Application penetration tests take real time, real money, and real effort from your team. If you are going to do one, it should tell you something useful about your risks.

Modern applications aren’t just custom code and a database. They often rely on third-party APIs, external services, and, in some cases, AI-driven features. At the same time, testing approaches are changing, with some vendors relying more heavily on automation and AI-assisted techniques. Both realities affect what gets tested and how to interpret the results.

The difference between a helpful test and a frustrating one often comes down to fundamentals. Scope. Expectations. Communication. And knowing what questions to ask before the test starts and after the report lands.

In this virtual session, Dan Petro, a long-time application tester and lead researcher at Bishop Fox, walks through how application pen tests work in practice and where they often fall short. He’ll share what experienced testers look for at each phase of an engagement and what makes a test worth the investment.

This session is useful whether you are running your first test or trying to get more consistency and value out of an established program.

We’ll cover:

• What a good application pen test actually includes
• Questions to ask before, during, and after the engagement
• How to evaluate vendors, especially those using AI-powered testing
• How modern application features, including AI-driven functionality, can affect scope and results

This is a straightforward conversation about running better application penetration tests, focused on practical outcomes and real-world tradeoffs.