Evaluating Your Security Controls? Be Sure to Ask the Right Questions

Testing security controls is the only way to know if they are truly defending your organization. With many different testing frameworks and tools to choose from, you have lots of options.

But what do you specifically want to know? And how are the findings relevant to the threat landscape you face at this moment?

“Decide what you want to know and then choose the best tool for the job.”

Security teams typically use several different testing tools to evaluate infrastructure. According to SANS, 69.9% of security teams use vendor-provided testing tools, 60.2% use pen-testing tools, and 59.7% use homegrown tools and scripts.

Vendor-provided tools test a specific security solution, whether a web application firewall (WAF), an EDR solution, or something else. Pen testing, by contrast, is frequently used to verify that controls meet compliance requirements such as those of PCI DSS, and is used by red teams as one part of broader testing assessments and exercises.

Automated pen tests help answer the question, “can an attacker get in?” They can help identify vulnerable or high-risk pathways into an environment, but they usually don’t cover the entire kill chain. They can emulate multiple threat…

