strategy. 

As Valentina’s journey from law enforcement to ethical hacking demonstrates, understanding the attacker’s mindset is essential to building effective defenses. And the only way to truly know if those defenses work is to test them before the bad guys do. 

Whether you’re pursuing compliance, responding to a board’s security concerns, or simply trying to protect your customers and your business, the message is clear: security that’s not tested is not security at all. 

Garrett Wiesenberg
With over a decade of experience in IT, Garrett Wiesenberg brings deep technical expertise and a strong commitment to strategic problem-solving. For the past four years, he has focused on architecting and delivering advanced solutions for managed clients, consistently aligning technology with business outcomes. Garrett’s career has spanned a variety of roles—from service desk technician to senior network engineer—and now, as Vice President of Solution Consulting, he leads with a hands-on, business-focused approach. He holds several industry-recognized certifications, including CCNA Route & Switch, CCNA Security, CCNA Wireless, MCSA: Server 2012 R2, MCSA: O365 Administration, NSE 1–3, and CMNA.
