Scaling penetration testing through smart automation

In this Help Net Security interview, Marko Simeonov, CEO of Plainsea, discusses how organizations can move beyond compliance-driven penetration testing toward a more strategic, risk-based approach. He explains how automation, human expertise, and continuous monitoring can transform penetration testing into a dynamic, business-critical process.

While many organizations still treat penetration testing as a compliance checkbox, the need for more proactive approaches is growing. How can companies shift their mindset from compliance-led testing to a more strategic, risk-based approach?

I believe that in today’s hyperconnected digital landscape, treating penetration testing as a mere compliance exercise is equivalent to driving while only looking in the rearview mirror. It’s a fundamentally flawed and risky approach that completely misses the real purpose of pen-testing. Compliance alone does not equate to security; it is merely the starting point of a broader, ongoing commitment to safeguarding an organization’s assets.

Although MSSPs are well aware of that, many of their clients still see penetration testing (and cybersecurity overall) as a ‘tick-box’ expenditure rather than a long-term business investment. They do not understand the ‘why’ behind it.

Transforming this perception begins with understanding that vulnerabilities aren’t just technical problems – they’re potential business existential threats that can lead to catastrophic consequences- from data loss and operational downtime to irreparable reputational damage and loss of customer trust. In fact, one in five companies in the US and Europe now risk bankruptcy due to cyberattacks.

This underscores why penetration testing isn’t about finding a few vulnerabilities once a year—it’s about building a dynamic feedback loop that drives strategy, guides investments, mitigates risks, and protects the bottom line.

Automation is being touted as a key component of the future of penetration testing. What aspects of the pen-testing process do you see as the most ripe for automation, and where does human expertise remain indispensable?

Automation undoubtedly has tremendous potential to streamline the penetration testing lifecycle for MSSPs. The most promising areas are the repetitive, data-intensive, and time-consuming aspects of the process. For instance, automated tools can cross-reference vulnerabilities against known exploit databases like CVE, significantly reducing manual research time. They can enhance accuracy by minimizing human error in tasks like calculating CVSS scores.

Automation can also drastically reduce the time required to compile, format, and standardize pen-testing reports, which can otherwise take hours or even days depending on the scope of the project. For MSSPs handling multiple client engagements, this could translate into faster project delivery cycles and improved operational efficiency. For their clients – it enables near real-time responses to vulnerabilities, reducing the window of exposure and bolstering their overall security posture.

However – and this is crucial – automation should not be treated as a silver bullet. Human expertise remains absolutely indispensable in the testing itself. The human ability to think creatively, to understand complex system interactions, to develop unique attack scenarios that an algorithm might miss—these are irreplaceable. We’re seeing emerging threats like sophisticated prompt injection attacks that require a level of contextual understanding and creative problem-solving that current AI simply cannot replicate.

This is why we at Plainsea champion the “augmented pen-testing approach.” By combining human expertise with advanced technology tools, we enable streamlined operations, scalable services, and real-time insights to address these threats effectively.

You mention scalability and for MSSPs, scaling penetration testing services remains a significant challenge due to the reliance on highly skilled personnel. How can MSSPs strike the right balance between automation and human expertise to meet growing demand?

The scaling challenge is indeed one of the most pressing issues for MSSPs. Skilled cybersecurity professionals are in high demand, and the skills gap continues to widen. In fact, a month ago ISC2 published its annual Cybersecurity Workforce Study where it estimated that the current workforce gap is almost 4.8M people now – a 19.1% increase from the previous year.

However, for MSSPs, the path forward isn’t about choosing between automation and human expertise – it’s about creating an intelligent ecosystem where technology amplifies pen-testers’ capabilities. Think of it as an augmented intelligence model. Automation should handle the repetitive, data-intensive tasks that consume valuable human hours: automated vulnerability enrichment, infrastructure mapping, CVE correlation, risk scoring, overall report generation.

By implementing such smart tools that can handle routine tasks, you’re not just solving a staffing challenge – you’re creating way bigger space for your most talented professionals to do what they do best: hacking.

And let’s be honest—this is what keeps top talent motivated. Skilled professionals don’t want to spend their days on repetitive tasks. By automating the mundane, you’re giving them the space to do work that’s meaningful and challenging, which is key to keeping them engaged and invested in your team. In addition, automated vulnerability enrichment can significantly boost the quality and detail of your team’s findings.

How can penetration testing evolve to provide more continuous and adaptive monitoring of an organization’s attack surface rather than relying on periodic testing cycles?

Key enablers of continuous testing model include automated tools that can detect configuration changes or identify newly exposed assets in real-time. These tools, integrated seamlessly into security operations, provide a proactive defense mechanism that reduces response times and improves risk management.

At Plainsea, we’ve observed that this approach can accelerate project turnaround times by up to 30%, enabling MSSPs to deliver faster, more actionable insights to their clients.

Technology platforms are critical enablers in transitioning from traditional to modern penetration testing. What features or capabilities are most crucial for these platforms to offer to support comprehensive, continuous testing services?

Pen-testing is not a one-size fits all service and it shouldn’t be boxed in a rigid solution. That’s why modern penetration testing platforms need to prioritize scalability, agility, and user-centric design to deliver continuous services in the most effective way. While pen-testing itself is complex, the tools that support it don’t need to be.

This is where Plainsea’s platform for augmented pen-testing sets a new benchmark. With features like real-time project data and vulnerability analytics, comprehensive vulnerability templates, and automatic CVE linking, it empowers teams to transition from periodic testing cycles to a continuous service delivery model.

Capabilities like AI-powered summarization and write-up engines simplify report generation, saving time for both junior and senior pen testers. Features like automated CVSS and OWASP-based scoring ensure findings are prioritized effectively, making it easier for teams to address the most critical risks first. By integrating these tools into a centralized platform, MSSPs can scale their services without compromising on quality.

Equally important, Plainsea fosters collaboration across teams by providing actionable insights and real-time updates. This ensures vulnerabilities are identified and resolved as they emerge, eliminating delays and reducing remediation time to zero.

Ultimately, platforms like Plainsea don’t just help MSSPs keep pace—they redefine what’s possible in cybersecurity. By enabling proactive client engagement, fostering seamless collaboration, and delivering real-time, actionable insights, Plainsea transforms penetration testing from a periodic necessity into a continuous competitive advantage. With Plainsea, MSSPs can scale effortlessly, tackle emerging threats head-on, and position themselves as indispensable partners in safeguarding their clients’ digital future.