Year in review: 2023 on Pentest-Tools.com

What you're about to see is a blend of worn-out keyboards, stubborn research, gallons of coffee, and a dash of frustration, all catalyzed by listening closely to what you, our customers, really want.

Mix all of these and you get more than a product, more than a team that’s growing a company on its own terms.

You get a sidekick who wants to see you succeed, whether you’re looking to get a promotion, build your own business, or learn the ropes as a new member of the team. 

Let’s see what was good in 2023! 

Top 5 launches on Pentest-Tools.com in 2023

We rolled out hundreds of improvements through our monthly updates this year, but let’s boil them down to our top five:

1. New tool: the API Vulnerability Scanner

In April, the powerful API Vulnerability Scanner went live - a tool our team developed to help you analyze and optimize API endpoints for reliability, and security. 

Built on the success of our custom Website Vulnerability Scanner, this tool delivers precise vulnerability detection and actionable insights for your APIs. 

Here’s our colleague, Mihai, who worked on the API Scanner, unpacking what it does - and how:

2. New tool: the Cloud Vulnerability Scanner

In June, we launched the Cloud Vulnerability Scanner, which uses proprietary, up-to-date detectors developed in-house to assess targets across multi-cloud environments (AWS, GCP, Azure) – both from the outside and from within.

 Hundreds of customers have used it since to discover and report exploitable vulnerabilities and misconfigs, bucket owners and users, interesting files in AWS S3 buckets (wp-config, backup, keys, etc.), and more. 

Carina and Ioana, who also presented the research behind this tool at DefCamp 2023, explain how it works:

3. New detections: 50 custom exploitation modules

In 2023, our research team developed 50 new exploitation modules for critical, complex CVEs that affect key technologies used worldwide.

These modules both provide precise detection through our Network Vulnerability Scanner and extract proof for validation through Sniper Auto-Exploiter.

This list of vulnerabilities includes exploits for:

• CVE-2023-4966 aka Citrix Bleed, the Citrix NetScaler Memory Leak

• CVE-2023-35078 - the Ivanti Endpoint Manager Mobile unauthenticated API access vuln (PoC exploit video)

• CVE-2023-22515 - the Atlassian Confluence authentication bypass

• CVE-2023-20273 - the RCE in Cisco IOS XE 

• CVE-2023-0669 - the RCE in GoAnywhere MFT 

• CVE-2023-46747 - the BIG-IP RCE

• CVE-2023-29357 - the Microsoft Sharepoint authentication bypass, and many more. 

Here’s David showcasing how one of these automatic exploits work vs manual exploitation: 

4. New detection engine: the Network Scanner also uses Nuclei

Making Nuclei one of the four engines of our Network Vulnerability Scanner brought with it the power of an entire community. It also expanded the list of CVEs the tool can detect to over 21.000!

Our security research team also gives back: it contributes to official Nuclei templates by improving and adding descriptions, as well as fixing false positives.

The Network Vulnerability Scanner also got a lot stronger this year with detectors we developed in-house for Rapid Reset,  the MOVEit Transfer SQL Injection (CVE-2023-34362 ), and the notorious Exim RCE (CVE-2023-42115), and many others. 

5. New free resource: vulnerable apps to test on Pentest-Ground.com

We know how difficult it is to find vulnerable apps you can hit again and again. So we built one - and launched it in August! 

Pentest Ground simulates a realistic vulnerable system exposed to the internet, so you can use it to: 

• test your tools against vulnerable web apps and network services 

• try out your skills in detecting and exploiting CVEs in various technologies 

• teach others offensive security techniques. 

Pentest Ground is free to use without authentication and deliberately includes vulnerabilities in technologies such as GraphQL, Redis, WebLogic, and more. 

There’s one more, BIG bonus update at the end of the article. But don’t skip to it just yet! 

1 scan every 6s in 2023 (and more Pentest-Tools.com numbers) 

In 2023, our customers got over 7.5 million findings from more than 5 million scans. That’s 1 scan every 6 seconds!

They saved invaluable time with over 1.5 million scheduled scans and by running almost 680.000 scans through our API. 

And they also enjoyed focused automation with over 470.000 scans executed with pentest robots. They preferred the: 

1. Website Scanner - All Ports pentest robot

2. Network Scanner - Full (domain) pentest robot

3. Log4Shell Detector (CVE-2021-44228) pentest robot

4. Treasure Hunter (host) pentest robot

5. Full WordPress Scan pentest robot

Using the findings and results they got from our tools, customers downloaded almost 64.000 reports in their preferred formats: PDF, customizable DOCX, HTML, XLSX, CSV, and JSON.

Now let’s talk about the top tools they used to make this happen. 

