
Automated Vulnerability Discovery

5 min read
Pentest

Automation handles the commodity vulns. Your value is the stuff that requires thinking.

TL;DR

  • Research shows automated approaches significantly outperform manual testing: 69.5% vs 47.6% success rate. LLM-assisted tools like Incalmo compromised 37/40 emulated environments vs 3/40 for the prior state-of-the-art.
  • Your differentiation: business logic flaws, chained exploits, novel attack paths. Automation doesn't go there. Interpretation and reporting—translating agent findings for stakeholders—stay human.
  • Use automation to clear the noise. Reserve your time for the high-value, human-only work.

If a scanner can find it, it's not your differentiator. Your job is what happens after the scanners run.

What Automation Finds

  • Known CVEs. SAST, SCA, vuln scanners. Fast, broad. Clients expect this.
  • Common misconfigs. Open buckets, default creds, weak TLS. Automated checks cover these.
  • Overt injection points. SQLi, XSS in obvious inputs. Fuzzers and AI payload gens find many.
  • Outdated software. Version matching, CVE lookup. Commodity.

This isn't worthless. It's baseline. Clients get it from vendors and internal tools. You add the layer they don't have.

What Automation Misses

  • Business logic. "Can I apply a coupon twice?" "Can I access another user's order?" App-specific. No generic scanner finds this.
  • Chained attacks. Vuln A gives info. Vuln B gives access. A + B = compromise. Requires reasoning.
  • Context-dependent issues. "This endpoint is admin-only—but what if we hit it from this other path?" Topology and flow matter.
  • Novel techniques. Zero-days, creative misuse. Automation trains on known patterns.
  • Partial fixes. "They patched the CVE but left the underlying pattern." You spot the remnant.
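The first two items above, the coupon and the cross-user order, written out as a vulnerable handler beside its hardened form. This is an added example, not code from the original post; the toy order service, the handler names and the coupon data are all hypothetical. The point it makes concrete is that the vulnerable handlers return well-formed 200 JSON, so a signature-driven scanner sees nothing to flag; the questions a human tester asks are encoded in logic_probe().

```python
"""Two business-logic flaws of the kind the list above describes, shown as
vulnerable and hardened request handlers in a toy order service. Added
example, not code from the original post; every name here is hypothetical.
The vulnerable handlers answer with well-formed HTTP 200 JSON, which is why a
signature-driven scanner has nothing to flag; the checks a human tester runs
("can I apply this twice?", "can I read someone else's order?") are encoded
in logic_probe()."""
from dataclasses import dataclass, field

# Constructed sample data: one coupon worth a flat 10.00 off.
COUPONS = {"SAVE10": 10.0}


@dataclass
class Order:
    order_id: int
    owner: str
    total: float
    coupons_applied: list = field(default_factory=list)


# --- Vulnerable handlers: structurally fine responses, wrong logic ---------
def apply_coupon_vulnerable(order, code):
    # Subtracts the discount every time it is called: nothing records
    # that the coupon was already used on this order.
    order.total -= COUPONS[code]
    order.coupons_applied.append(code)
    return {"status": 200, "total": order.total}


def get_order_vulnerable(requesting_user, order):
    # Looks the order up by id only; never asks whether the caller owns it.
    return {"status": 200, "owner": order.owner, "total": order.total}


# --- Hardened handlers ----------------------------------------------------
def apply_coupon_safe(order, code, max_uses_per_order=1):
    # Reject unknown codes instead of raising (a KeyError would surface as a 500).
    if code not in COUPONS:
        return {"status": 400, "error": "unknown coupon"}
    # Enforce the business rule server-side: one application per order.
    if order.coupons_applied.count(code) >= max_uses_per_order:
        return {"status": 409, "error": "coupon already applied"}
    order.total = max(0.0, order.total - COUPONS[code])  # never go negative
    order.coupons_applied.append(code)
    return {"status": 200, "total": order.total}


def get_order_safe(requesting_user, order):
    # Ownership check; answer 404 rather than 403 so the endpoint does not
    # confirm that someone else's order id exists.
    if order.owner != requesting_user:
        return {"status": 404, "error": "not found"}
    return {"status": 200, "owner": order.owner, "total": order.total}


# --- The human tester's questions, as executable checks -------------------
def logic_probe(apply_fn, get_fn):
    """Exercise a pair of handlers and report which logic flaws they show.

    Returns a dict with two booleans: coupon_reuse (a second application
    still lowered the total) and cross_user_order_read (a user could fetch
    an order they do not own).
    """
    order = Order(1, "alice", 100.0)
    first = apply_fn(order, "SAVE10")
    second = apply_fn(order, "SAVE10")
    coupon_reuse = second["status"] == 200 and second["total"] < first["total"]

    someone_elses = Order(2, "bob", 80.0)
    leaked = get_fn("alice", someone_elses)
    cross_user_read = leaked["status"] == 200 and "total" in leaked

    return {"coupon_reuse": coupon_reuse, "cross_user_order_read": cross_user_read}


if __name__ == "__main__":
    print("vulnerable:", logic_probe(apply_coupon_vulnerable, get_order_vulnerable))
    print("hardened:  ", logic_probe(apply_coupon_safe, get_order_safe))
```

Running it prints both flags True for the vulnerable pair and False for the hardened pair. Note that nothing in the vulnerable responses looks malformed; the defect only shows up when two calls are compared, or when the caller's identity is compared with the record's owner, which is exactly the reasoning a generic scanner does not do.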

The New Pentest Model

Phase 1: Let automation run. Scanners, AI-assisted checks. Clear the known issues. Triage and report.

Phase 2: Human deep-dive. Business logic, auth flaws, chaining. Things that need reasoning and context.

Phase 3: Validate and report. Separate "automation found" from "we found." Clients pay for the latter. Make that clear.
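A small triage step for Phase 3, showing how the "automation found" and "we found" split can be enforced in the report rather than remembered at writing time. This is an added example, not code from the post; the tool names, the JSON shape, the host names and the CVE ids are constructed placeholders, not any real scanner's format or real identifiers. It merges duplicate hits across tools, drops manual entries that only repeat a scanner hit, and flags chained findings whose referenced ids do not exist.

```python
"""Phase 3 triage: merge raw automated-tool output, deduplicate it, and label
every finding by provenance so the report separates "automation found" from
"we found". Added example, not code from the post; the tool names, the JSON
shape and the identifiers below are constructed placeholders, not any real
scanner's format or real CVE ids."""
import json

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed sample output as two hypothetical tools might emit it. Both tools
# report the same library issue on the same host (a duplicate to collapse).
RAW_SCANNER_OUTPUT = json.dumps([
    {"tool": "vulnscan", "host": "app.example.test", "id": "CVE-PLACEHOLDER-0001",
     "severity": "high", "title": "Outdated TLS library"},
    {"tool": "sca", "host": "app.example.test", "id": "CVE-PLACEHOLDER-0001",
     "severity": "critical", "title": "Outdated TLS library (dependency manifest)"},
    {"tool": "vulnscan", "host": "db.example.test", "id": "DEFAULT-CREDS",
     "severity": "critical", "title": "Default credentials accepted"},
    {"tool": "vulnscan", "host": "app.example.test", "id": "INFO-BANNER",
     "severity": "info", "title": "Server banner discloses version"},
])

# Constructed findings the tester recorded during the manual phase. "chain"
# lists the ids (on the same host) of other findings a chained finding builds on.
MANUAL_FINDINGS = [
    {"host": "app.example.test", "id": "LOGIC-COUPON-REUSE", "severity": "high",
     "title": "Coupon can be applied repeatedly to one order", "chain": []},
    {"host": "app.example.test", "id": "CHAIN-BANNER-LIBRARY", "severity": "critical",
     "title": "Banner version plus outdated library confirmed exploitable",
     "chain": ["INFO-BANNER", "CVE-PLACEHOLDER-0001"]},
    # Re-entering a scanner hit by hand does not make it a human finding.
    {"host": "db.example.test", "id": "DEFAULT-CREDS", "severity": "critical",
     "title": "Default credentials", "chain": []},
]


def normalize_scanner_output(raw_json):
    """Collapse duplicate (host, id) hits from several tools into one finding,
    keeping the highest severity reported and listing every tool that hit it."""
    merged = {}
    for hit in json.loads(raw_json):
        key = (hit["host"], hit["id"])
        entry = merged.setdefault(key, {
            "host": hit["host"], "id": hit["id"], "severity": hit["severity"],
            "title": hit["title"], "tools": [], "source": "automation"})
        entry["tools"].append(hit["tool"])
        if SEVERITY_RANK[hit["severity"]] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = hit["severity"]
            entry["title"] = hit["title"]
    return list(merged.values())


def triage(raw_json, manual_findings):
    """Build the two report sections. Manual entries that merely repeat a
    scanner hit are dropped; chain references that point at nothing are
    counted as unresolved so the report cannot claim a chain it cannot show."""
    automation = normalize_scanner_output(raw_json)
    known_ids = {(f["host"], f["id"]) for f in automation}
    manual = []
    for m in manual_findings:
        if (m["host"], m["id"]) in known_ids:
            continue
        entry = dict(m, source="manual", tools=[])
        entry["unresolved_chain"] = [
            ref for ref in m.get("chain", []) if (m["host"], ref) not in known_ids]
        manual.append(entry)
        known_ids.add((m["host"], m["id"]))
    by_severity = lambda f: -SEVERITY_RANK[f["severity"]]  # stable: ties keep order
    automation.sort(key=by_severity)
    manual.sort(key=by_severity)
    return {
        "automation_found": automation,
        "we_found": manual,
        "summary": {
            "automation_found": len(automation),
            "we_found": len(manual),
            "chained": sum(1 for f in manual if f.get("chain")),
            "unresolved_chain_refs": sum(len(f["unresolved_chain"]) for f in manual),
        },
    }


if __name__ == "__main__":
    print(json.dumps(triage(RAW_SCANNER_OUTPUT, MANUAL_FINDINGS)["summary"], indent=2))
```

On the constructed input the summary reports three automation findings and two human findings, one of them chained, with the duplicated library hit collapsed to a single critical entry credited to both tools and the hand-copied default-credentials entry kept on the automation side where it belongs.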

Without automation: spend hours triaging scanner output and manually generating and testing payload variants. Incalmo-era research: 3/40 emulated environments compromised by prior tools.

Quick Check

Incalmo compromised 37/40 emulated environments vs 3/40 for prior state-of-the-art. What remains human-critical in vulnerability discovery?

Do This Next

  1. Audit your last engagement. How much time on scanner triage vs. manual exploitation? Target: shift more time to manual, use AI/automation to speed triage.
  2. Create a "beyond automation" checklist for each engagement type: business logic areas, auth boundaries, chaining opportunities. Use it to focus your manual effort.