When scoping a penetration test for a client, there is often a disconnect between “check-box” requirements and actual preparation for what real-world attackers might attempt. With an influx of major data breaches, organizations need to take ownership and realize that compliance is not a “silver bullet”; its value depends on how it is implemented against the organization’s own needs and requirements. Check-box security isn’t a bad start, but it is just that: a start. Because it is often required for compliance, it tends to be the main, or only, driver for many security programs. This pushes companies to meet only the minimum requirements, can instill a false sense of security, and can obscure their view of their overall security posture. This talk will cover what we often see as pentesters when scoping an assessment with a client, and offers views and ways to help clients broaden their understanding of attack methods that go far beyond the requirements of “check-box security”, with the goal of improving their security posture overall.