Red team and targeted external assessments should incorporate application security expertise to better simulate modern adversaries.