Penetration Testing Tools Overview
Application Security Testing is a key element of ensuring that web applications remain secure. Various tools and managed services exist to provide continuous testing, besides application security platforms that include app testing as part of their functionality. Penetration Testing (Pen Testing) Tools provide means to conduct authorized, ethical hacking of applications in production, to locate vulnerabilities that may be exploited by hackers.
Veracode is an application security platform that performs five types of analysis; static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Veracode offers on-demand expertise and aims to help companies fix security defects.
Wireshark is an open source network troubleshooting tool.
Metasploit is open source network security software described by Rapid7 as the world’s most used penetration testing framework, designed to help security teams do more than just verify vulnerabilities, manage security assessments, and improve security awareness.
The Burp Suite, from UK-based alcohol-themed software company PortSwigger Web Security, is an application security and testing solution.
HackerOne is a hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be exploited, from the company of the same name in San Francisco. The service is used for vulnerability location, pen testing, bug bounty, and vulnerability triage services.
Synack in Redwood City, California offers the Synack Crowdsourced Security Testing Platform, which they describe as providing a comprehensive, continuous penetration test with actionable results, and a sense of the adversarial perspective.
SecPoint Penetrator is a vulnerability scanning virtual or hardware appliance that simulates how a hacker could penetrate a given system and reveal vulnerabilities, used for penetration testing and vulnerability assessments.
San Jose-based company Appvance offers Appvance IQ, an AI driven testing solution designed to deliver productivity gains in both test creation and execution, the former through AI scripting and codeless test creation, the latter through unified functional, performance and security (e.g. penetration)…
The vendor states Spirent SecurityLabs’ services are structured to produce high-impact results with minimal impact on the client organization. Their team of security professionals offer comprehensive scanning, penetration testing and monitoring services for networks, applications and devices, as wel…
SecPoint Portable Penetrator is a WiFi Pen Testing TooI which the vendor says is capable of improving the security of business wireless networks and devices, specifically for WiFi protection.
Austin-based cybersecurity company Praetorian is the developer of Diana, a bug bounty and application security testing platform, with limited availability (2020) in anticipation of full release in the near future.
Defensics fuzz testing is presented by Synopsys as a comprehensive, automated black box solution that enables organizations to effectively and efficiently discover and remediate security weaknesses in software. By taking a systematic and intelligent approach to negative testing, they state Defensics…
Claranet headquarteredin London offers web, mobile, and infrastructure penetration testing services, approved by CREST, aiming to help clients find security issues before others do. Additionally, Claranet cybersecurity awareness training is offerd to protect users from the threats of sophisticated …
SimplyEmail is an open source email recon tool used for security and penetration testing.
Hashcat is a password recovery tool that can also be used in security testing (e.g. password cracking, exposing flaws).
John the Ripper is a penetration testing tool used to find and crack weak passwords.
Hydra is a password cracking tool used for penetration testing.
Aircrack-ng is an open source tool to test wifi network security through packet capture, attacks (e.g. packet injection), and cracking (e.g. WEP).
Nikto is an open source fast (not stealthy) vulnerability testing tool that can be used in penetration testing or purple team exercises.
FuzzDB is an open source database introduced by Mozilla developers, supplying attack patterns, predictable resource names, regex patterns for identifying interesting server responses, and documentation resources. It’s most often used testing the security of web applications.
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a detection engine and features for the ultimate penetration tester and a range of switches lasting from database fingerprin…
The BreachLock Cloud Platform, from BreachLock in New York, provides continuous penetration testing and vulnerability scanning with actionable results for public cloud, applications, or networks.
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. MobSF support mobile app binaries (APK, IPA & APPX) along with zipped source code …
Intruder, from Intruder Systems in London, is a cloud-based vulnerability scanner that finds cyber security weaknesses in digital infrastructure, to avoid costly data breaches.
Intigriti is an ethical hacking and bug bounty platform oprating primarily in the European Union, allowing users to carry out research and conduct security evaluations.