Penetration tests have always had gaps. It's unavoidable - you just can't do everything the bad guys can do, like installing malware with a worm component in production environments. But it strikes me that, with the popularity of SaaS these days, pentests might be missing entire environments. The term SaaS and environments like Salesforce, M365, Google Workspace, and Okta never come up in this NetSPI report.
Working in product marketing for a SaaS security vendor, one of my challenges has been figuring out why SaaS security isn't higher on folks' priority lists, and I suspect this might be part of the reason why. I mean, I get it - folks still have NT4, Server 2003 on their networks (hell, they still have "networks"), and that's scary as hell. But an Okta/M365 admin takeover is pretty scary as well, no?
Is SaaS in scope for modern pen tests? Is it even on pen testers' radars?