Pentest-Tools.com
Adrian Furtuna, Founder & CEO at Pentest-Tools.com
Automation is a hot and controversial topic in the information security industry.
We all know we need more automation to scale pentest operations in both volume and quality. But we also need to set realistic expectations for decision-makers, industry outsiders, and even for some of our peers. It's our responsibility to tell them "you can't automate everything."
In penetration testing, you can't replace the critical thinker who uses their subjective judgment to identify unusual flaws or chain seemingly unrelated vulnerabilities to get elevated privileges.
A good pentester can never be replaced by a robot. But a robot can make them exponentially more effective.
Enhancing automation with pentest robots
End-to-end automation is the wrong approach to scale pentesting, especially if you want to deliver outstanding work. I believe judicious automation is much more achievable and beneficial for everyone involved.
So what does that look like?
Boots on the ground, automation works really well for certain aspects of pentesting, like recon or identifying vulnerabilities. Stages focused on detecting known issues are the ones worth automating first. It's the fastest way to gain more time to work with complex attack vectors and assume an almost hybrid role that includes a business analyst's perspective.
We agree with Jason that "it's possible to automate tasks, but not the whole process."
This leaves a lot of potential untapped. So we looked at leveraging Robot Process Automation (RPA) to give pentesters the flexibility they need.
At Pentest-Tools.com, we envisioned pentesters could build visual testing flows to quickly automate their repetitive tasks and scale the power of their knowledge and expertise. So we built a custom RPA solution designed specifically for them.
Fast forward to today, pentesters can assemble and run custom software robots (which we call pentest robots) that deploy fully automated sequences to perform recon, password auditing, searching for known artifacts, full web scanning, and more. This means less time spent maintaining custom automation scripts. It means entire teams can use the robots to maintain consistency and quality across projects.
When mapping the attack surface and catching low hanging fruit are done automatically, pentesters have more time to dive into critical applications, multifaceted risks, and business implications.
Organizations with particularly valuable data assets need highly specialized penetration tests. They're often the ones with the highest complexity and the strongest regulatory context. To deliver the kind of high-end, focused testing they require, pentesters need all the help they can get. With our RPA-based pentest robots, they can automate as much as 80% of their pentesting tasks, so they can focus their expertise on the 20% that makes all the difference.
It's not just working with more complex, thrilling targets that's at stake. The pentesting market will be worth $4.5 billion by 2025, so there's huge potential for growth as well.
It's time for a more nuanced, judicious way to automate pentesting workflows. It's time to rely on pentesting robots to do the tedious work for you so you can do more of what really matters.