Year in review: 2023 on Pentest-Tools.com

What you're about to see is a blend of worn-out keyboards, stubborn research, gallons of coffee, and a dash of frustration, all catalyzed by listening closely to what you, our customers, really want.

Mix all of these and you get more than a product, more than a team that’s growing a company on its own terms.

the Pentest-Tools.com team at DefCamp 2023

You get a sidekick who wants to see you succeed, whether you’re looking to get a promotion, build your own business, or learn the ropes as a new member of the team.

Let’s see what was good in 2023!

Top 5 launches on Pentest-Tools.com in 2023

We rolled out hundreds of improvements through our monthly updates this year, but let’s boil them down to our top five:

1. New tool: the API Vulnerability Scanner

In April, the powerful API Vulnerability Scanner went live - a tool our team developed to help you analyze and optimize API endpoints for reliability, and security.

Built on the success of our custom Website Vulnerability Scanner, this tool delivers precise vulnerability detection and actionable insights for your APIs.

Here’s our colleague, Mihai, who worked on the API Scanner, unpacking what it does - and how:

NEW API Vulnerability Scanner on Pentest-Tools.com

2. New tool: the Cloud Vulnerability Scanner

In June, we launched the Cloud Vulnerability Scanner, which uses proprietary, up-to-date detectors developed in-house to assess targets across multi-cloud environments (AWS, GCP, Azure) – both from the outside and from within.

Hundreds of customers have used it since to discover and report exploitable vulnerabilities and misconfigs, bucket owners and users, interesting files in AWS S3 buckets (wp-config, backup, keys, etc.), and more.

Carina and Ioana, who also presented the research behind this tool at DefCamp 2023, explain how it works:

NEW Cloud Vulnerability Scanner on Pentest-Tools.com

3. New detections: 50 custom exploitation modules

In 2023, our research team developed 50 new exploitation modules for critical, complex CVEs that affect key technologies used worldwide.

These modules both provide precise detection through our Network Vulnerability Scanner and extract proof for validation through Sniper Auto-Exploiter.

This list of vulnerabilities includes exploits for:

CVE-2023-4966 aka Citrix Bleed, the Citrix NetScaler Memory Leak
CVE-2023-35078 - the Ivanti Endpoint Manager Mobile unauthenticated API access vuln (PoC exploit video)
CVE-2023-22515 - the Atlassian Confluence authentication bypass
CVE-2023-20273 - the RCE in Cisco IOS XE
CVE-2023-0669 - the RCE in GoAnywhere MFT
CVE-2023-46747 - the BIG-IP RCE
CVE-2023-29357 - the Microsoft Sharepoint authentication bypass, and many more.

Here’s David showcasing how one of these automatic exploits work vs manual exploitation:

How to get RCE in Confluence’s latest CVEs - CVE-2023-22515 & CVE-2023-22518

4. New detection engine: the Network Scanner also uses Nuclei

Making Nuclei one of the four engines of our Network Vulnerability Scanner brought with it the power of an entire community. It also expanded the list of CVEs the tool can detect to over 21.000!

NEW detection engine in our Network Scanner: Nuclei

Our security research team also gives back: it contributes to official Nuclei templates by improving and adding descriptions, as well as fixing false positives.

The Network Vulnerability Scanner also got a lot stronger this year with detectors we developed in-house for Rapid Reset, the MOVEit Transfer SQL Injection (CVE-2023-34362 ), and the notorious Exim RCE (CVE-2023-42115), and many others.

5. New free resource: vulnerable apps to test on Pentest-Ground.com

We know how difficult it is to find vulnerable apps you can hit again and again. So we built one - and launched it in August!

Pentest Ground simulates a realistic vulnerable system exposed to the internet, so you can use it to:

test your tools against vulnerable web apps and network services
try out your skills in detecting and exploiting CVEs in various technologies
teach others offensive security techniques.

Pentest Ground is free to use without authentication and deliberately includes vulnerabilities in technologies such as GraphQL, Redis, WebLogic, and more.

There’s one more, BIG bonus update at the end of the article. But don’t skip to it just yet!

1 scan every 6s in 2023 (and more Pentest-Tools.com numbers)

In 2023, our customers got over 7.5 million findings from more than 5 million scans. That’s 1 scan every 6 seconds!

They saved invaluable time with over 1.5 million scheduled scans and by running almost 680.000 scans through our API.

And they also enjoyed focused automation with over 470.000 scans executed with pentest robots. They preferred the:

Website Scanner - All Ports pentest robot
Network Scanner - Full (domain) pentest robot
Log4Shell Detector (CVE-2021-44228) pentest robot
Treasure Hunter (host) pentest robot
Full WordPress Scan pentest robot

Using the findings and results they got from our tools, customers downloaded almost 64.000 reports in their preferred formats: PDF, customizable DOCX, HTML, XLSX, CSV, and JSON.

