Over the past twenty years, cyberattacks have caused more than $12 billion in direct losses in the financial sector alone. Cases like Robert Wesbrook highlight a recurring pattern: attackers often breach networks within days, then remain dormant for weeks or months before extracting highly sensitive data from critical infrastructure.
Despite this, penetration testing remains underutilized. Only 32% of organizations test annually or biannually, and just 28% do so quarterly. While regulations such as GDPR have increased adoption, over half of organizations still rely on third‑party pentesters, with many now building in‑house teams.
Those experts challenge the existing system. Their core activity involves experimentation, manipulation, and deliberate risk-taking. Yet most tooling and infrastructure choices prioritize isolation at the expense of ergonomics, performance, and workflow efficiency. In this article, we examine the limits of traditional pentesting setups, and whether bare‑metal approaches can restore all four without compromising safety.
Security Requirements, Not Tooling Preferences
Penetration testing requires building a setup that reduces data leak risks, simplifies retesting, and makes it easier to safely and confidently c. Unsurprisingly, setups are expected to follow three core security principles: strict isolation, easy reset capabilities, and reversibility.
Isolation as a Discipline and Its Practical Limits
When environments are isolated, cross‑contamination becomes much harder. Client data does not leak into internal tooling or unrelated engagements. One of the simplest ways to restore order in a pentester’s ecosystem is to separate test environments from client work in a deliberate, enforced way. For many pentesters, this isolation means carrying two workstations (air-gapping): one for email, reporting, and compliance‑related tasks, and a Linux-based one to conduct their testing on clients’ systems.
This setup remains when they want to test new tools in a safe testing lab. Some may have tried to install traditional virtual machines to reduce their physiotherapist bills, but common solutions usually lead to degraded performance. While they may provide rollbacks or snapshots, they often fall short in terms of performance, scalability, and stability.
As a result, despite the ergonomic and financial drawbacks, many pentesters still enforce strict physical isolation - quite literally, by the strength of their backs...and by the sweat of their brow when they must carry the machines.
Cleaning is part of the job
My father used to say that a proper kitchen should leave no trace of the meal that was just prepared. This rule applies to pentesting
For the client, this ensures confidentiality, prevents cross-contamination, and preserves a clean baseline for future tests. But it comes with a trade-off: before each new engagement, the pentester must reinstall and reconfigure the very tools they deliberately removed after the last one. Every mission starts fresh.
It’s not like erasing a drawing, it’s like tearing the entire sheet of paper apart, leaving nothing reusable behind.
Now imagine if animators had to work this way. Instead of building on previous drawings, they would have to redraw everything from scratch each time, for a single second of motion (which represents around 24 to 30 drawings). Fortunately, they can rely on tracing paper to avoid that. Pentesters, by contrast, don’t have that equivalent.
When a pentester starts a new mission, each environment has to be rebuilt piece by piece. This process is as meticulous, and sometimes as tedious, as clearing the last scraps of paper from a notebook after tearing out a page.
Next-Gen Virtualization: a safe option for Pentesting
Sometimes, solving a problem requires revisiting options that were previously dismissed. Virtualization was long considered impractical for pentesting. Type-2 hypervisors could not deliver strong proper isolation; approaches based on Type – 1 hypervisors were considered too rigid, too hard to reset. In the end, virtualization was dismissed as a serious option for secure pentesting.
Revisiting What We Discarded: Bare-Metal Virtualization
Recent technological advancements shone a new light on this bare-metal based technology, paving the way for next-gen virtualization like the logical hardware separation. Logical separation of physical hardware delivers strong security, near‑native performance, and true isolation.
By removing the emulation layer found in traditional virtualization, it allows operating systems to interact directly with hardware. The result is native OS‑level isolation and high performance without requiring changes to the isolated environments. Data can also remain local, without compromising security boundaries.
This fundamentally changes how pentesting environments are designed. This model makes it possible to run multiple environments on a single workstation. Pentesters could have, on the same laptop, one corporate environment for reporting, and one Linux environment for exploitation, which can be purged at the end of an engagement. One computer. Multiple environments fully isolated. No cross‑contamination and fewer back problems from carrying two laptops.
Environments can be created and torn down on demand, with confidence that nothing leaks between them. Tools persist where they should, along with their configuration, eliminating the need for constant reinstallation.
Next-gen virtualization approaches turn hygiene from a constant effort into a default state. Reporting no longer needs a second physical machine, and each environment is confined to its own virtual space. Exploitation stays contained, while reporting can happen without reconnecting to unstable testing infrastructure.
The Ultimate Win: Disposable Exploitation Environments
An exploitation environment needs to exist just long enough to serve its purpose. Once vulnerabilities are validated, impact is demonstrated, and evidence is collected, there is very little value in keeping that environment alive. On the contrary, keeping it around increases risk and cognitive load.
Logical hardware separation changes the relationship pentesters have with cleaning up the exploitation environment. Instead of manually chasing remnants of access, and temporary configurations, cleaning becomes a structural property of the setup. Destroy the environment, and everything goes with it. No lingering credentials, no forgotten tunnels, no half‑closed sessions waiting to cause trouble later.
Each test starts from a known, clean baseline, free of hidden residue from past engagements. An environment where the pentester can work confidently.
This may be what has been missing in how pentesting environments are usually approached. Most discussions focus on vulnerability detection, but not on what comes after.
But here’s the thing: pentesters already had the pencils they needed. What they were missing was tracing paper.
Good security isn’t just what you find, it’s how cleanly you work.
Pentesting is not defined solely by the vulnerabilities it uncovers, but by how cleanly, reliably, and responsibly the work is carried out. Findings that are difficult to reproduce, reports written in polluted environments, or engagements that leave behind unnecessary artifacts are symptoms of workflows that were never designed with the reality of the job in mind.
What pentesters need is not just better tools, but better conditions to use them. A stable space where reporting is not disrupted by a lingering shell, an expired session, or a misconfigured proxy. An environment where isolation is guaranteed, and cleanup is not an afterthought but a built‑in property.
We understood that pentesters never lacked the ability to draw. They just needed another type of paper. This is why we built a solution that enables them to reconcile isolation, confidentiality and reusability, without any friction for the end-user.
Does it sound too good to be true?
