A report on common attack vectors used during 100 pen test engagements at 75 different organizations between 2013 and 2016. Common objectives include achieving a sitewide compromise and/or access to sensitive information the client requested we gain access to. Weak domain passwords were the number one attack path, with Pass the Hash, locating cleartext passwords in memory, and taking advantage of weak network access controls. All of the techniques in the report are design flaws in the environment, the report says. The report also includes advice for dealing with them.”]