There is a significant difference between the techniques and methodologies used by attackers who have significant time and resources, to those used by penetration testers with strict timeframes. These two types of techniques identify very different vulnerabilities in the client’s security controls. The challenges are how to provide value to the client in a strict timeframe when only short term techniques can be employed, and how to help the client defend against long term techniques that can’t be realistically simulated. This chapter not only discusses these issues in detail, but also provides practical advice for overcoming them.