
Rethinking Automated Penetration Testing: Why Validation Changes Everything

Written by Picus Labs | Feb 13, 2025 12:05:02 PM

Penetration testing has long been a core practice in cybersecurity, but the way that organizations conduct these assessments is changing. In a recent webinar featuring cybersecurity expert Hector Monsegur, we discussed a critical shift: how combining automated penetration testing with attack path mapping and validation can elevate security operations. 

Understanding Traditional Penetration Testing

Penetration testing has been around since the 1990s. Traditionally, the process involves several stages. First, identify assets, scan for open services and ports, and look for misconfigurations or vulnerabilities. Next, validate the findings by confirming that they can actually be exploited. The most advanced step in a manual penetration test is correlating vulnerabilities: two medium-severity findings can pose a critical risk when chained together. This is the step that basic vulnerability scans most often miss.

While manual penetration testing provides valuable insights, it has significant limitations. The assessments are point-in-time and quickly become obsolete by the time the results are delivered. They are also time-consuming and resource-intensive, making them difficult to scale for large organizations. The lack of continuous visibility leaves security teams in the dark, struggling to keep pace with emerging threats.

"If I give you a report on January 1st, by January 5th, that report is obsolete."
- Hector Monsegur, Director of Research at Alacrinet

The Rise of Automated Penetration Testing

“60% of organizations will use automated penetration testing tools by 2025.” -Gartner

Due to the limitations of manual penetration testing, many organizations turn to automated penetration testing for speed, scalability, and continuous assessment. Automated penetration testing replicates real-world cyberattacks, scanning for misconfigurations, testing access controls, and assessing how an attacker could move within a network. These tools eliminate the manual effort of repetitive tasks, making testing more efficient.

“People often ask, 'What do you want to automate in pen testing?' The answer isn’t always clear, and that’s where the struggle begins."
- Gürsel Arıcı, Director of Solution Architect

While automated pen-testing offers numerous advantages, it’s not without its challenges. Similar to manual testing, automated penetration testing tools need to be updated frequently for emerging threats, zero-day vulnerabilities, and new adversary techniques.

One of the major challenges with automated penetration testing is the lack of context. Automated tools can generate lengthy reports that are overwhelming on their own: you might get a 100-page report and be left wondering what to do with it. A report full of vulnerabilities does not by itself translate into meaningful security improvements.

That’s where attack path mapping comes in.

Attack Path Mapping: A Necessity for Defenders

Attack path mapping visually represents how attackers move through a network, identifying the routes they could take to achieve their objectives. Unlike traditional scanning, which focuses on isolated vulnerabilities, attack path mapping looks at how weaknesses interact with each other, revealing critical choke points where multiple attack paths converge.

For example, a simple misconfiguration such as not requiring Server Message Block (SMB) signing might be rated as a medium severity issue in a vulnerability scan. Combined with another misconfiguration, such as a broadcast name-resolution protocol (LLMNR or NBT-NS) left enabled, it becomes a critical attack vector: an attacker on the local network can poison name resolution, capture a user's NTLM authentication, and relay it to any host that does not require signing. Note that signing has to be required, not merely enabled, for the relay to fail. Without attack path mapping, these two findings are never looked at together.

This approach moves security from a list-based view of vulnerabilities to an adversary-driven view, helping teams understand the full attack chain rather than just individual weaknesses.

However, simply mapping the attack paths alone is not enough. It’s one thing to visualize how an attacker could move through an environment, but would they actually succeed? Defenders need to verify these paths to determine whether or not they would actually be exploitable.

Attack Path Validation: Bringing Exploitability into Focus

Attack path validation takes theoretical risks and applies real-world attack techniques to determine if security gaps can actually be exploited. This method combines automated penetration testing and attack path mapping, ensuring that teams are not wasting resources fixing vulnerabilities that pose no real risk; instead, they focus on those with the biggest impact.

Real-world adversaries don’t scan and exploit every vulnerability they find. They have a goal. Whether it’s gaining domain credentials, moving laterally to access critical systems, or deploying ransomware, their approach is calculated. Attack path validation reflects this objective-driven behavior, following the same strategies that real attackers use to achieve their objectives.

“The adversary only needs to be right once.”
– Hector Monsegur

This is why prioritization matters. Attack path validation ensures that defenders don’t waste time on every vulnerability that an automated test finds. Instead, it focuses on the high-risk attack paths that make the greatest impact.
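The following is an added example, not code from the webinar or from Picus, that puts the two ideas above into working form: it maps attack paths through a small environment (the LLMNR-to-NTLM-relay chain from the SMB signing example, plus two other routes to the domain controller), shows that a chain built only from medium-rated findings still ends at domain admin, drops the paths that a validation run could not actually exploit, and ranks the remaining findings by how many validated paths fixing each one would break. The hosts, finding names, scanner ratings and validation results are all constructed for illustration.

```python
"""Attack path mapping and validation over a small constructed environment.

Added example (not from the page or from Picus). Every host, finding,
scanner rating and validation result below is made up for illustration.
"""
from collections import Counter

# One attacker step per edge: (from_state, to_state, technique, findings it depends on).
# The first two edges mirror the LLMNR poisoning -> NTLM relay chain in the text.
EDGES = [
    ("foothold",       "ws01_user_hash", "LLMNR/NBT-NS poisoning",     {"llmnr_enabled"}),
    ("ws01_user_hash", "srv01_admin",    "NTLM relay to SMB",          {"smb_signing_not_required"}),
    ("foothold",       "srv01_admin",    "exploit unpatched service",  {"srv01_missing_patch"}),
    ("foothold",       "sql_svc_tgs",    "Kerberoasting",              {"sql_svc_has_spn"}),
    ("sql_svc_tgs",    "sql01_admin",    "offline TGS cracking",       {"sql_svc_weak_password"}),
    ("srv01_admin",    "dc01_admin",     "local admin password reuse", {"local_admin_reuse"}),
    ("sql01_admin",    "dc01_admin",     "local admin password reuse", {"local_admin_reuse"}),
]

# What a vulnerability scanner reports for each finding in isolation (constructed).
SCANNER_RATING = {
    "llmnr_enabled": "medium",
    "smb_signing_not_required": "medium",
    "srv01_missing_patch": "high",
    "sql_svc_has_spn": "info",
    "sql_svc_weak_password": "medium",
    "local_admin_reuse": "medium",
}
RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def enumerate_paths(edges, start, goal):
    """Return every simple path (as a list of edges) from start to goal, via DFS."""
    by_src = {}
    for e in edges:
        by_src.setdefault(e[0], []).append(e)
    paths = []

    def walk(node, visited, trail):
        if node == goal:
            paths.append(list(trail))
            return
        for e in by_src.get(node, []):
            if e[1] not in visited:          # simple paths only, no revisits
                trail.append(e)
                walk(e[1], visited | {e[1]}, trail)
                trail.pop()

    walk(start, {start}, [])
    return paths


def findings_on(path):
    """Set of misconfigurations the attacker needs across every step of the path."""
    return set().union(*(req for _, _, _, req in path))


def max_scanner_rating(path):
    """Worst rating any single finding on the path gets from the scanner."""
    return max((SCANNER_RATING[f] for f in findings_on(path)), key=RANK.get)


def validate(paths, exploitable_techniques):
    """Keep only paths in which every step was actually exploited during a test run."""
    return [p for p in paths if all(t in exploitable_techniques for _, _, t, _ in p)]


def prioritize(paths):
    """Findings ordered by how many of the given paths fixing that one finding would break."""
    return Counter(f for p in paths for f in findings_on(p)).most_common()


if __name__ == "__main__":
    all_paths = enumerate_paths(EDGES, "foothold", "dc01_admin")
    for p in all_paths:
        steps = " -> ".join(e[2] for e in p)
        print(f"[worst single finding: {max_scanner_rating(p)}; chained: domain admin] {steps}")
    # Constructed validation result: the SQL service password survived offline cracking.
    confirmed = {"LLMNR/NBT-NS poisoning", "NTLM relay to SMB", "exploit unpatched service",
                 "Kerberoasting", "local admin password reuse"}
    live = validate(all_paths, confirmed)
    print(f"{len(all_paths)} mapped paths, {len(live)} validated")
    for finding, n in prioritize(live):
        print(f"fix {finding}: breaks {n} validated path(s)")
```

Two things fall out of running it. The LLMNR plus SMB-signing path consists only of medium-rated findings yet reaches the domain controller, which is the severity-correlation point the page makes. And after validation the Kerberoasting path disappears, so the medium-rated weak service password drops off the fix list entirely, while shared local admin credentials surface as the choke point that breaks every validated path.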

A repeatable and focused approach to penetration testing ensures that organizations can maintain a strong security posture without being overwhelmed with large amounts of data, which is a game changer compared to traditional point-in-time assessments.


Conclusion

The Future of Penetration Testing: Actionable, Not Just Informational

Security teams don’t have to struggle with outdated reports, limited testing resources, or complex security data with no clear direction. By leveraging Picus Attack Path Validation (APV), they can expand the scope of their testing, prioritize vulnerabilities, quantify risk, and validate what truly matters. 

The question is no longer “What vulnerabilities exist in my environment?” but rather “Which of them truly matter?” Answering it is what separates defenders who act on real risk from those who work through a list.

Watch the webinar to hear the whole discussion, or try APV to see which attack paths need your attention.