What is our primary use case?
My main use case for Pentest-Tools.com is primarily utilizing the tool for vulnerability assessment, external attack surface analysis, and security validation activities. The platform is useful for my project for quickly identifying security weaknesses in internal-facing, internet-facing, and externally-facing assets and supporting pen testing workflows without any kind of extensive setup or infrastructure.
The types of assets I am focusing on are both internal assets and external assets. For internal assets, I have used vulnerability management solutions, carried out vulnerability assessments, and gathered vulnerability details so that I can prioritize the vulnerabilities. For external assets or internet-facing assets, the criticalities of the vulnerabilities are very severe, and that is why a pen test is required to showcase the exploitation of the vulnerabilities and also to create a pen test report, which demonstrates how external attacks can happen on those assets. For that purpose, I have used Pentest-Tools.com.
Apart from vulnerability assessments, I also focus on network security validation, web application security testing, and reconnaissance and asset discovery, which have all been accomplished using that tool.
What is most valuable?
The best features that Pentest-Tools.com offers include vulnerability scanning, which I have used extensively. The platform provides scanning using useful templates for all assets, whether internal or external-facing. Additionally, it can deliver external attack surface visibility, allowing me to get proper visibility of the assets and identify potential exposures of risks in the external attack surface. Furthermore, I have included some web applications in my project scope, and the platform offers useful web application testing capabilities that can help identify common application security weaknesses and follow the OWASP Top 10 to identify vulnerabilities and weaknesses, which are the primary use cases I have utilized in my project using that tool.
Pentest-Tools.com has positively impacted my organization in two significant ways. First, asset discovery and reconnaissance help provide all of the weaknesses and data of the applications under CMDB, as well as the state of the applications or servers in scope, which is very useful when preparing a plan for a vulnerability assessment. Second, exposure management or external attack surface management is valuable for external assets or internet-facing assets, helping gather all the vulnerabilities and weak points while providing a comprehensive report that assists the remediation team in acting on the vulnerabilities as soon as possible.
What needs improvement?
Pentest-Tools.com could improve in a couple of areas. First, the reporting flexibility could be enhanced. Second, there should be additional automation for remediation tracking since it currently lacks automation for this, requiring me to track remediations manually using the reports. Third, deeper integration with vulnerability management workflows could be beneficial, as I should have more options for integrating the tool with other security pen testing or application scanning tools.
Regarding Pentest-Tools.com's AI capabilities, I believe there should be proper boundaries managed by their team in terms of governance and security, especially when the tool provides false positive vulnerabilities. These should also be detected on the governance side and resolved within the tool rather than manually, indicating an area for improvement in governance and compliance.
In terms of the accuracy and reliability of Pentest-Tools.com's AI-generated output, I feel it can provide comprehensive output and reports. However, as it is AI-generated, the pentester or user should thoroughly check and validate the output before presenting it to stakeholders or the remediation team.
For how long have I used the solution?
I have used Pentest-Tools.com for almost one year for an offensive security project.
What do I think about the stability of the solution?
In my experience, Pentest-Tools.com is quite stable, and I have had a good experience using the tool without any significant downtime or reliability issues.
What do I think about the scalability of the solution?
Pentest-Tools.com's scalability is impressive. It has handled more than 50,000 assets effectively, and although I am unsure how it will perform with an asset count exceeding 100,000 or 200,000, my experience indicates that it is quite good and scalable.
How are customer service and support?
I have not worked on the implementation side of Pentest-Tools.com, but I have contributed from the operations perspective. Regarding customer support, I have reached out to them for assistance with some false positive issues, and they have been very cooperative and supportive in resolving those issues, indicating a good and helpful customer support experience.
Which solution did I use previously and why did I switch?
I have used many solutions for various project engagements, including Qualys, Tenable, Rapid7, and
InsightVM, but I have not changed anything. The decision to adopt Pentest-Tools.com was based on customer requirements, leading to the implementation of this tool in my project.
Which other solutions did I evaluate?
I have not evaluated any other options before choosing Pentest-Tools.com, as it was the client's expectation for me to adopt this tool.
What other advice do I have?
My advice for others considering Pentest-Tools.com is that if you are working in vulnerability management or any kind of offensive security project with numerous internet-facing applications alongside internal applications, and you want to highlight the risks in real-time, you can adopt this tool to protect your organization and focus on managing the risks effectively. I would rate Pentest-Tools.com a seven out of ten based on my experience with various vulnerability solutions. I choose a seven because Pentest-Tools.com is pretty good, but there are some flaws, such as the integration issues and the lack of automation for remediation tracking, which lead me to reduce three points from a perfect score of ten.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?