Penetration testing is not meant to be a replacement for your automated vulnerability scanning. Most organizations implement some form of scanning today, and it provides great benefits, from identifying vulnerable applications and systems to providing a high-fidelity inventory of active, live hosts and applications on the network. Vulnerability scans are so important that in pentesting they are used in the reconnaissance phase to help identify vulnerable, or just plain interesting, hosts and applications to focus our exploitation techniques against.
However, no matter how many different scanners you use, they will not provide a clearer picture of your environment's exploitability than a report from a seasoned professional. Even with all those great dashboards and compliance reports, it is hard for an organization to determine which vulnerability is the most important to mitigate first. SI can help organizations make a more informed decision on which vulnerability to mitigate first by weighing the true exploitability of the weakness against the impact it will have on critical business operations.
Also, automated scanning will contain false positives. Our reports, on the other hand, have zero false positives in them. This is because every finding is validated by hand, with a documented proof of concept. This provides the information security team with concise data points to take the appropriate steps to mitigate the weakness and to validate whether it is still present.
As good as they are, automated scanners are not so automated. In every case a human needs to validate the findings and implement a fix for them. Luckily, SI is here to help with either of those tasks.