diff --git a/rules-unsupported/win_mal_service_installs.yml b/rules-unsupported/win_mal_service_installs.yml
index 7e53f75b2..9f61bfc9c 100644
--- a/rules-unsupported/win_mal_service_installs.yml
+++ b/rules-unsupported/win_mal_service_installs.yml
@@ -33,6 +33,6 @@ detection:
 ServiceName: 'Java(TM) Virtual Machine Support Service'
 condition: selection and 1 of malsvc_*
 falsepositives:
- - Penetration testing
+ - Unknown
 level: critical
 status: unsupported
\ No newline at end of file
diff --git a/rules/application/django/appframework_django_exceptions.yml b/rules/application/django/appframework_django_exceptions.yml
index bedcfb1d6..233cc72d6 100644
--- a/rules/application/django/appframework_django_exceptions.yml
+++ b/rules/application/django/appframework_django_exceptions.yml
@@ -30,7 +30,6 @@ detection:
 condition: keywords
 falsepositives:
 - Application bugs
- - Penetration testing
 level: medium
 tags:
 - attack.initial_access
diff --git a/rules/application/python/app_python_sql_exceptions.yml b/rules/application/python/app_python_sql_exceptions.yml
index c69a917af..bb06459da 100644
--- a/rules/application/python/app_python_sql_exceptions.yml
+++ b/rules/application/python/app_python_sql_exceptions.yml
@@ -19,7 +19,6 @@ detection:
 condition: exceptions
 falsepositives:
 - Application bugs
- - Penetration testing
 level: medium
 tags:
 - attack.initial_access
diff --git a/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml b/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml
index 45682035c..2a058bb7c 100644
--- a/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml
+++ b/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml
@@ -23,7 +23,6 @@ detection:
 condition: keywords
 falsepositives:
 - Application bugs
- - Penetration testing
 level: medium
 tags:
 - attack.initial_access
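Review bot: The new side of rules-unsupported/win_mal_service_installs.yml still ends without a trailing newline — the `\ No newline at end of file` marker follows the shared `status: unsupported` context line, so it applies to both sides — and since this hunk already rewrites the falsepositives entry two lines above, it is the cheapest place to add one. `Unknown` is also the least informative value for a critical-level rule keyed on a fixed service name; if the intent is that benign hits are not expected, an entry such as `- Unlikely` says so, whereas `Unknown` reads as "not assessed". Dropping "Penetration testing" itself is sound: an authorised red-team triggering this rule is a true positive for the detection, and suppression belongs in the SOC's exclusion process rather than in rule metadata.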
diff --git a/rules/application/spring/appframework_spring_exceptions.yml b/rules/application/spring/appframework_spring_exceptions.yml
index df34f0402..fe97e056c 100644
--- a/rules/application/spring/appframework_spring_exceptions.yml
+++ b/rules/application/spring/appframework_spring_exceptions.yml
@@ -22,7 +22,6 @@ detection:
 condition: keywords
 falsepositives:
 - Application bugs
- - Penetration testing
 level: medium
 tags:
 - attack.initial_access
diff --git a/rules/generic/generic_brute_force.yml b/rules/generic/generic_brute_force.yml
index 47b45e159..1deec3354 100644
--- a/rules/generic/generic_brute_force.yml
+++ b/rules/generic/generic_brute_force.yml
@@ -18,7 +18,6 @@ fields:
 - user
 falsepositives:
 - Inventarization
- - Penetration testing
 - Vulnerability scanner
 - Legitimate application
 level: medium
diff --git a/rules/network/net_susp_network_scan_by_ip.yml b/rules/network/net_susp_network_scan_by_ip.yml
index ab443fc66..86f3d9b20 100644
--- a/rules/network/net_susp_network_scan_by_ip.yml
+++ b/rules/network/net_susp_network_scan_by_ip.yml
@@ -19,7 +19,6 @@ fields:
 falsepositives:
 - Inventarization systems
 - Vulnerability scans
- - Penetration testing activity
 level: medium
 tags:
 - attack.discovery
diff --git a/rules/network/net_susp_network_scan_by_port.yml b/rules/network/net_susp_network_scan_by_port.yml
index e3cc1f862..8037e1b0a 100644
--- a/rules/network/net_susp_network_scan_by_port.yml
+++ b/rules/network/net_susp_network_scan_by_port.yml
@@ -18,7 +18,6 @@ detection:
 falsepositives:
 - Inventarization systems
 - Vulnerability scans
- - Penetration testing activity
 level: medium
 fields:
 - src_ip
diff --git a/rules/web/web_cve_2010_5278_exploitation_attempt.yml b/rules/web/web_cve_2010_5278_exploitation_attempt.yml
index 9c1cd0f55..368ddf6ec 100644
--- a/rules/web/web_cve_2010_5278_exploitation_attempt.yml
+++ b/rules/web/web_cve_2010_5278_exploitation_attempt.yml
@@ -18,7 +18,6 @@ detection:
 condition: selection
 falsepositives:
 - Scanning from Nuclei
- - Penetration Testing Activity
 - Unknown
 tags:
 - attack.initial_access
diff --git a/rules/web/web_path_traversal_exploitation_attempt.yml b/rules/web/web_path_traversal_exploitation_attempt.yml
index 498eb27da..5eeeed755 100644
--- a/rules/web/web_path_traversal_exploitation_attempt.yml
+++ b/rules/web/web_path_traversal_exploitation_attempt.yml
@@ -17,7 +17,6 @@ detection:
 condition: selection
 falsepositives:
 - Happens all the time on systems exposed to the Internet
- - Penetration testing activity on internal systems
 - Internal vulnerability scanners
 tags:
 - attack.initial_access
diff --git a/rules/windows/builtin/security/win_mal_wceaux_dll.yml b/rules/windows/builtin/security/win_mal_wceaux_dll.yml
index d88704d0f..7ebec9faa 100644
--- a/rules/windows/builtin/security/win_mal_wceaux_dll.yml
+++ b/rules/windows/builtin/security/win_mal_wceaux_dll.yml
@@ -21,7 +21,7 @@ detection:
 ObjectName|endswith: '\wceaux.dll'
 condition: selection
 falsepositives:
- - Penetration testing
+ - Unknown
 level: critical
 tags:
 - attack.credential_access
diff --git a/rules/windows/builtin/security/win_security_mal_service_installs.yml b/rules/windows/builtin/security/win_security_mal_service_installs.yml
index b3b0a67c2..e1025f86f 100644
--- a/rules/windows/builtin/security/win_security_mal_service_installs.yml
+++ b/rules/windows/builtin/security/win_security_mal_service_installs.yml
@@ -29,5 +29,5 @@ detection:
 ServiceName: 'javamtsup'
 condition: selection and 1 of malsvc_*
 falsepositives:
- - Penetration testing
+ - Unknown
 level: critical
\ No newline at end of file
diff --git a/rules/windows/builtin/system/win_susp_sam_dump.yml b/rules/windows/builtin/system/win_susp_sam_dump.yml
index 15cb35d23..03e8fb6e9 100644
--- a/rules/windows/builtin/system/win_susp_sam_dump.yml
+++ b/rules/windows/builtin/system/win_susp_sam_dump.yml
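Review bot: rules/windows/builtin/security/win_security_mal_service_installs.yml still has no trailing newline on the new side — `\ No newline at end of file` follows the shared `level: critical` context line — and this hunk edits the line immediately above it, so adding the newline here costs nothing. Left as is, the file fails yamllint's `new-line-at-end-of-file` check and the next edit to `level:` will show up as a two-line diff. The replacement `- Unknown` is a weaker statement than the rule warrants for a selection on a hard-coded service name; if benign hits are not expected, `- Unlikely` conveys that, while `Unknown` suggests the question was not considered.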
@@ -17,7 +17,7 @@ detection:
 - '.dmp'
 condition: selection and all of keywords
 falsepositives:
- - Penetration testing
+ - Unknown
 level: high
 tags:
 - attack.credential_access
diff --git a/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml b/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml
index 6adae36db..b490bffdb 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml
@@ -26,5 +26,5 @@ tags:
 - attack.t1069.002
 - attack.t1069
 falsepositives:
- - Penetration testing
+ - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
index 937652d74..b45c6ed55 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
@@ -118,5 +118,5 @@ detection:
 - C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Set-Wallpaper.ps1 # false positive form Amazon EC2
 condition: select_Malicious and not false_positives
 falsepositives:
- - Penetration testing
+ - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
index f107fce3f..619d40b01 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
@@ -90,5 +90,5 @@ detection:
 - FakeDC
 condition: Nishang
 falsepositives:
- - Penetration testing
+ - Unknown
 level: high
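Review bot: In posh_ps_malicious_commandlets.yml the new `- Unknown` contradicts the detection block two lines above it, which already names a known benign source and filters it out via `false_positives` (`C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Set-Wallpaper.ps1`); the falsepositives list should record that rather than claim nothing is known, e.g. `- Amazon EC2 Windows launch scripts (Set-Wallpaper.ps1), excluded through the false_positives filter`. Documenting it there matters because analysts tuning the rule read `falsepositives`, not the filter, and `Unknown` tells them the exclusion has no rationale. While in this area, the inline comment `# false positive form Amazon EC2` should read `from`. The enclosing `detection:` block begins above the hunk.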
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_data_exfiltration_by_using_datasvcutil.yml b/rules/windows/process_creation/proc_creation_win_lolbas_data_exfiltration_by_using_datasvcutil.yml
index ea11ff858..673b9d38d 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbas_data_exfiltration_by_using_datasvcutil.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbas_data_exfiltration_by_using_datasvcutil.yml
@@ -29,8 +29,7 @@ fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
- - DataSvcUtil.exe being used may be performed by a system administrator.
+ - DataSvcUtil.exe being used may be performed by a system administrator.
 - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
 - DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- - Penetration Testing
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_lolbins_suspicious_driver_installed_by_pnputil.yml b/rules/windows/process_creation/proc_creation_win_lolbins_suspicious_driver_installed_by_pnputil.yml
index 67dc8ab32..7e08a32ab 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbins_suspicious_driver_installed_by_pnputil.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbins_suspicious_driver_installed_by_pnputil.yml
@@ -31,8 +31,7 @@ fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
- - Pnputil.exe being used may be performed by a system administrator.
+ - Pnputil.exe being used may be performed by a system administrator.
 - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
 - Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- - Penetration Testing
 level: medium
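Review bot: The retained line `- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.` in the datasvcutil rule sends analysts to a "user agent", which a process-creation event does not carry; the rule's own `fields` entries in this hunk are `CommandLine` and `ParentCommandLine`, so the hint should point at what is actually available, e.g. `- Verify whether the user identity, parent process, and/or hostname should be making changes in your environment.`. The `-`/`+` pair for the administrator line shows identical text, so that change is presumably whitespace-only and worth a mention in the commit message. Removing `Penetration Testing` is consistent with the rest of the commit.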
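Review bot: The same "user agent" wording survives in the pnputil rule's context line `- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.`; a driver-install detection on process creation has no user agent to check, and the visible `fields` are `CommandLine` and `ParentCommandLine`. Suggest `- Verify whether the user identity, parent process, and/or hostname should be making changes in your environment.` so the triage guidance matches the telemetry. As with the datasvcutil hunk, the `-`/`+` administrator lines read identically, so that edit is presumably a trailing-whitespace fix.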