About six years ago, social engineering penetration tests became the norm for the A-Team. In many of these tests, our team would attempt as many as 10-20 unique exploits against various applications and operating system functions. This often included exploits against Flash, Java, Adobe Reader, MS Office and IE. While one or two exploit attempts may have succeeded, the majority would fail. When it came time to present our report to the client, it would inevitably focus on the successful compromises and their associated vulnerabilities. In almost every case, our clients would ask about the attacks that failed and what control(s) prevented them.