Save time with unbiased, independent feedback on vendor solutions.
Watch weekly bite-sized webinars hosted by IANS Faculty.
Automated penetration testing tools sit in a sweet spot between vulnerability scanners and manual penetration tests. While nothing can take the place of the expertise and customized approach of a manual
penetration tester, automated pen testing tools excel at finding vulnerabilities that can be exploited through automated scripting, and they can be a worthwhile way to increase the frequency/value of automated checks between manual pen tests.
This piece explains the difference between automated scans and automated pen test tools and recommends ways to get the most from automated pen testing tools.
“Penetration testing” has always been a very nebulous category. The industry never provided a clear definition, and the offerings became even more fuzzy with labels such as vulnerability scanning, vulnerability assessments, application
testing, black box, grey box, white box, red teaming, purple teaming, PCI testing, etc. To complicate things further, vendors and consultants define each of these terms differently to address the latest marketing buzz.
What are the differences between automated scanning and manual testing:
READ: How to Use Pen-Test Reports to Improve Security
The gaps between automated scanning and manual testing have provided an opportunity for a hybrid offering known as “automated penetration testing.” Manual testing always involves some level of automated scanning to find the low-hanging fruit.
The results of these scans are then used to construct the attack plan for the manual testing. For example, experienced attackers will use the information from the scanner to choose the appropriate exploit, script and proper application.
Automated penetration testing works in a similar manner. It takes the results of vulnerability scans and constructs an applicable automated attack for the vulnerability identified (usually using information from tools like MITRE ATT&CK). Automated pen test tools provide a good way to increase the value of vulnerability scanners and the frequency of scripted penetration testing.
Automated vulnerability scanning capabilities are foundational to any information security program to identify known vulnerabilities across the environment. Over the past decades, we’ve seen numerous offerings in this space, but the market has leveled
While the network-and host-level scanners do a great job of addressing network and operating system vulnerabilities, testing applications at Layer 7 of the OSI model requires a different approach. As with network and host testing, application testing
starts with automated scanners, but often also requires manual testing and extensive experience to uncover related risks.
The challenge with web application scanners is there are often discrepancies in the findings based on the logic of the scanner. It is often wise to use multiple web application scanners to ensure optimal coverage.
As previously mentioned, “automated” penetration tools enable organizations to fill the gap of additional automation and scripting to exploit the vulnerabilities identified by the scanners without the need for manual expertise. It uses the
skill and expertise of annual pen testers and published frameworks such as MITRE ATT&CK to develop the methodology and automation to validate and demonstrate the risks of the vulnerabilities—without manual intervention.
Many experienced security professionals have strong opinions that penetration testing cannot, by definition, ever be fully automated, because anything that is fully automated is just a different type of vulnerability scanning. However, there is the opportunity
to bridge the gap between automated scanners and manual testing. To improve your chances of success with these tools, it’s important to understand:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.
September 26, 2023
By IANS Faculty
Access key data sets from the 2023 edition of IANS and Artico Search’s Security Budget Benchmark Report. Gain valuable insights on security budget increases and the drivers behind them.
September 21, 2023
Learn why CISOs Need D&O Liability Insurance Coverage now more than ever along with guidance to help minimize potential cyber liability risk.
September 19, 2023
Discover the diversity of IANS Faculty's real-world expertise. Learn how our faculty members can help you solve your most challenging security issues.