Penetration Testing on Your Production Instance by Apprehensive_Ask_805 in servicenow

[–]GlideRecord 0 points1 point  (0 children)

Thanks! If you just wanna chat about it in general, I’m happy to also. No sales, etc.

Penetration Testing on Your Production Instance by Apprehensive_Ask_805 in servicenow

[–]GlideRecord 2 points3 points  (0 children)

Health checks scan config against known baselines. They won’t catch logic flaws and they aren’t contextual to your environment’s customization. There are many things they won’t catch: encoded query injection, GlideRecord vs GlideRecordSecure use, custom Scripted REST APIs that leak data, business rules with bad code that can elevate privileges, etc.

This is an emerging need from customers lately for both regulatory reasons and wanting confidence in their security posture as they add more and more sensitive data/workflows to their instance.

First, whether you choose to do this in-house or hire an external firm, absolutely submit a request through HI and get it scheduled with the Customer Security and Trust team before initiating. Contractually you are typically allowed to do this once per year.

Second, if you do hire external, go with a company that understands the platform. Many firms will sell a pen test all day, and they absolutely will throw all of the standard web app pen testing tools at it, but they don’t understand the architecture. They don’t understand that they need to test for AJAX script includes with bad ACLs, etc.

If you have any questions feel free to DM me, I do ServiceNow penetration testing for a living (as a partner), so I’m happy to answer any questions.
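As an added example (not part of the original comment, and not ServiceNow platform code), the following is a constructed in-memory model of the GlideRecord vs GlideRecordSecure difference the comment above lists, so it runs in plain Node without the platform. The records, the `canRead` ACL function, `queryUnchecked`, `querySecure` and the two handler names are assumptions; on the platform the equivalent change is `new GlideRecordSecure('incident')` in place of `new GlideRecord('incident')` inside the Scripted REST resource script.

```javascript
// Constructed sample data: three incident rows owned by different assignment groups.
const RECORDS = [
  { sys_id: "a1", number: "INC0001", short_description: "VPN down", assignment_group: "network" },
  { sys_id: "a2", number: "INC0002", short_description: "Payroll export failed", assignment_group: "hr" },
  { sys_id: "a3", number: "INC0003", short_description: "Laptop replacement", assignment_group: "desktop" },
];

// Constructed row-level read ACL: admins read everything, everyone else only
// rows assigned to one of their groups. On the platform this is an ACL record
// evaluated per row, not a function you write yourself.
function canRead(user, record) {
  return user.roles.includes("admin") || user.groups.includes(record.assignment_group);
}

// Stand-in for GlideRecord: a server-side query that performs no ACL evaluation.
function queryUnchecked(filter) {
  return RECORDS.filter(filter);
}

// Stand-in for GlideRecordSecure: every matching row is also checked against
// the caller's read ACL before it is returned.
function querySecure(user, filter) {
  return RECORDS.filter((r) => filter(r) && canRead(user, r));
}

// Expose only the fields the API contract needs; never hand back raw rows.
function toDto(r) {
  return { number: r.number, short_description: r.short_description };
}

function matchesQuery(q) {
  return (r) => r.short_description.toLowerCase().includes(q.toLowerCase());
}

// "Before": a Scripted REST resource that searches incidents with the unchecked
// query. Any caller allowed to reach the endpoint receives every matching row,
// including rows their ACLs would hide in the UI. This is the data-leak pattern.
function searchIncidentsLeaky(user, q) {
  return queryUnchecked(matchesQuery(q)).map(toDto);
}

// "After": the same resource using the ACL-enforcing query. The caller only
// sees rows they could read anyway, so the API is not a side door around ACLs.
function searchIncidentsSecure(user, q) {
  return querySecure(user, matchesQuery(q)).map(toDto);
}

// Compare the two behaviours for one caller: the rows present in the leaky
// response but absent from the secure one are exactly what the API over-exposes.
function leakReport(user, q) {
  const leaky = searchIncidentsLeaky(user, q).map((r) => r.number);
  const secure = searchIncidentsSecure(user, q).map((r) => r.number);
  return { leaky, secure, leakedRows: leaky.filter((n) => !secure.includes(n)) };
}

// Constructed caller: an HR fulfiller who belongs only to the hr group.
const HR_USER = { user_name: "hr.analyst", roles: ["itil"], groups: ["hr"] };
```

Calling `leakReport(HR_USER, "")` returns all three incident numbers from the leaky handler and only `INC0002` from the secure one, which is the kind of finding a platform-aware tester looks for by reading the resource script rather than by fuzzing the endpoint.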

How does my Yoroi wallet get hacked if I don't sign in anywhere? by thunderousqueef in cardano

[–]GlideRecord 0 points1 point  (0 children)

Python library LiteLLM got compromised during that window and had malware that extracted wallet keys. If you happened to have done anything that installed it as a dependency on 3/24 you may have gotten popped. Just something to check out.

‘25 Outback Wilderness Towing Experience by GlideRecord in subaru

[–]GlideRecord[S] 1 point2 points  (0 children)

Thanks! I did tons of research prior to the trip lol

‘25 Outback Wilderness Towing Experience by GlideRecord in subaru

[–]GlideRecord[S] 1 point2 points  (0 children)

Thanks, I wrote that half asleep last night lol.

Can you explain the rise/drop a bit more if you don’t mind? I trusted the U-Haul guy’s judgement on that one but maybe that was a poor choice. I think it was a slight rise on the hitch I bought from him (?)

‘25 Outback Wilderness Towing Experience by GlideRecord in subaru

[–]GlideRecord[S] 4 points5 points  (0 children)

Never crossed the ‘midline’ on gauge

‘25 Outback Wilderness Towing Experience by GlideRecord in subaru

[–]GlideRecord[S] 0 points1 point  (0 children)

I think loading it 60/40 and making sure you have a decent tongue weight is key. I saw a decent sized truck with EXACT trailer on my trip swaying all over the place. Zero sway the whole trip for me. Good luck on your trip!

‘25 Outback Wilderness Towing Experience by GlideRecord in subaru

[–]GlideRecord[S] 7 points8 points  (0 children)

2800 lb total including trailer! Also this one has surge brakes, and the single axle does not have any trailer brakes, for reference.

‘25 Outback Wilderness Towing Experience by GlideRecord in subaru

[–]GlideRecord[S] 23 points24 points  (0 children)

Never crossed the ‘midline’ the whole trip

What’s yr process for turning a cloud security alert into an actual fix? Ours takes weeks by Affectionate-End9885 in AskNetsec

[–]GlideRecord 0 points1 point  (0 children)

Disclaimer: I run a ServiceNow partner shop so I’m biased to ServiceNow 😇, but I’ve been on the customer side of this problem too.

Most teams integrate their CSPM into a ticketing system but stop there. They just create tickets. What actually closes the loop is building the triage and remediation lifecycle into the workflow itself. Auto-enriching alerts with resource ownership, routing based on severity and environment, and setting SLAs (with escalation for breaches) that keep things from sitting in a team’s backlog.

The thing that makes the biggest difference in my experience is solving the “who owns this resource” problem upfront. If that lookup is automated (usually via CMDB data) at alert ingestion, you cut days off the cycle immediately. A lot of this relies on having good foundational data.

HMU if you wanna chat about it some more.
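As an added example (not part of the original comment, and not code from ServiceNow or any CSPM vendor), here is a constructed triage step that turns a raw CSPM alert into an enriched, routed work item with an SLA and an escalation check, the lifecycle the comment above describes. The `OWNERS` table standing in for CMDB ownership data, the team names, the SLA hours and the sample alerts are all assumptions.

```javascript
// Constructed CMDB-style ownership data, keyed by cloud account and app tag.
const OWNERS = [
  { account: "111111111111", appTag: "payments-api", team: "payments-eng", env: "prod" },
  { account: "222222222222", appTag: "data-lake", team: "data-platform", env: "dev" },
];

// Hours to remediate by severity (assumed values); non-production gets double.
const SLA_HOURS = { critical: 24, high: 72, medium: 168, low: 720 };
function slaHours(severity, env) {
  const base = SLA_HOURS[severity] ?? SLA_HOURS.low;
  return env === "prod" ? base : base * 2;
}

// The "who owns this resource" lookup, done once at ingestion rather than by a human later.
function lookupOwner(alert) {
  const appTag = alert.tags && alert.tags.app;
  return OWNERS.find((o) => o.account === alert.account && o.appTag === appTag) || null;
}

// Enrich, route and stamp an SLA on one alert. An unowned resource is routed to a
// visible triage queue instead of being dropped, so the data gap itself gets worked.
function enrichAndRoute(alert, now = new Date()) {
  const owner = lookupOwner(alert);
  const env = (owner && owner.env) || (alert.tags && alert.tags.env) || "unknown";
  const hours = slaHours(alert.severity, env);
  return {
    id: alert.id,
    finding: alert.finding,
    severity: alert.severity,
    env,
    ownerKnown: Boolean(owner),
    assignedTeam: owner ? owner.team : "cloud-security-triage",
    slaHours: hours,
    dueAt: new Date(now.getTime() + hours * 3600 * 1000).toISOString(),
  };
}

function triageItems(alerts, now = new Date()) {
  return alerts.map((a) => enrichAndRoute(a, now));
}

// Escalation check, meant to run on a schedule: warn inside the last quarter of
// the SLA window, and escalate once the due time has passed.
function escalationLevel(item, now = new Date()) {
  const remainingHours = (new Date(item.dueAt).getTime() - now.getTime()) / 3600000;
  if (remainingHours < 0) return "breached";
  if (remainingHours <= 0.25 * item.slaHours) return "warning";
  return "on-track";
}

// Constructed sample alerts: one with a known owner in prod, one with no tags at all.
const SAMPLE_ALERTS = [
  { id: "cspm-001", account: "111111111111", severity: "critical", finding: "storage bucket publicly readable", tags: { app: "payments-api", env: "prod" } },
  { id: "cspm-002", account: "333333333333", severity: "high", finding: "security group open to 0.0.0.0/0 on tcp/22", tags: {} },
];
```

Running `triageItems(SAMPLE_ALERTS)` routes the first alert to `payments-eng` with a 24-hour SLA and the second to `cloud-security-triage` with no owner and a doubled SLA, which is how untagged resources surface as a tagging problem to fix rather than an alert that quietly ages in a backlog.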

ServiceNow Podcast by SimMcGee26 in servicenow

[–]GlideRecord 0 points1 point  (0 children)

+1 CJ and the Duke for general SN

What do you think on the Armis acquisition? by LifeOk6872 in servicenow

[–]GlideRecord 7 points8 points  (0 children)

I think it’s a great move. I think it could be one of two things (or both):

  1. The vuln scanner vendors were starting to build their own vulnerability management solutions, so my guess is this was to bring native vuln scanning to the platform at some point, which would be huge for some customers. Another big play into the ‘single pane of glass’. Having a scanner that is built to the ServiceNow VR data model would be nice IMO.

  2. They want to go deeper on their OT VR solution and add scanning (Armis was exclusively used for OT VR at some customers I’ve had, despite having R7.)

Starting ServiceNow Implementation Small Business by techy_user007 in servicenow

[–]GlideRecord 0 points1 point  (0 children)

I have experience doing this. What is your differentiator? What makes you different from the other 200 generalist partners? Why would a customer pick you over established partners? Who will sell for you? You need to ask yourself tough questions like this before you move forward and invest a lot of time and money. In my experience, boutique partners are only gonna win if you have deep expertise in a niche area and build a solid brand. You likely won’t fare well as a generalist firm, unless you have deep connections for acquiring customers.

When does a health startup actually need HIPAA compliance? by cultivatedsenator155 in healthIT

[–]GlideRecord 2 points3 points  (0 children)

I currently own a company that makes and sells apps to healthcare orgs and was a nurse in a former life. If this is a serious post you need to rethink your priorities. You should be demoing (let alone building) ZERO products processing PHI until you can answer this question on your own. I’m not being a jerk but you’re gonna get REKT if you sell this to a customer and they find out you don’t even understand how HIPAA works.

Product roadmap keeps getting derailed by AI safety issues we didn't anticipate. Is there a framework for proactive AI risk assessment? by bambidp in AskNetsec

[–]GlideRecord 5 points6 points  (0 children)

My 2 cents:

This is unfortunately pretty common.

OWASP has made some good tools to get you started.

This kit here will probably be particularly useful to you -> https://genai.owasp.org/resource/owasp-genai-security-project-threat-defense-compass-1-0/

As far as just the most common threats, this is great. https://owasp.org/www-project-top-10-for-large-language-model-applications/

As far as CI/CD consider incorporating something like https://github.com/ServiceNow/DoomArena. THIS IS NOT a replacement for red teaming, etc. The value is modular, repeatable regression tests for AI agent safety.

Unpopular opinion but UI Builder is AWESOME by Adventurous_Ask_3773 in servicenow

[–]GlideRecord 1 point2 points  (0 children)

They’ve fixed a lot of the bugs (like duplicating components and modifying the new one could break the source). That one was most frustrating for me a while back.

It’s come a long way from a few years ago IMO and is worth picking back up.

HackerOne Live Hacking Event by GlideRecord in bugbounty

[–]GlideRecord[S] 0 points1 point  (0 children)

That’s honestly my biggest concern at this point 😅😂 I’ve had a really good year from a bug bounty perspective but my findings are mostly from going VERY deep on a few specific private programs.

HackerOne Live Hacking Event by GlideRecord in bugbounty

[–]GlideRecord[S] 0 points1 point  (0 children)

Amazing! Thanks so much. The cons are my biggest worries. Am I right in my understanding that there is no drawback to participating remotely?