
 eyeballer


Weaponized machine-learning tool adds punch to pen testing (TechBeacon)


As a pen tester, what do you do when you're trying to hack into the external web perimeter of a massive company and the scope entails over 100,000 domains and machines to inspect? All the low-hanging CVE fruit has long been picked clean by automated scanners, so there are no obvious ways in. Yet ways in exist, even if you don't know exactly what you're looking for. You know it when you see the kind of page that will still bear fruit: some old-looking custom web app that can be exploited, some administration page with a login that could be brute-forced, something "interesting." But how do you get to the "interesting" more quickly?