{"id":"https://openalex.org/W4225608293","doi":"https://doi.org/10.1145/3514040","title":"Examining Penetration Tester Behavior in the Collegiate Penetration Testing Competition","display_name":"Examining Penetration Tester Behavior in the Collegiate Penetration Testing Competition","publication_year":2022,"publication_date":"2022-04-09","ids":{"openalex":"https://openalex.org/W4225608293","doi":"https://doi.org/10.1145/3514040"},"language":"en","primary_location":{"id":"doi:10.1145/3514040","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3514040","pdf_url":null,"source":{"id":"https://openalex.org/S142627899","display_name":"ACM Transactions on Software Engineering and Methodology","issn_l":"1049-331X","issn":["1049-331X","1557-7392"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Software Engineering and Methodology","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5012425179","display_name":"Benjamin S. Meyers","orcid":"https://orcid.org/0000-0001-7053-6722"},"institutions":[{"id":"https://openalex.org/I155173764","display_name":"Rochester Institute of Technology","ror":"https://ror.org/00v4yb702","country_code":"US","type":"education","lineage":["https://openalex.org/I155173764"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Benjamin S. Meyers","raw_affiliation_strings":["Department of Software Engineering, Rochester Institute of Technology, Rochester, NY, USA"],"raw_orcid":"https://orcid.org/0000-0001-7053-6722","affiliations":[{"raw_affiliation_string":"Department of Software Engineering, Rochester Institute of Technology, Rochester, NY, USA","institution_ids":["https://openalex.org/I155173764"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5018064343","display_name":"Sultan Fahad Almassari","orcid":null},"institutions":[{"id":"https://openalex.org/I155173764","display_name":"Rochester Institute of Technology","ror":"https://ror.org/00v4yb702","country_code":"US","type":"education","lineage":["https://openalex.org/I155173764"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Sultan Fahad Almassari","raw_affiliation_strings":["Department of Software Engineering, Rochester Institute of Technology, Rochester, NY, USA"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Department of Software Engineering, Rochester Institute of Technology, Rochester, NY, USA","institution_ids":["https://openalex.org/I155173764"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5030147937","display_name":"Brandon N. Keller","orcid":"https://orcid.org/0000-0002-4271-9318"},"institutions":[{"id":"https://openalex.org/I155173764","display_name":"Rochester Institute of Technology","ror":"https://ror.org/00v4yb702","country_code":"US","type":"education","lineage":["https://openalex.org/I155173764"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Brandon N. Keller","raw_affiliation_strings":["Department of Software Engineering, Rochester Institute of Technology, Rochester, NY, USA"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Department of Software Engineering, Rochester Institute of Technology, Rochester, NY, USA","institution_ids":["https://openalex.org/I155173764"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5073112840","display_name":"Andrew Meneely","orcid":"https://orcid.org/0000-0002-4850-1408"},"institutions":[{"id":"https://openalex.org/I155173764","display_name":"Rochester Institute of Technology","ror":"https://ror.org/00v4yb702","country_code":"US","type":"education","lineage":["https://openalex.org/I155173764"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Andrew Meneely","raw_affiliation_strings":["Department of Software Engineering, Rochester Institute of Technology, Rochester, NY, USA"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Department of Software Engineering, Rochester Institute of Technology, Rochester, NY, USA","institution_ids":["https://openalex.org/I155173764"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5012425179"],"corresponding_institution_ids":["https://openalex.org/I155173764"],"apc_list":null,"apc_paid":null,"fwci":2.8713,"has_fulltext":false,"cited_by_count":9,"citation_normalized_percentile":{"value":0.92083472,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":90,"max":98},"biblio":{"volume":"31","issue":"3","first_page":"1","last_page":"25"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.9987999796867371,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.9987999796867371,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9987000226974487,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9984999895095825,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7410520911216736},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.726360023021698},{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.696213960647583},{"id":"https://openalex.org/keywords/timeline","display_name":"Timeline","score":0.5955433249473572},{"id":"https://openalex.org/keywords/penetration","display_name":"Penetration (warfare)","score":0.5496387481689453},{"id":"https://openalex.org/keywords/plug-in","display_name":"Plug-in","score":0.45811668038368225},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.4260813593864441},{"id":"https://openalex.org/keywords/operations-research","display_name":"Operations research","score":0.10756069421768188},{"id":"https://openalex.org/keywords/engineering","display_name":"Engineering","score":0.10063892602920532},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.09309446811676025}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7410520911216736},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.726360023021698},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.696213960647583},{"id":"https://openalex.org/C4438859","wikidata":"https://www.wikidata.org/wiki/Q186117","display_name":"Timeline","level":2,"score":0.5955433249473572},{"id":"https://openalex.org/C80107235","wikidata":"https://www.wikidata.org/wiki/Q7162625","display_name":"Penetration (warfare)","level":2,"score":0.5496387481689453},{"id":"https://openalex.org/C4924752","wikidata":"https://www.wikidata.org/wiki/Q184148","display_name":"Plug-in","level":2,"score":0.45811668038368225},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.4260813593864441},{"id":"https://openalex.org/C42475967","wikidata":"https://www.wikidata.org/wiki/Q194292","display_name":"Operations research","level":1,"score":0.10756069421768188},{"id":"https://openalex.org/C127413603","wikidata":"https://www.wikidata.org/wiki/Q11023","display_name":"Engineering","level":0,"score":0.10063892602920532},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.09309446811676025},{"id":"https://openalex.org/C166957645","wikidata":"https://www.wikidata.org/wiki/Q23498","display_name":"Archaeology","level":1,"score":0.0},{"id":"https://openalex.org/C95457728","wikidata":"https://www.wikidata.org/wiki/Q309","display_name":"History","level":0,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3514040","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3514040","pdf_url":null,"source":{"id":"https://openalex.org/S142627899","display_name":"ACM Transactions on Software Engineering and Methodology","issn_l":"1049-331X","issn":["1049-331X","1557-7392"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Software Engineering and Methodology","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":29,"referenced_works":["https://openalex.org/W173606538","https://openalex.org/W1584091223","https://openalex.org/W1978394996","https://openalex.org/W1983758807","https://openalex.org/W2044715809","https://openalex.org/W2045856890","https://openalex.org/W2077937403","https://openalex.org/W2293328109","https://openalex.org/W2294973055","https://openalex.org/W2583132862","https://openalex.org/W2897111212","https://openalex.org/W2907851756","https://openalex.org/W2984798626","https://openalex.org/W3008793678","https://openalex.org/W3031020798","https://openalex.org/W3047439256","https://openalex.org/W3114846425","https://openalex.org/W3158798940","https://openalex.org/W3160415515","https://openalex.org/W4210320858","https://openalex.org/W4231440932","https://openalex.org/W4248611294","https://openalex.org/W4254461327","https://openalex.org/W4256531287","https://openalex.org/W4299522686","https://openalex.org/W4365806382","https://openalex.org/W4393565079","https://openalex.org/W6762027449","https://openalex.org/W6927399971"],"related_works":["https://openalex.org/W2331043530","https://openalex.org/W3122267592","https://openalex.org/W2042616262","https://openalex.org/W17195039","https://openalex.org/W3015380456","https://openalex.org/W4313255991","https://openalex.org/W4386004672","https://openalex.org/W4317526616","https://openalex.org/W2430357810","https://openalex.org/W4200107337"],"abstract_inverted_index":{"Penetration":[0,101],"testing":[1,56],"is":[2,176],"a":[3,59,177],"key":[4],"practice":[5],"toward":[6],"engineering":[7],"secure":[8],"software.":[9],"Malicious":[10],"actors":[11],"have":[12],"many":[13],"tactics":[14,25],"at":[15],"their":[16],"disposal,":[17],"and":[18,67,83,112,136,155],"software":[19],"engineers":[20],"need":[21],"to":[22,65,132,145,166,186],"know":[23],"what":[24],"attackers":[26],"will":[27],"prioritize":[28],"in":[29,51,196],"the":[30,69,78,87,98],"first":[31],"few":[32],"hours":[33],"of":[34,71,80,89,109,122,184,194],"an":[35],"attack.":[36],"Projects":[37],"like":[38],"MITRE":[39,137],"ATT&amp;CK\u2122":[40],"provide":[41],"knowledge,":[42],"but":[43],"how":[44],"do":[45],"people":[46],"actually":[47],"deploy":[48],"this":[49,74],"knowledge":[50],"real":[52],"situations?":[53],"A":[54],"penetration":[55,123,182],"competition":[57],"provides":[58],"realistic,":[60],"controlled":[61],"environment":[62],"with":[63,86],"which":[64],"measure":[66],"compare":[68],"efficacy":[70],"attackers.":[72],"In":[73],"work,":[75],"we":[76],"examine":[77],"details":[79],"vulnerability":[81,92,110],"discovery":[82,111],"attacker":[84],"behavior":[85],"goal":[88],"improving":[90],"existing":[91],"assessment":[93],"processes":[94],"using":[95],"data":[96],"from":[97],"2019":[99],"Collegiate":[100],"Testing":[102],"Competition":[103],"(CPTC).":[104],"We":[105,125,139],"constructed":[106],"98":[107],"timelines":[108],"exploits":[113],"for":[114],"37":[115],"unique":[116],"vulnerabilities":[117,128,143,164,195],"discovered":[118,153],"by":[119,130,181],"10":[120],"teams":[121],"testers.":[124],"grouped":[126],"related":[127,144,165],"together":[129],"mapping":[131],"Common":[133],"Weakness":[134],"Enumerations":[135],"ATT&amp;CK\u2122.":[138],"found":[140],"that":[141],"(1)":[142],"improper":[146,167],"resource":[147],"control":[148,169],"(e.g.,":[149,170],"session":[150],"fixation)":[151],"are":[152],"faster":[154],"more":[156],"often,":[157],"as":[158,160],"well":[159],"exploited":[161],"faster,":[162],"than":[163],"access":[168],"weak":[171],"password":[172],"requirements),":[173],"(2)":[174],"there":[175],"clear":[178],"process":[179],"followed":[180],"testers":[183],"discovery/collection":[185],"lateral":[187],"movement/pre-attack.":[188],"Our":[189],"methodology":[190],"facilitates":[191],"quicker":[192],"analysis":[193],"future":[197],"CPTC":[198],"events.":[199]},"counts_by_year":[{"year":2025,"cited_by_count":1},{"year":2024,"cited_by_count":1},{"year":2023,"cited_by_count":5},{"year":2022,"cited_by_count":2}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}