Automated vs. Manual Approach to Vulnerability Assessment, Penetration Testing (VAPT)

Published on : 24 Sep 2019

automated to manual approach to vapt

Before we go ahead with our topic to discuss Automated versus Manual Vulnerability Assessment, Penetration Testing(VAPT), let us first understand what is VAPT. Vulnerability Assessment and Penetration testing are security tests designed to identify and address cybersecurity vulnerabilities. While the Vulnerability assessment is a way of discovering security weaknesses within a system or an environment, the Penetration Testing checks for exploitable vulnerabilities, ease of exploitation, the extent of damage that can inflict after its exploitation within a system defined by the scope. In today’s article, we have discussed the pros and cons of automated versus manual approach to VAPT and which is the best method of approach to VAPT.

VAPT stands for Vulnerability Assessment and Penetration Testing. Vulnerability Assessment is a way of discovering and identifying security weaknesses within a system or an environment. Whereas Penetration Testing checks for exploitable vulnerabilities, ease of exploitation, the extent of damage that can inflict after its exploitation, etc within a system defined by the scope. The main distinction, however, could be a Vulnerability Assessment involves identifying as many vulnerabilities as possible, whereas a Penetration test is goal-oriented and is usually unconcerned with vulnerabilities which will exist.

Automated Approach to VAPT

The automated approach sounds enticing that only requires a tool to be deployed that runs in your environment and generates the result for you. However, with vulnerability assessment for assessing the networks or the systems is doable with a tool such as Nessus, which is a well-known commercial tool in the security industry which we use in our engagements. It’s plugins based tool which discovers vulnerabilities accordingly about the environment or the system. 

But for penetration testing the same cannot be said mostly, tools automatically can exploit the vulnerabilities they find but till what extent; will it try Denial of Service (DoS) on the system or offer a reverse shell back of an exploited system; Will it be able to exploit the vulnerability if found, but the payload is being blocked by an endpoint; will it be able to identify the change in parameter and keep exploiting until it gets exploited?

Let’s discuss some downfalls of automated tools, one thing to look out for is false positive running a tool which is improperly configured may or may not give the proper output that one expects. The worst-case scenario is the automated tool brings down the whole network or a critical system, which will not only halt the business but may cost them a lot of money due to downtime. Operating such tools also requires a knowledgeable person who can configure settings properly accordingly to their environment. It also requires the person to understand the report generated by the tool and makes some sense of it.

industry expert pen test

Manual Approach to VAPT

The manual approach depends purely on the ability of the tester. From one to another the skills may vary. This approach is the most common practice in the industry, as it brings out more of the business logic vulnerabilities rather than generic vulnerabilities which automated tools can also produce. This approach is time-consuming and costly, however, it is the most beneficial to an organization in finding business logic vulnerabilities were any automated tool cannot compete with.

In some high-security environments, where the consultant’s system may not be connected on the production network; Consultants may be provided with a system with a fresh copy of a pen-testing OS or you have limited tools to work it and not even automated tools. In such cases, it boils down to the capability of the tester and the years of experience a person has. However, false positives are not a concern in this approach as they are validated before giving in the report. Advantages to this approach are reliability and are focused on the scope of concern. Also, it can be stopped at any time, the tester is given clear and concise instructions to what extent the exercise shall be conducted. Example: a manual pen test can be stopped at any given moment or to what extent the tester can go; if a payload is getting blocked a tester can try encoding it differently in which case, the endpoint may probably fail to recognize and block the payload resulting in the command being executed successfully. Similarly, zero-day vulnerabilities can be discovered using this approach which is absolutely critical.

Downfalls; an inexperienced tester could miss out on vulnerabilities given to the client and later if the client gets hacked or has performed this exercise from another vendor and they give more result than the previous vendor, it might deteriorate a firm’s brand and more importantly, it would give the client a false sense of security. Here the tester can test as per his knowledge which is to an extent and miss out on things. This approach is time-consuming and not all assessments need to be done manually.

Best of Both Worlds

However, all assessments cannot rely on the automated approach or the manual approach exclusively. For example, each discovered vulnerability cannot be verified manually whether the patch or update is missing… this is an impossible task and also time-consuming. Hence automated tools came in place which discovers vulnerabilities and later is manually verified to find if any false positives were found in them.

Both have their pros and cons but realistically combining both approaches produce the best results: a result from an automated tool and a skill of the pen tester to identify the vulnerability to validate or exploit further carefully is the way. The automatic approach will cover most to all the well-known vulnerabilities in a short period than a tester can do manually, meanwhile, the tester can focus on the business logic vulnerabilities and later verify the vulnerabilities given by the automated tool. This approach saves both time and money for engagements and produces reliable results.




In our years of experience as a pen testing and consulting firm, the best of both worlds is a way to go. The manual approach will always be there no matter how much we look into the future. Surely Artificial Intelligence (AI) or automated tools can be a thing which will automate the drawbacks that but for certain assessments, it may be.

Our recommendation for a company newly doing a VAPT must hire an external firm to assess their environment or systems, these firms will give an accurate report about the security posture of your company. and where the data is critical, having an internal team can be in place for frequent assessments so no new if so, as quickly as possible before any harm can befall. Whereas for the smaller business that doesn’t have enough budget to spend on security can hire external firm once a while and harden their network and systems from any threats lurking. Another important aspect is that the manual pen testers need to upgrade their skill sets regularly and get security training periodically.

Having said that, in the end, if an organization needs to get compliant as per a regulatory standard then deciding which approach to use or having an internal team within an organization with the required tools is not applicable. As all regulatory standards mandates organizations to get assessed through a third-party assessor, an external pen testing firm, both the automated and manual approach to give the organization the effective output from the engagements. 

Have more questions Contact Vista InfoSec to speak to one of our Information Security Specialists.
If you need more information, feel free to visit (and subscribe) our YouTube Page.
Stay Connected

Narendra Sahoo
Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.