How Far Should You Let Penetration Testers Go?
ID: b187c94c-02b0-5ce0-ba5c-483b9d7c0434
STIX ID: report--b187c94c-02b0-5ce0-ba5c-483b9d7c0434
Feed Name: TrustedSec blog
This report advocates allowing penetration testers to proceed beyond bare-minimum proofs-of-concept in order to uncover deeper issues. It illustrates the point with two web-application scenarios, SQL injection and weak credentials combined with unrestricted file upload, each of which escalates from a simple finding to a full system compromise vector: data retrieval, plaintext or weakly hashed credentials, excessive database privileges including xp_cmdshell, webshells, exposed connection strings, and reverse shells. It recommends applying least privilege, defense in depth, improved monitoring, and egress filtering.
