30 years at the frontline of cyber security

“Cybersecurity is not a destination; it is a moving target, and for three decades we have embraced that challenge.”
Stephen Dean, Principal Security Consultant, QinetiQ
 
Ethical hacking

Thirty years ago this month, a team at DERA (QinetiQ’s predecessor) carried out some of the very first penetration testing. 

Known as pen testing (or ethical hacking), it’s a simulated cyberattack conducted by experts to identify security vulnerabilities in networks, applications and infrastructure. By mimicking real-world attackers, it helps organisations find and fix vulnerabilities before they can be exploited.

Today, it’s a cornerstone of organisational resilience, but thirty years ago ‘cyber security’ wasn’t the boardroom priority it is now.

The internet was in its infancy, firewalls were new and penetration testing was driven more by curiosity than compliance. 

 

The early days: Curiosity, craft and command lines

In the mid-1990s, penetration testing involved dial-up modems, physical access attempts and manually crafted exploits. Reporting was lean, tooling was minimal and every test required deep technical intuition.

“Back then, there were no established certifications, limited frameworks and little regulatory pressure. But the lessons we learnt in those early days have helped shape methodologies that are now industry standards.”
Stephen Dean, Principal Security Consultant, QinetiQ

Our expertise helped companies to realise that often the simplest misconfigurations caused the biggest breaches and that trust, once broken, is costly to rebuild. Over time, with our input, penetration testing has matured into a regulated and structured profession.

 

The modern landscape: Cloud-based, ransomware and AI

The emergence of cloud-first infrastructure, ransomware, supply chain attacks and AI-assisted attack techniques means that penetration testing is no longer a once-a-year event. It is continuous, intelligence-led and aligned with threat modelling.

As our customers have moved from reactive security to proactive resilience, we’ve evolved to offer red teaming, purple teaming, cloud security assessments and adversary simulation to help keep pace with the relentless and unprecedented risks organisations face.

Every year, our experts carry out hundreds of penetration tests across every major industry sector, putting QinetiQ at the heart of countering emerging threats.

Our teams play an active role in:

  • Supporting critical national infrastructure organisations across the UK
  • Helping financial institutions strengthen defences against increasingly sophisticated threats
  • Contributing to vulnerability research and responsible disclosure initiatives
  • Mentoring and training the next generation of UK penetration testers

 

Future trends

The pace of change shows no sign of slowing down. As well as helping our customers protect themselves against risks, we’re also looking at what the future threats could be.

 

Adversaries at machine speed

With attackers using AI to accelerate reconnaissance, vulnerability discovery and exploitation, penetration testing will have to match this pace, combining human expertise with AI to uncover complex attack paths faster.

 

Human expertise remains critical

Despite automation, human creativity and critical thinking remain essential. The most valuable insights come from experienced professionals who can identify non-linear attack paths and think strategically.

 

Rise of threat-led testing

Organisations are moving toward intelligence-driven testing that simulates real-world attackers. Threat-led and red team exercises are becoming standard practice, reflecting sector-specific threats and adversary behaviour.

If you’d like to find out more about how QinetiQ’s team of experts can help your organisation, get in touch.

26/05/2026