Top most used pentesting tools in 2023 - free and paid 

Out of the 20+ penetration testing tools on the platform, our customers constantly relied on these 10 to do their job - and knock it out of the park:

Top paid pentest tools on the platform

1. Network Vulnerability Scanner - over a million scans! 

2. TCP Port Scanner - almost 900.000 scans

3. Website Vulnerability Scanner - almost 650.000 scans

4. Subdomain Finder

5. SSL/TLS Vulnerability Scanner

6. Website Recon

7. Sniper: Auto-Exploiter

8. Domain Finder

9. WordPress Scanner

10. URL Fuzzer

And when it comes to our free arsenal, over 1 million people turned to these free pentest tools to level up their projects: 

Top free pentest tools on the platform

1. Website Vulnerability Scanner - with over 550.000 free scans 

2. TCP Port Scanner  - with almost 400.000 free scans 

3. Subdomain Finder - with over 230.000 free scans 

4. URL Fuzzer

5. Network Vulnerability Scanner

6. Whois Lookup

7. Find Virtual Hosts

8. Domain Finder

9. WordPress Scanner

10. SSL/TLS Vulnerability Scanner

Keep in mind these are the numbers until now, and 2023 isn’t over yet! 

We spent a lot of time this year beefing up our platform under the hood so it can successfully run the new features we’re launching in 2024, so keep an eye out for what’s coming!

Top 5 most read pentesting guides on the blog in 2023

We cast our net far and wide to extract practical wisdom from our team members and the offensive security community. 

Your reading preferences showed us, once again, that your appetite for specific methods to elevate your work - and thinking - are what you need.  

1. Securing your Laravel application: a comprehensive guide

2. Pro tips from 10 ethical hackers for stellar reports

3. Thinking outside the box: 3 creative ways to exploit business logic vulnerabilities in pentests

4. Phishing a company through a 7-Zip misconfiguration

5. 3 initial access tactics to simulate in your penetration tests

In November we also launched the We think we know podcast, a great resource to expand your mindset and skills with input from some of the best hackers in the world:

Top “what you can do with Pentest-Tools.com” videos in 2023

Because tools are only as powerful as how you use them, we created more guides about how to max out Pentest-Tools.com. (We’re doubling down on this next year!) 

1. Every way to generate a scan report from Pentest-Tools.com

2. Internal security assessment with Pentest-Tools.com

3. Manage your pentest findings like a smooth operator

In June we also started doing monthly video updates - along with the email versions our customers get. Options - you got ‘em!  

2023 events and community support 

OffensiveCon 2023 in Berlin

Supporting and sponsoring OffensiveCon 2023 this year was a thrilling deep-dive into the world of ethical hacking and vulnerability research!

Some of the key moments for us include:

• watching Dave Aitel deliver an awe-inspiring keynote, delving deep into the pivotal role of ethical hackers in today's ecosystem

• spotting a fellow enthusiast proudly donning a Pentest-Tools.com T-shirt he got at DefCamp 2022, featuring one of our most beloved taglines

• exchanging greetings with the legendary Marc Rogers from DEF CON

• meeting Maddie Stone IRL and basking in the awesomeness of her research

• personally experiencing Yarden Shafir's remarkable teaching abilities

• meeting fellow ethical hackers with exceptional talent, experience, and focus.

OffensiveCon was an immersive experience that not only stayed true to hacker culture but also provided unrivaled exposure to cutting-edge vulnerability research.

If you're interested in this space or actively work in offensive security, we encourage you to make attending this event an absolute priority in 2024!

DefCamp #13 in Bucharest 

DefCamp is always one of the best opportunities to reconnect with the cybersecurity community! 

From meeting old friends and making new ones to levelling up with top-notch research from all over the world - it’s an unmissable event.  

We joined speakers and attendees from 40 countries both on-stage and off, we talked to dozens of peers and demonstrated the cool stuff we've been building, and gave away a lot of cool, exclusive merch.

It’s been a pleasure to sponsor this event for years and definitely a streak we intend to keep! 

Bonus: we launched our free plan! 

If you’re one of the 1 million+ people who use our free tools every year and ever wanted to:

• see all of them in the same place

• keep a list of assets to scan

• store your results for up to 30 days 

• and run 2 scans in parallel

Now’s your chance! 

We’ve made this happen with our free plan for which anyone can sign up! 

A free account gives you access to our arsenal of tools and features - with some limitations, of course.

Let’s dig deeper, pop shells, and have fun in 2024! 

And there you have it - a rollercoaster of a year at Pentest-Tools.com! 

Thanks for joining us on this hack-tastic journey. 

Here's to more exploits, more coffee, and yes, even more keyboard wear in 2024.

Until then, have a peaceful end of your year!