
Why Your Automated Pentesting Tool Just Hit a Wall

By Sila Ozeren Hacioglu, Security Research Engineer at Picus Security.

It's a story the security community knows well. You bring in a shiny new automated penetration testing tool, and the first "run" is a revelation. The dashboard lights up with critical findings, lateral movement paths you did not know existed, and a "Gotcha!" moment involving a legacy service account.

The Red Team feels like they've found a force multiplier; the CISO feels like they've finally automated the "human element" of security.

But then, the honeymoon ends.

On average, by the fourth or fifth execution, the "new" findings dry up. The tool begins reporting the same stale issues, and the once-shiny dashboard becomes just another screen delivering noise. This isn't just a lull in activity; it is the Validation Gap: the widening distance between what organizations actually validate and what they report as validated.

If you've started to feel like your automated pentesting tool is overpromising and underdelivering, you're experiencing a shift in the market. The industry is waking up to the fact that while automated pentesting is a powerful feature, it's an increasingly dangerous strategy when used in isolation.

The POC Cliff: Where Discovery Goes to Die

This pattern of an exciting first run with sharply diminishing returns by run four isn't anecdotal.

Security practitioners call it the Proof-of-Concept (PoC) Cliff: the steep drop in the volume of new findings once the tool has exhausted its fixed scope. It's not a tuning problem.

By design, automated pentesting solutions deliver their best results in the first run. Within a few cycles, the exploitable paths within their scope are exhausted. But that doesn't mean your environment is secure. It just means the tool has reached its limits, while deeper issues remain untested.

This is the structural ceiling of a tool operating against a deterministic surface. It's an architectural limitation, not an operational one.

Automated pentesting chains its steps. Step B depends on Step A, and Step C depends on Step B. Once you patch the specific path the tool favors, it is blocked at Step A, and Steps B through Z never execute. The tool might be able to test 20 lateral movement techniques, but if it gets stuck early in the chain, those techniques stay dark. You get the false sense of "mission accomplished" while the rest of your attack surface remains unprobed.


This is where Breach and Attack Simulation (BAS) draws a hard line.

BAS doesn't chain; it runs thousands of independent, atomic simulations. Each technique gets its own clean execution. A blocked exfiltration test over DNS doesn't prevent testing exfiltration over HTTPS next. A failed lateral movement technique doesn't stop the tool from testing 19 others.

One tests the path. The other tests the shield.
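To make the chaining argument concrete, here is a small added model (not Picus code and not from the original article) that scores one constructed chain of techniques two ways: chained, stopping at the first blocked step, and atomic, executing every technique on its own. The technique names and the blocked set are constructed labels, and the cliff simulation assumes the defender patches whatever the chained tool reports after each run.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Technique:
    name: str
    surface: str  # validation surface the step exercises (constructed labels)

# Constructed chain: each step depends on the one before it succeeding.
CHAIN = (
    Technique("initial_access", "infrastructure"),
    Technique("credential_dump", "identity"),
    Technique("lateral_move_smb", "network"),
    Technique("lateral_move_wmi", "network"),
    Technique("exfil_dns", "network"),
    Technique("exfil_https", "network"),
)

# Constructed control state: the techniques the current stack actually stops.
BLOCKED = frozenset({"credential_dump", "exfil_dns"})

def chained_run(chain, blocked):
    """Automated-pentest style: execute in order, stop at the first blocked step.
    Returns (names exercised, names that never executed)."""
    exercised = []
    for t in chain:
        exercised.append(t.name)
        if t.name in blocked:
            break
    dark = [t.name for t in chain[len(exercised):]]
    return exercised, dark

def atomic_run(chain, blocked):
    """BAS style: every technique runs independently and gets its own verdict."""
    return {t.name: ("blocked" if t.name in blocked else "allowed") for t in chain}

def validation_gap(chain, blocked):
    """Techniques the chained tool never reached that atomic testing shows are allowed."""
    _, dark = chained_run(chain, blocked)
    verdicts = atomic_run(chain, blocked)
    return [n for n in dark if verdicts[n] == "allowed"]

def findings_per_run(chain, blocked, runs=4):
    """Simulate the PoC cliff: after each chained run the defender blocks every
    allowed step the tool reached. Returns the number of new findings per run."""
    blocked = set(blocked)
    counts = []
    for _ in range(runs):
        exercised, _ = chained_run(chain, blocked)
        new = [n for n in exercised if n not in blocked]
        counts.append(len(new))
        blocked.update(new)
    return counts
```

With this constructed state the chained tool reports one finding on run 1 and nothing afterwards, while three techniques it never executed are still allowed by the controls.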

Automated pentesting maps attack paths. Picus validates the other five surfaces: detection rules, prevention controls, identity, cloud, and AI.


Clearing the Air: BAS vs. Automated Pentesting

To better understand the "why" of the PoC Cliff, we need to address a growing point of confusion in the industry. While Breach and Attack Simulation (BAS) and automated penetration testing share the broad goal of validation, they use different methods to answer different questions.

Think of BAS as a series of independent measurements. It continuously and safely emulates adversarial techniques, malware payloads, lateral movement, and exfiltration, to verify whether your specific security controls (firewalls, WAF, EDR, SIEM) are actually doing their jobs.

Its primary mission is to test whether your defenses are blocking or alerting on known threat behaviors. Each test stands alone as a check of your defensive strength.

Automated Penetration Testing, by contrast, is directional. It takes a more surgical, adversarial approach by chaining vulnerabilities and misconfigurations together the way a real attacker would. It excels at exposing complex attack paths, such as Kerberoasting in Active Directory or escalating privileges to gain a Domain Admin account.

Though both are often thought of as "validation methods," the two are fundamentally different in mission and outcomes. One tells you how strong your individual defenses are; the other tells you how far an attacker can travel despite them.

The "Simplicity" Trap: Why Pentesting Isn't BAS

Recently, some vendors have proposed the idea that automated pentesting can, and should, replace BAS. On paper, it sounds great.

In reality, this isn't an upgrade; it's a defense regression disguised as a simplification.

As we've just seen, automated pentesting and BAS tools answer fundamentally different questions. To secure a modern enterprise, you need the answers to both:

  • BAS asks: "Are my firewalls, EDRs, WAFs, and SIEMs actually doing their jobs across the entire MITRE ATT&CK framework?" It focuses on the effectiveness of your defensive controls.

  • Automated Pentesting asks: "Can an attacker get from Point A to Point B using known exploits?" It focuses on the success of specific attack paths.

Figure 1. Example Attack Chain Scenario: What Automated Pentesting & BAS Validates

If you swap BAS assessments for automated pentesting, you stop validating your prevention and detection stack.


You might know that an attacker can't reach your database via one specific exploit, but you have zero visibility into whether your EDR would even blink if they tried a different, non-exploitative technique.

The Six Blind Spots of the Modern Attack Surface

While marketing materials promise "comprehensive" coverage, the reality is that automated pentesting typically only scratches the surface of infrastructure and application paths.

Figure 2. Six Layers of an Organization's Attack Surface

As shown above, two surfaces get no coverage from automated pentesting. Four get partial coverage at best. Not a single surface is fully covered. That is 0 for 6 completely validated. This creates a massive validation gap where today's breaches are actually happening:

  1. Network & Endpoint Controls: Exploit paths are identified, but there is no confirmation of whether firewalls, WAF, IPS, DLP, or EDR are actually blocking the threats they're configured to stop. Controls fail silently, and "configured" is mistakenly equated with "effective."

  2. Detection & Response Stack: Automated pentesting has no visibility into whether SIEM rules and EDR detection logic actually fire. The tool runs as the attacker; it cannot observe the defender. Detection coverage is assumed, not measured.

  3. Infrastructure & Application Attack Paths: These tests often hit a "POC cliff." While infrastructure paths are mapped, complex application-layer attack chains vary in coverage and often remain open and accessible to adversaries.

  4. Identity & Privilege: Existing paths are traversed, but there is no systematic validation of Active Directory configurations, IAM policies, and privilege boundaries.

  5. Cloud & Container Environments: Dynamic Kubernetes policies and cloud security controls frequently remain dark and un-revalidated as configurations drift.

  6. AI & Emerging Technology: Critical guardrails for internal LLMs against jailbreaks, prompt injection, and adversarial manipulation remain completely unvalidated.


The Intelligence Layer: Exposure Validation & Prioritization

This cross-cutting layer unifies these silos. Matching theoretical CVEs against live security control performance strips out noise, turning the 60%+ of findings falsely labeled as high or critical down to the ~10% that are genuinely exploitable, reducing false urgency by over 80%, to produce one defensible, prioritized action list.

The Three Questions You Need to Ask

Understanding this gap is one thing; fixing it requires holding your validation vendors to a higher standard. To cut through the marketing hype and find out what a tool actually delivers, everything distills down to three fundamental diagnostic questions.

Bring them with you to every vendor meeting, every renewal conversation, and every budget review. They work because they're structural, not subjective. Any tool that answers all three with specificity and evidence deserves serious evaluation; any tool that can't has just shown you where your gap is.

  1. Which of my six validation surfaces does your tool cover, and at what scope within each?

  2. How does your platform distinguish exploitable vulnerabilities from theoretical ones, specifically using my live security control performance data?

  3. How does your platform normalize findings from my other tools into a single, deduplicated, prioritized view and action list?

The difference between "we chose not to validate this surface" and "we didn't realize it wasn't being validated" is the difference between risk management and exposure.

The Bottom Line

Your attack surface doesn't care which vendor's logo is on the tool.

It only cares whether it has been tested. If your current automated pentesting deployment is leaving critical surfaces in the dark, it's time to remap your strategy.

Our latest practitioner's guide, The Validation Gap: What Automated Pentesting Alone Can't See, provides the complete diagnostic framework you'll need to audit your own coverage, diagnose where your coverage plateaus, and build a unified validation architecture.


Start with the six surfaces. Score your own coverage. Knowing where your tools stop is how you decide where to go next.

Sponsored and written by Picus Security.
