
Offensive Security Basics — Trivia & Interesting Facts

Surprising, historical, and little-known facts about offensive security.


The term "penetration testing" dates back to 1967

The idea of deliberately trying to break into computer systems was first formalized by RAND Corporation researchers in 1967, who used "penetration" to describe unauthorized access to multi-user time-sharing systems. By 1971 James P. Anderson, working for the U.S. Air Force, had written the first formal methodology for penetration testing of government computers.


The Morris Worm was written by the son of an NSA chief scientist

Robert Tappan Morris released the first major Internet worm on November 2, 1988. His father, Robert Morris Sr., was chief scientist at the NSA's National Computer Security Center. The worm infected roughly 6,000 machines, about 10% of the Internet at the time; the U.S. General Accounting Office put the cost of the cleanup at between $100,000 and $10 million.


Metasploit started as a portable network tool in 2003

HD Moore began Metasploit in 2003 as a portable network tool written in Perl. By 2007 it had been completely rewritten in Ruby and contained hundreds of exploits. Rapid7 acquired the project in 2009, and it became the de facto standard penetration testing framework, with over 2,300 exploit modules in its database by the mid-2020s.


The highest publicly posted zero-day bounty is $2.5 million

Zerodium, a zero-day acquisition firm, has publicly offered up to $2.5 million for a full-chain, zero-click exploit for Android devices. Governments and intelligence agencies are believed to pay even more on the gray market, where prices are not published. A single iPhone zero-click exploit chain has reportedly sold for over $2 million.


Kevin Mitnick was imprisoned for 5 years and banned from touching a computer

Kevin Mitnick, arguably the most famous hacker in history, was arrested in 1995 after a 2.5-year manhunt. He served 5 years in federal prison, 8 months of which were in solitary confinement because a judge was convinced he could launch nuclear missiles by whistling into a payphone. After release, he was banned from using any communication technology for 3 years.


SQL injection was first publicly described in a Phrack magazine article in 1998

Rain Forest Puppy (Jeff Forristal) published "NT Web Technology Vulnerabilities" in Phrack Magazine issue 54 in December 1998, describing what would become known as SQL injection. The root cause he described has not changed: untrusted input spliced into a query string is parsed by the database as SQL, so a quote character in the input can end the intended string and start new syntax. Despite being understood for over 25 years, SQL injection remained in the OWASP Top 10 continuously through the 2021 edition.


The Pwn2Own contest pays hackers over $1 million per event

Started in 2007 at the CanSecWest security conference, Pwn2Own has grown from offering a single laptop as a prize to awarding over $1 million per event. In 2023, contestants earned a combined $1.035 million in two days. The contest name comes from the original rule: if you "pwn" (hack) the device, you "own" (keep) it.


Social engineering attacks succeed over 90% of the time in controlled tests

Reports from organizations such as the SANS Institute and Positive Technologies have put the success rate of social engineering (phishing, pretexting, tailgating) at over 90% of the penetration tests in which it is attempted, where "success" means at least one target in the engagement fell for it. Per-recipient rates are far lower but still decisive: in one widely cited 2019 study, 30% of phishing emails were opened and 12% of recipients clicked the malicious link, which is more than enough for an attacker who needs only one foothold.


The CIA triad was formalized in National Bureau of Standards work of the late 1970s

The Confidentiality, Integrity, Availability triad, the foundation of most security thinking, traces back to the National Bureau of Standards (renamed NIST in 1988) and its computer security publications of the late 1970s. The acronym "CIA" itself became common in academic literature during the 1980s. Offensive security assessments conventionally map each finding back to a violation of one or more of these three properties.


Buffer overflows were described as a security problem in 1972 but exploited routinely until the 2000s

The Computer Security Technology Planning Study, published by the U.S. Air Force in 1972 and written by James P. Anderson, explicitly described writing past the end of a fixed-size buffer as a security threat. Despite being a known problem for over 30 years, buffer overflows remained the dominant vulnerability class through the early 2000s, until stack canaries (StackGuard in 1998, ProPolice and GCC's -fstack-protector in the early 2000s), DEP/NX (Windows XP SP2 in 2004) and ASLR (Linux 2.6 in 2005, Windows Vista in 2007) became widely deployed.
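The 1972 problem and the late-1990s mitigation in one runnable model. This is an added example for this page, not code from the Anderson report or from any project. It uses Python's standard-library ctypes to lay out a 16-byte buffer directly in front of a 4-byte word that stands in for the saved return address, which is exactly where a stack canary sits; the frame layout, the canary value and the function names are this example's own assumptions, and the copy is kept inside the frame object so the program stays well-defined.

```python
"""Added example: an unchecked copy into a fixed buffer overwrites whatever is
laid out after it, and a canary word in that position detects the overwrite.
Modelled with a ctypes Structure standing in for a stack frame (an assumption
of this example), so nothing here touches the real Python stack."""
import ctypes

BUF_SIZE = 16
CANARY = 0xDEADC0DE  # a real stack protector picks this at random per process


class Frame(ctypes.Structure):
    """16-byte local buffer followed by the word an attacker wants to control
    (saved return address); a canary occupies the same spot in real frames."""
    _fields_ = [("buf", ctypes.c_char * BUF_SIZE),
                ("canary", ctypes.c_uint32)]


def copy_unchecked(frame: Frame, data: bytes) -> bool:
    """The 1972 bug: bound the copy by the source length, not the destination.
    memmove into the start of the frame models strcpy() into `buf`; the copy is
    clamped to the frame size only so the model itself stays in bounds."""
    n = min(len(data), ctypes.sizeof(frame))
    ctypes.memmove(ctypes.addressof(frame), data, n)
    return True  # accepts anything


def copy_checked(frame: Frame, data: bytes) -> bool:
    """Hardened: bound by destination size, reject what does not fit, and keep
    one byte free for a NUL terminator."""
    if len(data) >= BUF_SIZE:
        return False
    frame.buf = data
    return True


def run(copy_fn, data: bytes) -> tuple:
    """Copies `data` into a fresh frame; returns (accepted, canary_intact)."""
    frame = Frame(canary=CANARY)
    accepted = copy_fn(frame, data)
    return accepted, frame.canary == CANARY


def attacker_word(data: bytes) -> int:
    """What the 'return address' slot holds after an unchecked copy of `data`."""
    frame = Frame(canary=CANARY)
    copy_unchecked(frame, data)
    return frame.canary


if __name__ == "__main__":
    # Constructed inputs: one that fits and one 4 bytes too long for the buffer.
    for data in (b"A" * 8, b"A" * 20):
        print(f"{len(data):2d} bytes unchecked -> (accepted, canary intact) = "
              f"{run(copy_unchecked, data)}")
        print(f"{len(data):2d} bytes checked   -> (accepted, canary intact) = "
              f"{run(copy_checked, data)}")
    print(f"slot after 20 x 'A': {attacker_word(b'A' * 20):#010x}")
```

With 20 bytes of 'A' the unchecked copy leaves the slot holding 0x41414141, the textbook symptom of a stack overflow in a debugger; the canary check catches it because the value no longer matches. The checked copy refuses the input before any byte lands past `buf`, which is the fix the mitigations only approximate.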


Red team exercises originated in Cold War military planning

The concept of "red teaming", having a dedicated group play the adversary, comes from U.S. military exercises during the Cold War, where the "Red Team" simulated Soviet forces. Cybersecurity adopted the practice in the late 1990s, and by the 2010s many large enterprises had formal red team programs that emulate specific adversaries rather than simply hunting for vulnerabilities.