During testing you find indicators that a REAL attacker is already inside the client's environment. What now?
Short answer
Discovering an active intrusion is an out-of-band emergency: the rules of engagement should define an escalation path, so invoke it immediately, preserve evidence, and avoid contaminating an active incident. Continuing to test can interfere with the real attacker or destroy the very evidence responders need. Trying to evict the attacker yourself is out of scope, risky, and may tip them off. Waiting until the final report could mean days of ongoing breach and data loss.
A penetration test is a planned exercise; an active, real-world intrusion is not. The moment you find genuine indicators of compromise that aren't yours, the situation changes from testing to incident response, and your responsibilities shift accordingly.
Why stopping, preserving, and escalating is correct
A good engagement contract anticipates this exact scenario: the rules of engagement name an emergency contact and an out-of-band escalation path. Invoke it immediately. Stop activity that could overwrite logs or alter the affected systems, preserve what you found (notes, timestamps, indicators), and hand off to the client so they can trigger formal incident response. Speed matters — every hour a real attacker stays in the environment can mean more data stolen or more systems compromised. Your job is to raise the alarm cleanly, not to investigate or fight.
Why the other options are wrong
- Keep testing. Continuing risks colliding with the attacker's activity, contaminating evidence, and making it impossible for responders to separate your actions from theirs. "Not my job" ignores the duty of care you owe a client whose data is actively at risk.
- Evict the attacker yourself. This is outside your scope, untrained territory, and dangerous: you might tip off the attacker (who could then destroy data or burn their access), corrupt forensic evidence, or take down systems. Eviction is a coordinated IR operation, not a solo move.
- Wait for the final report. Sitting on an active breach for days is indefensible. It guarantees continued damage and exposes both you and the client to serious legal and reputational fallout.
What an interviewer is probing
They want to see you recognize a mode switch — from offense to emergency notification — and that you know the RoE should already contain the escalation mechanism. The signal is calm, fast, evidence-aware escalation, not heroics.
Likely follow-ups
- What pre-defined contact and process in the RoE covers an unexpected real incident?
- How do you avoid contaminating evidence once you suspect a live intrusion?
- How do you distinguish your own test activity from the real attacker's in the logs?