Exploitation

With the engineers and breaching tools delivered to the castle, exploitation is where the attacker now needs to press the advantage home. The engineers will have to work to get through the wall. They find the area with the shallow foundations and start to dig under it. 

The exploitation phase is where security teams generally invest the most time and effort. Detecting and defeating a threat actor in the act of exploitation is very difficult; there are too many potential points of failure in a system to monitor effectively. Checking against every signature in existence would be so slow that it would limit the organization's ability to conduct business as usual. This is particularly important for industries that gain an advantage from near real-time service. Such businesses must balance the organization's business priorities against the risks. (We covered this in The incident response plan section of Chapter 7, Roles and Responsibilities During an Incident.)

Organizations can work proactively to minimize the risk of exploitation by monitoring the threat landscape and deciding which threats may impact the organization's existing and future infrastructure. For example, when new tunneling technology is developed, they can reevaluate the depth of their walls; if new, taller siege ladders are made, they may review the height of their walls; if a major flaw were found in Java, they might have to find a patch or decrease the viability of the exploit kits that target it by adding further layers of defense.
