In Episode 11 of Hack Dissection, Mike Lisi and Graham O’Donnell reunite in person after a brutal Q4 to break down what they’re seeing across penetration testing, external assessments, web apps, and internal networks heading into 2026.

The conversation dives into why Q4 is always chaos in cybersecurity, how compliance deadlines shape client behavior, and why traditional external pen tests may be giving way to continuous monitoring and more practical security validation. Mike and Graham also unpack the real-world tradeoffs of scoping engagements, why collaboration with clients leads to better results, and the common misconceptions organizations still have about realism, downtime, and what offensive testing is actually meant to prove.

Along the way, they share stories from the field — including strange external exposures, recur ...