When should automated penetration testing be supplemented with manual pen testing?

Automated pen testing is a helpful tool, but if you aren't rounding it out with manual testing, you may be missing client-specific vulnerabilities.

Russell Dean Vines

Published: 21 Feb 2007

I offer automated penetration testing to my customers. How and where should I supplement the automated pen testing with manual pen testing?

Automated pen testing has become a very in-demand offering, but a full-service security firm must round it out with manual testing. In fact, most RFPs I've seen these days require some sort of manual effort; it's rare to find a client that can be wholly satisfied with a purely automated procedure without supplementing it with manual penetration testing.

Automated scanners are built from a variety of code -- both open source and custom -- and are often focused on a specific vulnerability, so you'll need to employ several tools to cover a wide range of threats. Every automated procedure needs manual verification for false alarms, manual scanning for client-specific vulnerabilities, and you'll need to update your tools to detect new threats as they develop.

Due diligence requires you to employ every resource you can to protect your customer, and this means automatic and manual testing.

Dig Deeper on Cybersecurity risk assessment and management

automated testing Automated testing is a process that validates if software is functioning appropriately and meeting requirements before it is released into production.

How to build an enterprise penetration testing plan Simulating an attack against your network is one of the best ways to remediate security holes before the bad guys find them. Here, learn penetration testing basics and how it can help keep your enterprise safe.

pen test (penetration testing) Penetration testing, also called pen testing or ethical hacking, is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit.

Backup testing: What to test, when to test, how often to test We run the rule over what’s involved in backup testing in virtual and physical server environments, how often you should test and the key pitfalls to avoid

AWS penetration testing secrets for success AWS penetration testing must be done in both cloud and on-premises infrastructures. Cloud security expert Rob Shapland offers pointers for conducting a successful AWS pen test.

An intro to automated penetration testing In this exploratory article, expert Mike Chapple explains what automated penetration testing is, why it is useful and how to start building an enterprise penetration tester toolkit.

Related Q&A from Russell Dean Vines

Security for mobile broadband

While some SMBs are not securing their mobile broadband, there is good reason to do so, even if a customer has only a small amount of data to protect. Continue Reading

Understanding smurf attacks

A smurf attack can slow down a network to the point of shutting it down completely. Learn how to understand a full-scale smurf attack and how to ... Continue Reading

What are the network security risks of streaming video?

Streaming video and audio sites are frequently visited on both home computers and work computers. Learn about streaming video security risks and what... Continue Reading

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our IT Channel experts

View all IT Channel questions and answers

MicroscopeUK

Barracuda enjoys MSP growth

The firm has seen its MSP business improve over the last year and there are no signs that will slow down in the short-term

Lenovo lifts lid on SME demands for more flexibility

The vendor has found that a significant number of staff working for SMEs would like to get access to mobile and cloud computing ...

Brother pushing the security message

Printer vendor is educating partners around the need to cover off the security conversation with customers

SearchSecurity

DOJ takes action against Dridex malware group, Evil Corp

The U.S. Justice Department indicted two alleged members of the Russian threat group behind the Dridex banking Trojan, known as ...

Session cookie mishap exposed HackerOne private reports

A security researcher used a mishandled session cookie to access private HackerOne bug reports with an account takeover attack ...

NSS Labs drops antitrust suit against AMTSO, Symantec and ESET

NSS Labs dropped its antitrust suit against the Anti-Malware Testing Standards Organization, Symantec and ESET, ending a ...

SearchStorage

Samsung V-NAND SSDs designed for high capacity, speed, efficiency

Samsung's V-NAND chip breaks through existing 3D NAND cell stacking limits with the industry's first 100+ layers in a move ...

Portworx ships backup, capacity management for containers

Portworx's storage product tacks on PX-Backup and PX-Autopilot for Capacity Management modules for enterprises building stateful ...

Computational storage for IoT and other potential use cases

IoT is the main application for computational storage. Another potential use case is inside scale-out server architecture, but ...

SearchNetworking

Assess the Wi-Fi 6 features available in Wave 1 and Wave 2

Catch up on the different features available with the first wave of Wi-Fi 6, including OFDMA and Target Wake Time, and find out ...

3 networking startups rearchitect routing

Networking startups Arrcus, DriveNets and Volta Networks help service providers redefine routing in the data center and at the ...

A deep dive into the differences between 4G and 5G networks

Yes, 4G and 5G network architectures will differ, but organizations may not see change for some time. This feature explores 4G ...

SearchCloudComputing

Review these Azure Service Bus best practices

When applications talk, you need to listen. Learn about Microsoft's cloud messaging service, its main features, best practices to...

Instill cloud change management best practices

Automation is essential to change management in the cloud. Discover the best practices that ensure your IT team is in sync and ...

How much cloud does an IT disaster recovery plan need?

It's not easy to get the right mix of traditional and cloud-based DR resources. Here's how to strike a balance between what's ...

SearchDataManagement

Amazon cloud database and data analytics expand

AWS expands its Redshift data warehouse capabilities including managed storage and query acceleration at the re:Invent 2019 ...

Vendors move away from open source database software licensing

While open source is a key to success for many database vendors, it can also potentially lead to a competitive threat from a ...

Oracle looks to grow multi-model database features

Decade after decade, Oracle continues to be relevant in the database market as it pivots to include an expanding list of ...

SearchBusinessAnalytics

Sisense analytics platform update features AI, data prep tool

Augmented intelligence features and an in-warehouse data prep tool highlight Sisense's latest update, its second since acquiring ...

Operation Fistula uses data to treat childbirth injuries

Aided by an analytics stack developed by Exasol, nonprofit Operation Fistula is working to end obstetric fistula in targeted ...

Automated tools broaden the future scope of data science

Automated data science tools may make their way into the data science process, but are unlikely to ever be able to do everything ...

When should automated penetration testing be supplemented with manual pen testing?

Automated pen testing is a helpful tool, but if you aren't rounding it out with manual testing, you may be missing client-specific vulnerabilities.

Dig Deeper on Cybersecurity risk assessment and management

Related Q&A from Russell Dean Vines

Security for mobile broadband

Understanding smurf attacks

What are the network security risks of streaming video?

Have a question for an expert?

Start the conversation

0 comments

Please create a username to comment.

-ADS BY GOOGLE

MicroscopeUK

Barracuda enjoys MSP growth

Lenovo lifts lid on SME demands for more flexibility

Brother pushing the security message

SearchSecurity

DOJ takes action against Dridex malware group, Evil Corp

Session cookie mishap exposed HackerOne private reports

NSS Labs drops antitrust suit against AMTSO, Symantec and ESET

SearchStorage

Samsung V-NAND SSDs designed for high capacity, speed, efficiency

Portworx ships backup, capacity management for containers

Computational storage for IoT and other potential use cases

SearchNetworking

Assess the Wi-Fi 6 features available in Wave 1 and Wave 2

3 networking startups rearchitect routing

A deep dive into the differences between 4G and 5G networks

SearchCloudComputing

Review these Azure Service Bus best practices

Instill cloud change management best practices

How much cloud does an IT disaster recovery plan need?

SearchDataManagement

Amazon cloud database and data analytics expand

Vendors move away from open source database software licensing

Oracle looks to grow multi-model database features

SearchBusinessAnalytics

Sisense analytics platform update features AI, data prep tool

Operation Fistula uses data to treat childbirth injuries

Automated tools broaden the future scope of data science

Dig Deeper on Cybersecurity risk assessment and management

Related Q&A from Russell Dean Vines

Have a question for an expert?

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.