Automated Pentesting: Close the gap between compliance and real security

Blog

First Published:

November 6, 2025

Content Written For:

Small & Medium Businesses

Large Organisations & Infrastructure

Government


Annual penetration tests and noisy vulnerability scanners no longer reflect how modern attacks unfold. In response, many organisations are shifting toward automated pentesting delivered by service providers as a continuous security validation approach. Analysis from Horizon3.ai, based on more than 50,000 real-world production tests, shows attackers chaining exposures at machine speed, exploiting credentials at scale, and moving faster than traditional testing cycles can detect.

In this environment, organisations that rely on a single annual penetration test, often referred to as a pentest or pen testing exercise, leave critical gaps open for months at a time. Australian organisations, in particular, need continuous, offensive validation that focuses on identity exposure, cloud access, and rapid remediation rather than periodic compliance snapshots.

Key Findings Driving the Shift to Automated Pentesting

Horizon3.ai’s large-scale dataset highlights why traditional approaches are falling behind.

Automated testing platforms achieved critical impacts in an average of 14 hours, while organisations using continuous models tested environments every six days on average. By contrast, most organisations still perform manual penetration testing once per year.

The data also shows that attackers do not wait for audit cycles. Credential-based attacks dominate breach paths, and weaknesses are often exploited long before scheduled testing occurs.

Why Compliance Checklists Are Not the Same as Readiness

Many security programmes still equate compliance with readiness. In practice, they are not the same.

Traditional penetration testing approaches, while highly effective, still rely on point-in-time assessments, supplemented by vulnerability scanners. While these tools have value, Horizon3’s data shows they create predictable windows of exposure. Only 26 percent of organisations conduct pentests more than once per year, yet 84 percent experienced a security incident in the same period.

Vulnerability scanners generate volume rather than context. Nearly all organisations use scanning tools, but only a third consider them highly effective. False positives and alert fatigue delay remediation, allowing real attack paths to remain exploitable.

By contrast, Autonomous Penetration Testing focuses on whether weaknesses can actually be exploited, not just whether they exist.

What the Data Shows from 50,000 Automated Penetration Tests

From more than 50,000 automated pentests conducted in production environments, Horizon3.ai recorded:

Over 415,000 compromised hosts and more than 170,000 sensitive data exposures
Nearly 29,000 credential dumping instances, with 95 percent verified as remediated on retest
More than 99,000 successful exploits across 229 CVEs, many listed on CISA’s Known Exploited Vulnerabilities catalogue

Time to impact proved critical. In the fastest scenario, domain administrator access was achieved in 60 seconds. On average, critical impact occurred within 14 hours.

Manual penetration testing, which may take weeks to plan and execute, cannot account for the constant drift in cloud identities, permissions, and configurations that attackers exploit daily.

Automated Penetration Testing Versus Traditional Pentesting

Penetration testing, commonly shortened to pentesting or pen testing, has traditionally been delivered as a periodic manual exercise. While skilled testers provide deep insight, these engagements represent a snapshot in time.

Automated penetration testing changes the model. Instead of testing annually or quarterly, organisations continuously validate their security posture against real attack paths.

This approach is increasingly delivered through penetration testing as a service, where automated testing runs frequently, supported by expert oversight and periodic manual red team exercises.

The return on investment is clear.

Automated testing detects chained exploits that scanners miss, particularly credential-based lateral movement. It enables faster remediation by validating fixes through immediate retesting. It also prioritises findings based on real business impact rather than theoretical severity.

Australian Context: Essential Eight and Regulatory Expectations

For Australian organisations, automated penetration testing supports more than just technical security. It helps demonstrate control effectiveness under ASD and ACSC guidance, particularly within the Essential Eight maturity model.

ACSC guidance places strong emphasis on verifying that controls are implemented and operating effectively. Continuous offensive testing provides tangible evidence of this, especially for identity controls, patching, and privileged access management.

Regulatory pressure is also increasing across frameworks such as SOCI, NIS2, and global customer assurance requirements. Reducing exposure windows through continuous testing directly lowers the risk of reportable incidents, downtime, and compliance penalties. CyberPulse has integrated autonomous testing into its Essential Eight aligned services.

A Practical Playbook for Moving Beyond Annual Pen Tests

Transitioning from annual pentests to automated penetration testing does not require abandoning manual testing. Instead, it requires rebalancing effort.

Focus on Risk, Not Volume

Start with crown-jewel assets. Identity systems such as Active Directory and Microsoft Entra, cloud IAM roles, and exposed attack surfaces consistently appear as dominant breach paths in the data.

Combine Automated Pentesting With Human Expertise

Run automated tests daily or weekly, supported by periodic manual red team engagements. Horizon3 customers using this model achieved a median testing interval of six days.

Measure and Reduce Mean Time to Remediate

Set clear targets for fixing critical issues, such as verifying remediation within seven days. Automated retesting provides objective proof that fixes are effective.

Prioritise Actively Exploited Vulnerabilities

Integrate CISA KEV data into remediation workflows. Many of the most frequently exploited vulnerabilities observed were already known to be actively targeted.

Strengthen Credential and IAM Hygiene

Credential dumping and privilege escalation drive the majority of successful attacks. Automated testing that emulates these paths provides realistic exposure data that scanners cannot.

Improve Governance and Reporting

Executives and boards need evidence, not dashboards. Continuous testing produces clear exploit paths, remediation verification, and business impact summaries that support decision-making.
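The playbook steps above describe a remediation workflow (KEV-aware prioritisation, a seven-day fix target, and retest-verified closure) but not how one would track them. The script below is an added illustration, not code from the original post or from Horizon3.ai or CyberPulse, and its findings, host names, CVE identifiers and KEV entries are all constructed placeholders. It ranks findings so that KEV-listed CVEs come first and business impact breaks ties, computes mean time to remediate over retest-verified fixes only, and flags findings that are still unverified past the SLA, treating a fix that has been applied but not retested as still open.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed stand-in for a CISA KEV catalogue extract (placeholder IDs, not
# real KEV entries). In practice this set is loaded from the published feed.
KEV_IDS = {"CVE-0000-0001", "CVE-0000-0003"}

# Constructed "today" so the example is reproducible offline.
TODAY = date(2025, 10, 15)

# Business-impact weights used to break ties between findings (assumed scale).
IMPACT_WEIGHT = {"domain_admin": 3, "sensitive_data": 2, "low": 1}


@dataclass
class Finding:
    host: str
    cve: Optional[str]          # None for non-CVE findings, e.g. credential exposure
    impact: str                 # one of IMPACT_WEIGHT's keys
    found: date                 # date the automated test first exploited it
    remediated: Optional[date]  # date the team reports the fix applied, if any
    retest_verified: bool       # True only after an automated retest confirms the fix


def priority(f: Finding):
    """Sort key: actively exploited (KEV) first, then by business impact."""
    return (1 if f.cve in KEV_IDS else 0, IMPACT_WEIGHT.get(f.impact, 0))


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Return findings in the order the remediation queue should work them."""
    return sorted(findings, key=priority, reverse=True)


def verified_mttr_days(findings: List[Finding]) -> Optional[float]:
    """Mean time to remediate, counting only retest-verified fixes.

    Fixes that were applied but never retested are excluded: the metric
    should reflect proven closure, not assumed closure.
    """
    durations = [
        (f.remediated - f.found).days
        for f in findings
        if f.retest_verified and f.remediated is not None
    ]
    if not durations:
        return None
    return sum(durations) / len(durations)


def overdue(findings: List[Finding], today: date, sla_days: int = 7) -> List[Finding]:
    """Findings not yet retest-verified whose age exceeds the SLA.

    A finding with a remediation date but no retest is still counted as
    open, because the fix has not been demonstrated to work.
    """
    return [
        f for f in findings
        if not f.retest_verified and (today - f.found).days > sla_days
    ]


def sample_findings() -> List[Finding]:
    """Constructed sample data for the example; not from any real test."""
    return [
        Finding("dc01", "CVE-0000-0001", "domain_admin", date(2025, 10, 1), date(2025, 10, 3), True),
        Finding("web01", "CVE-0000-0002", "sensitive_data", date(2025, 10, 1), date(2025, 10, 10), True),
        # Credential dumping on a file server: fix reported but never retested.
        Finding("fs01", None, "domain_admin", date(2025, 10, 5), date(2025, 10, 6), False),
        Finding("app02", "CVE-0000-0003", "low", date(2025, 10, 12), None, False),
    ]


if __name__ == "__main__":
    findings = sample_findings()
    print("Work queue:", [f.host for f in prioritise(findings)])
    print("Verified MTTR (days):", verified_mttr_days(findings))
    print("Overdue (unverified past SLA):", [f.host for f in overdue(findings, TODAY)])
```

The ordering rule is one defensible choice, not the only one: it follows the post in putting actively exploited CVEs ahead of theoretical severity, then uses impact to break ties. The point worth keeping whatever the rule is that `verified_mttr_days` and `overdue` both key off `retest_verified`, so a ticket closed without a retest neither improves the metric nor leaves the overdue list.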

Case Highlights From the Horizon3 Report

In one national materials supplier case, an uncredentialed internal automated pentest uncovered full domain compromise, exposure of millions of sensitive resources, and access to nearly a quarter of user accounts. Follow-up testing verified significant remediation progress within weeks.

Across the broader dataset, automated testing identified nearly 29,000 credential dumping instances and verified remediation in 95 percent of cases, demonstrating measurable improvement rather than theoretical compliance.

Is Automated Pentesting Safe in Production?

When delivered by an experienced provider with clear engagement rules, automated penetration testing is safe for production environments.

Horizon3’s analysis confirms that autonomous testing platforms are routinely used in live systems with real-time notifications, exploit controls, and rapid rollback mechanisms. This allows organisations to identify and remediate critical weaknesses without operational disruption.

Recommendations

Australian organisations should move from annual penetration tests to continuous or near-continuous validation, with a strong focus on identity and cloud assets. For full coverage, organisations can combine traditional penetration testing with automated testing to achieve the best possible outcome.

Actively exploited vulnerabilities should be prioritised using KEV data.

Mean time to remediate should be tracked and reduced, with fixes verified through retesting rather than assumed.

Automated penetration testing should be complemented by periodic manual pentests to provide strategic depth.

Next Steps

If you are responsible for security assurance, start with a short readiness assessment. CyberPulse can help identify your crown-jewel assets, measure current remediation timelines, and design an automated penetration testing cadence aligned with the Essential Eight and real-world threat activity. We’ll map your crown jewels, measure current MTTR, and propose a continuous penetration testing cadence aligned with Essential Eight and KEV priorities.

About CyberPulse

CyberPulse is a security-first compliance partner helping organisations reduce cyber risk, build resilience and achieve certification with confidence. Founded by former CISOs and security leaders, we align technical depth with real-world context to deliver measurable outcomes across advisory, managed services, compliance and threat defence.

Let’s Talk

Follow us on LinkedIn for practical insights, or contact us to speak with a CyberPulse expert.

External Resources