Now let’s talk about the top tools they used to make this happen.

Top most used pentesting tools in 2023 - free and paid

Out of the 20+ penetration testing tools on the platform, our customers constantly relied on these 10 to do their job - and knock it out of the park:

Top paid pentest tools on the platform

Network Vulnerability Scanner - over a million scans!
TCP Port Scanner - almost 900.000 scans
Website Vulnerability Scanner - almost 650.000 scans
Subdomain Finder
SSL/TLS Vulnerability Scanner
Website Recon
Sniper: Auto-Exploiter
Domain Finder
WordPress Scanner
URL Fuzzer

And when it comes to our free arsenal, over 1 million people turned to these free pentest tools to level up their projects:

Top free pentest tools on the platform

Website Vulnerability Scanner - with over 550.000 free scans
TCP Port Scanner - with almost 400.000 free scans
Subdomain Finder - with over 230.000 free scans
URL Fuzzer
Network Vulnerability Scanner
Whois Lookup
Find Virtual Hosts
Domain Finder
WordPress Scanner
SSL/TLS Vulnerability Scanner

Keep in mind these are the numbers until now, and 2023 isn’t over yet!

We spent a lot of time this year beefing up our platform under the hood so it can successfully run the new features we’re launching in 2024, so keep an eye out for what’s coming!

We cast our net far and wide to extract practical wisdom from our team members and the offensive security community.

Your reading preferences showed us, once again, that your appetite for specific methods to elevate your work - and thinking - are what you need.

In November we also launched the We think we know podcast, a great resource to expand your mindset and skills with input from some of the best hackers in the world:

We think we know - A Pentest-Tools.com podcast

Top “what you can do with Pentest-Tools.com” videos in 2023

Because tools are only as powerful as how you use them, we created more guides about how to max out Pentest-Tools.com. (We’re doubling down on this next year!)

In June we also started doing monthly video updates - along with the email versions our customers get. Options - you got ‘em!

Product updates June 2023 - new on Pentest-Tools.com

2023 events and community support

OffensiveCon 2023 in Berlin

Supporting and sponsoring OffensiveCon 2023 this year was a thrilling deep-dive into the world of ethical hacking and vulnerability research!

Some of the key moments for us include:

watching Dave Aitel deliver an awe-inspiring keynote, delving deep into the pivotal role of ethical hackers in today's ecosystem
spotting a fellow enthusiast proudly donning a Pentest-Tools.com T-shirt he got at DefCamp 2022, featuring one of our most beloved taglines

OffensiveCon attendees wearing the Pentest-Tools.com T-Shirts

exchanging greetings with the legendary Marc Rogers from DEF CON
meeting Maddie Stone IRL and basking in the awesomeness of her research
personally experiencing Yarden Shafir's remarkable teaching abilities
meeting fellow ethical hackers with exceptional talent, experience, and focus.

our team attending OffensiveCon OffensiveCon was an immersive experience that not only stayed true to hacker culture but also provided unrivaled exposure to cutting-edge vulnerability research.

If you're interested in this space or actively work in offensive security, we encourage you to make attending this event an absolute priority in 2024!

DefCamp #13 in Bucharest

DefCamp is always one of the best opportunities to reconnect with the cybersecurity community!

From meeting old friends and making new ones to levelling up with top-notch research from all over the world - it’s an unmissable event.

our team on the DefCamp stage

We joined speakers and attendees from 40 countries both on-stage and off, we talked to dozens of peers and demonstrated the cool stuff we've been building, and gave away a lot of cool, exclusive merch.

It’s been a pleasure to sponsor this event for years and definitely a streak we intend to keep!

DefCamp #13 - lucky breakthroughs, not so random encounters & exclusive merch

Bonus: we launched our free plan!

If you’re one of the 1 million+ people who use our free tools every year and ever wanted to:

see all of them in the same place
keep a list of assets to scan
store your results for up to 30 days
and run 2 scans in parallel

Now’s your chance!

We’ve made this happen with our free plan for which anyone can sign up!

A free account gives you access to our arsenal of tools and features - with some limitations, of course.

Create your free Pentest-Tools.com account

Try it out now

Let’s dig deeper, pop shells, and have fun in 2024!

And there you have it - a rollercoaster of a year at Pentest-Tools.com!

Thanks for joining us on this hack-tastic journey.

Here's to more exploits, more coffee, and yes, even more keyboard wear in 2024.

Until then, have a peaceful end of your year!