What is it?

Penetration testing, a.k.a. pen testing, involves a team of cyber security experts who attempt to break into your company’s network to find and exploit weaknesses and vulnerabilities in your systems. The purpose of this simulated attack is to identify any weak spots in a system’s defenses that attackers could take advantage of.

What are the types of pen test?

  • White box pen test - The hacker is provided with some information about the target company’s security ahead of time.
  • Black box pen test - The hacker is given no background information besides the name of the target company.
  • Internal pen test - The ethical hacker performs the test from the company’s internal network. This kind of test is useful in determining how much damage a disgruntled employee can cause from behind the company’s firewall.

What is Automated Penetration testing?

Automated penetration testing tests the vulnerability and risk of a machine automatically, and is much faster, more efficient, easier, and more reliable. One thing about this technology is that it does not require an expert engineer. It can be run by any person who has some knowledge of this field.

Why is Automated Pen testing good for small businesses?

Large businesses have the money and equipment to continuously hire experts to come in and do penetration testing; small businesses don't have this luxury.

Automated penetration testing helps small businesses save money in three areas:

  • not having to repeatedly hire experts to do the testing
  • avoiding the large hardware installations that come with it
  • detecting vulnerabilities faster

Top 3 Penetration Testing Software Tools for small businesses

Here is a list of pentesting software that the majority of small businesses are using. The tools are not listed in rank order.

1) Intruder

Intruder is a cloud-based vulnerability scanner that finds cyber security weaknesses in your digital infrastructure, to avoid costly data breaches.

Find your weaknesses before the hackers do

Vulnerability Dashboard

Network view - See how your systems look from an external perspective, and get alerts when exposed ports and services change.

2) sqlmap

Sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches ranging from database fingerprinting, through data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

3) Metasploit

Metasploit Pro is a penetration testing tool that increases penetration testers' productivity, prioritizes and demonstrates risk through closed-loop vulnerability validation, and measures security awareness through simulated phishing emails.

You can create a chain of tasks and automate them.

Lists of hosts that were scanned and the number of attacks and vulnerabilities.

This shows interactions, unique credentials captured, and hosts compromised.

Feature Comparison

Intruder                  | Sqlmap                                         | Metasploit
--------------------------+------------------------------------------------+----------------------------
Automated                 | Automated                                      | Automated
Enterprise grade security | Supports 40+ databases                         | 1800+ exploits
Continuous monitoring     | Six SQL injection techniques                   | 500+ payloads
Perimeter specific        | Specific Targeting                             | Meterpreter module
Active target discovery   | Supports dumping database tables               | Import network data scan
Network View              | Automatic recognition of password hash formats | Integrations via Remote API

In conclusion, penetration testing is often hard to implement, but the goal of this article is to provide the necessary information to make the best decision to meet your company’s needs.


Pierce Taylor, Software Engineer Intern at HacWare. HacWare measures risky cybersecurity behaviors and automates security education to help MSPs combat phishing attacks.

Learn more about HacWare at hacware.com