Understanding Automated vs. Manual Penetration Testing

During the scoping process of engagements, we often hear questions such as “what is a penetration test?” and “what does a team of penetration testers actually do?” The most straightforward answer is that we mimic what cybercriminals do to gain access to your network, except we show you what we did to break in and how to defend yourself against it. This process is important because cybercriminals can penetrate 93 percent of company networks[1]. There are two types of penetration test: automated and manual. To get a complete picture of your organization’s security posture, a combination of both testing procedures is recommended. Performing both types of tests will provide the best insights to prevent future issues.

An automated penetration test leverages tools and processes to scan systems for common vulnerabilities. However, it only provides a quick analysis of a website’s or network’s vulnerability status. A fully automated penetration test provides only limited insight into an organization’s threats. “A good penetration tester will use their instincts and, based on the results, may opt to go into testing further in an unexpected direction,” said Jon Oltsik, analyst at Enterprise Strategy Group, a division of TechTarget (Pros and cons of manual vs. automated penetration testing, 2022)[2].

Comprehensive penetration tests require time. While automated tools and techniques are used during these assessments, the most impactful findings are uncovered during the manual testing of systems. In fact, automated penetration testing remains limited in function and cannot be deployed for every testing scenario[2]. Expert analysis of penetration testing reports where only computerized tools are used (an automated penetration test) exposes stark limitations in the discovery of vulnerabilities during an assessment. Mimicking the tactics, techniques, and procedures (TTPs) used by cybercriminals is the hallmark of a high-quality, effective manual penetration test.

The Cybersecurity team at Elliott Davis utilizes the NIST 800-115 standard and the Penetration Testing Execution Standard (PTES) for scoping and executing our services for our customers. These systematic approaches provide the framework for delivering high-quality, effective penetration tests. Our team further differentiates our services with quality customer interaction throughout the engagement. We provide active communication, allowing customers to engage with the penetration testers directly, and we alert customers when critical issues arise. Many team members have been security practitioners in previous roles, and we know that waiting for a report is the wrong approach for this information. We understand the timeliness of critical findings for our customers, and our customers appreciate our ability to relay issues with the proper technical depth for the audience. We invite you to connect with us to learn more about the value we bring to meet your cybersecurity needs.



[1] https://www.forbes.com/sites/chuckbrooks/2022/06/03/alarming-cyber-statistics-for-mid-year-2022-that-you-need-to-know/?sh=5c284edb7864

[2] https://www.techtarget.com/searchsecurity/feature/Pros-and-cons-of-manual-vs-automated-penetration-testing