A pentest should simulate realistic threats, not generic ones.
2. **Overlooking credential attacks** — They are the most common vector; test them thoroughly.
3. **Focusing only on technical vulnerabilities** — Social engineering and insider threats are equally important.
4. **Not using ATT&CK in rep