During an Identity Suite implementation, the customer conducted multiple penetration tests and discovered many issues that standard QA testing had missed. One type of issue that QA testing often misses and penetration testing is good at catching is elevated admin access. I was surprised that many such findings were direct results of scoping mistakes in either IdM or IdP.

While resolving these problems, I also learned about a tool that penetration testers often rely on to do their work: Burp Suite. Using a proxy server, Burp Suite allows the tester to capture and repeat requests that are being submitted to IdM while changing those requests to test the boundaries within the product. For example, a tester captured a self-service modify my profile request and then repeated the request with the Login ID changed to another user. As a result, it changed the information of another user. It turned out that the Action of the modify my profile task was set to Modify instead of Self-Modify.

When we realize that such a simple setting in the product can make or break a security boundary, we can really appreciate the value of penetration testing. I am keeping Burp Suite in my toolbox, and hopefully you will too.
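The scoping difference described above, as an added sketch that is not from the original post and is not Identity Suite code: a toy Python model showing why a self-service task must take its subject from the authenticated session, plus a regression check QA could automate. The function names, the request shape and the sample directory are hypothetical; only the two Action values come from the post.

```python
import copy

# Constructed sample directory (hypothetical users and attributes).
DIRECTORY = {
    "alice": {"phone": "555-0100"},
    "bob": {"phone": "555-0101"},
}

class ScopeViolation(Exception):
    """A self-service request named a subject other than the session user."""

def apply_profile_update(action, session_user, request, directory):
    """Apply a profile change and return the Login ID that was modified.

    action       -- the task's Action setting: "Modify" or "Self-Modify"
    session_user -- identity established at login (server-side state)
    request      -- client-supplied fields: "login_id" and "changes"
    """
    if action == "Self-Modify":
        # The subject is the session user; a client-supplied Login ID may
        # only confirm it, never select someone else.
        if request.get("login_id", session_user) != session_user:
            raise ScopeViolation("self-service task aimed at another user")
        target = session_user
    elif action == "Modify":
        # Admin-style task: the subject is whoever the request names.
        target = request["login_id"]
    else:
        raise ValueError(f"unknown action {action!r}")
    if target not in directory:
        raise KeyError(target)
    directory[target].update(request["changes"])
    return target

def cross_user_write_possible(action):
    """Regression check: can a request sent as alice change bob's record?"""
    directory = copy.deepcopy(DIRECTORY)
    request = {"login_id": "bob", "changes": {"phone": "555-0199"}}
    try:
        apply_profile_update(action, "alice", request, directory)
    except ScopeViolation:
        pass
    return directory["bob"] != DIRECTORY["bob"]

if __name__ == "__main__":
    for action in ("Modify", "Self-Modify"):
        print(action, "-> cross-user write:", cross_user_write_possible(action))
```

Running the same check against every self-service task after a configuration change turns this class of finding into an ordinary QA failure.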