When should automated penetration testing be supplemented with manual pen testing?

Automated pen testing has become a very in-demand offering, but a full-service security firm must round it out with manual testing. In fact, most RFPs I've seen these days require some sort of manual effort; it's rare to find a client that can be wholly satisfied with a purely automated procedure without supplementing it with manual penetration testing.

Automated scanners are built from a variety of code -- both open source and custom -- and are often focused on a specific vulnerability, so you'll need to employ several tools to cover a wide range of threats. Every automated procedure needs manual verification for false alarms, manual scanning for client-specific vulnerabilities, and you'll need to update your tools to detect new threats as they develop.

Due diligence requires you to employ every resource you can to protect your customer, and this means automatic and manual testing.