Know your opponent and know yourself. It held true for Sun Tzu 2500 years ago, and it holds true for pen testers today. A pen tester who has worked in sec ops role has a distinct advantage, especially if that pen tester has a solid grasp of the good, the bad, and the ugly of identity and access management (IAM) in an enterprise setting. For red teams, this presentation will cover pen testing tips and tricks to circumvent weak or missing IAM controls. For blue teams, we’ll also cover the steps you can take to shore up your IAM controls and catch pen testers in the act. Purple teaming, FTW!