Most organizations’ external perimeter is pretty buttoned up. But once you make it inside it’s still pretty weak. It’s a pretty quick operation to go from social engineering to exploit somebody’s workstation, to pivoting in the environment and escalate all the way to an administrator where you can access anything.
But the perimeter is more secure, applications are being developed more securely, developers are more knowledgeable about different types of classes of attacks and how to use tools to prevent those. Most organizations still struggle to patch clients, which can be attacked using phishing or other social engineering techniques.
