We get asked more than one would think about the ability to run an “automated penetration test”. Today, we discuss what can be automated vs. what can not be automated and what you should consider before subscribing for automated penetration testing.
What is an “automated penetration test”?
We have seen plenty of companies touting automated penetration tests but this should make you a little skeptical. Often times, what you are getting is essentially a vulnerability scan. Now don’t get me wrong, the technology is definitely improving and we are getting closer to automating more aspects of a standard penetration test. But we have yet to see the ability to fully automate a penetration test, as the most important part of that testing is the analysis and approach of the tester themselves.
These automated penetration tests scan your network, applications, etc. and look for common vulnerabilities, unpatched versions of software, outdated operating systems, and so on. This is certainly a starting point for less mature companies or companies with no dedicated security team. Oftentimes, this could even check your box for an audit or third party vendor assessment. However, this approach lacks the manual aspect of a typical penetration test, which is where you really get your bang for your buck to truly evaluate your risk from an attacker’s perspective.
What is the difference between a traditional penetration test?
Generally speaking, 25% of our penetration tests are automated by leveraging tools and custom scripts that help speed up the process and the other 75% is manual. The manual aspect is truly what separates a real penetration test from the automated penetration test, as this includes things such as custom password attacks, chained exploits, manual investigation/analysis, spoofing attacks, and truly emulating a threat actor, as opposed to a machine that is only as smart as what it is told to do based on a series of if/else statements.
Ultimately, every auditor, third party vendor, compliance assessor, consultant, etc. will have a different opinion on what satisfies a penetration testing requirement. If you are looking to check a box, then an automated penetration test could be an option for you. But if you are truly looking to gauge your risk, we highly recommend having a professional penetration tester or team engaged on your project to perform a real penetration test with the traditional manual elements.
We certainly believe in the usage of technology enhancements and automation to streamline parts of assessments. These tools can help ensure a tester follows the same process every time, doesn’t miss anything, weeds out false positives, completes a test efficiently, etc. We do not see penetration testing being fully automated any time soon, where you’d get equivalent results to a traditional test.
Have questions or want to discuss a penetration test? Reach out today and we would be happy to assist.