Home Events Pentest Robots – rocket fuel for pentesters, not their replacement

Pentest Robots – rocket fuel for pentesters, not their replacement

by Andra Zaharia

Reading time

9 minutes

Reading Time: 9 minutes

Let me say this from the start: full automation is the wrong approach for scaling penetration testing.

The whole “machines will replace humans” view doesn’t sit well with us. It’s too simplistic and it fails to capture the complexity and depth involved in security testing and the larger information security ecosystem.

So how come we launched pentest robots – an automation feature – at Black Hat Europe 2020?

Because we believe that automation shouldn’t be an all or nothing proposition.

Here’s our view, with personal remarks from Adrian Furtuna, our Founder and CEO, Adina Mihaita, our Customer Success Lead, Cosmin Tudor, one of our Software Developers who’s been focusing on the project for months, and Andrei Pitis, our Chairman of the Board, who captures the business context.

Crushing the automation cliché

People. Process. Technology.

These three components form the foundation of information security. You can’t have one without the others.

3 pillars of information security

However, what industry outsiders mostly see is the technology part. The majority of people want a magic bullet and hope that the right tech product will deliver it. But that’s not realistic, especially in infosec.

Security is such an intricate challenge, one so deeply dependent on human nature (people and the processes they design) that technology alone is insufficient. The much more viable and reliable approach is to automate the work that keeps humans from doing what they do best.

Here’s what we mean.

We know that penetration testers and highly skilled security pros deliver outstanding work because they use their subjective judgment to see what others don’t (assets, patterns, connections between security and business issues, etc.). There’s no way you can automate that.

The problem that technology can solve is one we’ve seen over and over again in the last 8 years of building Pentest-Tools.com: the huge volume of repetitive, manual work, waiting times, maintenance, writing scripts to chain tools, sifting through findings.

Because we don’t like to flaunt hype words and rather enjoy working quietly to solve pressing issues we know from experience, we’ve developed pentest robots to solve this problem.

The current state of Penetration Testing

The current state of Penetration Testing

 

Playing with the robots is so much fun, but there’s nothing more enjoyable for an engineer than the time saved for the users. I truly believe this feature will help specialists become even more efficient in their work.

Cosmin Tudor, Software Developer

What pentesters really need

What pentesters, consultants, and other specialists involved in security testing really need is more time.

More time to discover and exploit interesting vulnerabilities.

More time to design complex pentesting flows that combine tools according to their logic to surface unusual findings with high business impact. More time to develop exploits.

More time to find (better) clients and grow their business.

More time to read and do research. More time to train their teams.

More time to just let their minds roam free for a while. (And more time to sleep too!)

We’ve noticed that, despite their best efforts, some of our customers just don’t have time to take full advantage of some of our newer features, such as the Attack Surface view. Because they’re so pressed to solve specific issues, they sometimes focus on a single tool and don’t explore the full capabilities of our platform. We hope pentest robots will enable them to focus on more strategic areas of their work.

Adina Mihaita, Customer Success Lead

 

How we envision penetration testing

How we envision penetration testing

With pentest robots, we want to give our customers that invaluable time gain so they can experiment, grow, and level up in terms of skills and expertise. That’s why we’re helping them automate tasks and even processes to the extent they want.

The pentester in me is very happy to have such a toy to play with. While being fun to work with, pentest robots are actually a powerful automation feature which helps me decrease the repetitive work during a pentest and allows me to focus on the interesting aspects of the engagements.

Adrian Furtuna, Founder & CEO

In security testing, you can’t replace the critical thinker who uses their subjective judgment to identify unusual flaws or chain seemingly unrelated vulnerabilities to get elevated privileges.

A good pentester can never be replaced by a robot. But a robot can make them exponentially more effective. Here’s how.

Mainly, our clients want to automate or speed-up certain aspects of their work, such as vulnerability scans, or reporting. So far we’ve built scheduling and advanced reporting into the platform, constantly updating and improving them. With pentest robots, they can really leap in terms of productivity and efficiency.

Adina Mihaita, Customer Success Lead

Demo: how pentest robots work IRL

With this new feature, we continue to implement our vision of what viable, effective automation looks like in pentesting.

We just launched pentest robots at Black Hat Europe 2020 and they’re now available for all Pentest-Tools.com customers!

We have a unique advantage here in that we already have a range of pentesting tools integrated into our platform, tools which specialists previously had to run manually.

The pentest robots are a layer of automation that we added on top of these existing tools for an even smoother workflow. Building this feature was a natural step in the process of expanding and maturing our platform.

Adrian Furtuna, Founder & CEO

But enough of telling, it’s time to show you how this thing works!

In this demo, Adrian explains the why and how behind pentest robots, demonstrating exactly how to build and use pentest robots on a live target.

Before you hit play, here’s something to keep your eyes on, straight from inside the team:

The scalability and the speed of a recon robot might not be obvious at first, but the number of possible weaknesses it finds within minutes is truly impressive. It’s really fun to watch them digging around!

Cosmin Tudor, Software Developer


To get you started (and to honor our love for templates!), we’ve created 3 pentest robots you can use as soon as you log into Pentest-Tools.com. Here’s a quick recap of what they do:

  • Recon RobotDiscovers all subdomains of a target domain. Then it continues with full port scanning and service discovery. For each web port, it does recon to gather technologies and take screenshots. You can find all the data aggregated in the unified Attack Surface view.
  • Web Login Bruteforcer RobotIdentifies all the web ports of the target host. For each web port (80, 443, 8080, 8443, etc), it runs the URL Fuzzer using a list of common web interface URLs. For each login interface found, it runs the Password Auditor to find weak, common credentials.
  • Full Web Scanner Robot – Identifies all the web ports of a target host (80, 443, 8080, 8081, anything which speaks http/s). For each web port, it does a full Website Scan, searching for SQL injection, XSS, OS command injection, and all other vulns from OWASP Top 10 and more! Before it wraps up, this pentest robot produces an aggregated report with all the findings.

