A tale of enumeration, and why pen testing can’t be automated
ID: d7499005-5f17-548d-8cda-65bd20b50367
STIX ID: report--d7499005-5f17-548d-8cda-65bd20b50367
Feed Name: Pen Test Partners Blog
During an external penetration test, an open public directory exposed a zipped ArcGIS proxy.config containing plaintext credentials, which allowed access to the client's ArcGIS instance and enumeration of Active Directory and Office 365 user information. The client removed the directory and rotated credentials, and the report recommends regular audits, stronger environment segregation, MFA, and use of secret managers.
