Cloud red team engagements lack realistic initial access because clients refuse to authorize production phishing

The most critical phase of a cloud penetration test is initial access, typically via phishing or credential stuffing against the production identity provider. Yet 80%+ of clients exclude this phase from scope, restricting the test to 'assume breach' scenarios in which the red team starts with valid credentials. As a result, the most common and dangerous attack vector, credential compromise via phishing, goes completely untested. The exclusion persists because phishing real employees disrupts business operations, creates HR liability if employees feel tricked, and risks triggering incident response processes that waste SOC time on a known-friendly exercise.

Evidence

https://www.sans.org/white-papers/cloud-penetration-testing/