Imagine picking your targets, clicking “Scan with robot”, and tackling your backlog of tasks ( or taking a much-deserved break!) while they do all that work for you. How does that sound?

A reliable starting point for the Robots was the fact that Pentest-Tools.com possesses a great arsenal of tools. The Discovery Tools also play a huge role in the dynamic of a pentest robot. Pair that with the Vulnerability Scanners and you have a complex pentesting recipe.

Cosmin Tudor, Software Developer

And what really gets us excited is picturing how our customers will use their creativity, know-how, and experience to build robots that we probably never would’ve thought of!

Pentesters will be surprised to discover that the robots allow them to create some unique testing flows by combining the various tools, filters, and conditions available. For instance, they can create robots which test specific ports, targeted on specific technologies, containing only certain URLs or being owned by a specific company.

Adrian Furtuna, Founder & CEO

Pentest robots cater to that inner control freak inside every hacker out there (ourselves included). Combining deep customization with maximum efficiency is what we aimed for and continue to build towards. Pentest robots have just landed but the fun we can have with them is truly only starting!

How we’re developing pentest robots further

We like to keep things simple, realistic, and transparent. So we’re not shying away from admitting that, while the current type of pentest robots works for most pentesters, some specialists might want even more flexibility.

Improvements are already on our product roadmap and we’ll be rolling them out each month!

There is still some work we have to do to make creating pentest robots more intuitive.

Cosmin Tudor, Software Developer

At the moment, the logic blocks used to combine the tools are pretty basic (filters, AND/OR conditions) but we’re working on adding more logic capabilities so platform users can create more complex robots.

Adrian Furtuna, Founder & CEO

pentest-tools.com BH2020 Robot Creation

And it’s not just pentest robots that we’re working to enhance, as you can see in our monthly platform updates.

We get a lot of questions about notifications because our customers want to get alerts only if scan results meet certain criteria. They need more tools that can run without their supervision. So we’re working on improving and expanding our alerts to further reduce noise and save them more time.

Adina Mihaita, Customer Success Lead

How we actually do this is that we constantly get feedback from our customers and from the community. We also use the platform ourselves and keep our finger on the pulse of the industry. With an eye on the big picture and one on the details that make a difference, we strive for true performance.

It’s not an easy feat, but we love a good challenge!

What we’ve learned from building pentest robots

No matter how many years of experience you have under your belt, infosec always keeps you on your toes. That’s why we cultivate the student’s mindset, constantly learning, experimenting, and sharing what we know with the community.

We’re not afraid to admit that we sometimes struggle to find the ideal solution, but we always do our very best to deliver on our promise. Our customers’ trust in our business is something we deeply treasure, so we hold ourselves accountable for cultivating it.

There were a lot of challenges since the pentest robots represent an innovation in the security testing market. As any innovation, you don’t know if it’ll work or not from the start.

However, the main challenge for me was to design an intuitive robot creator tool (using an RPA-like, graphical approach) that enables a powerful combination of pentesting tools and functionality, while being easy to use and understand by all our customers.

Adrian Furtuna, Founder & CEO

Gain more time, but also more $$$

Now that we’ve geeked out about the new pentest robots, let’s talk business.

There’s a lot of untapped potential pentesters and other specialists involved in security testing can unlock with the right tools.

Pentesters and consultants are not just security specialists – they often wear the business owner hat too. We know they need more time to connect with business decision-makers who don’t see as far into the risk landscape as they do. It’s not just about writing compelling reports (although that’s a big part!), it’s about developing relationships built on trust and mutual respect.

Pitching services, getting budgets for pentests, approving payments for new tools – they all require clear and compelling communication. That’s the basis for progress and growth.

Information security becomes a foundational element for each and every business in the world. Starting with ever-changing data privacy compliance requirements and continuing with businesses becoming more digital – the security aspect encompasses almost every business decision. Good security brings not just peace of mind but also more business opportunities.

Andrei Pitis, Chairman of the Board

To deliver the kind of high-end, focused testing organizations require nowadays, pentesters need all the help they can get. Pentest robots provide that help, automating as much as 80% of manual pentesting tasks so specialists can focus their expertise on the 20% that makes all the difference.

The most pressure on our customers comes from the increasing demand for services from their own clients (internal or external). We aim to help them meet this demand without overhead by providing them with a range of options to automate repetitive tasks so they can focus on the ones that matter most.

Adina Mihaita, Customer Success Lead

It’s not just working with more complex, thrilling targets that are at stake. The pentesting market will be worth $4.5 billion by 2025, so there’s huge potential to generate more revenue and expand as well.

I believe in the mission of Pentest-Tools.com to supercharge the pentester’s powers with tools and workflows – like an exoskeleton of sorts. I also trust Adrian’s values as I’ve known for more than 10 years, back when we both worked at Ixia. I have accepted to serve as Chairman of the Board to help him grow the company even further.

Andrei Pitis, Chairman of the Board

As you can tell, we feel pretty strongly about our work and mission. That reflects in our team’s daily work which is focused on helping you deliver (better) work you genuinely enjoy.

 

Let us know how we’re doing!

Email your feedback

Related Posts

Pentest-Tools.com at Hackathon Innovation Labs

Why we continue to support young people find their way in infosec

Black Hat Europe 2019 Highlights

0 comments

Comments