Automated Vulnerability Scanners, on the surface, have a lot of appeal to IT directors. They run in the background and are “always on”. They alert you when you have an issue.

But the harsh reality is they provide a false sense of security and leave your network exposed. They don’t defend prominent channels, such as business email compromise (BEC), which hackers commonly use to break into your network. They’re like the Roomba of cybersecurity. They’ll pick up the obvious grime but they’re not getting that hard-to-find dirt in the corner.

Knowing those shortcomings, we’re going to lay out the drawbacks of these scanners and how continuous penetration testing provides an always-on approach, but also gives you the peace of mind that comes with in-depth pentesting.

Understanding scanners and pentesting

Vulnerability scanners work off a set database of known weaknesses that hackers can use to break into your network. The problem is no database is perfect and inherent lag times are a reality due to updates to that database. Therefore, they won’t pick up all issues as quickly as you need.

Yes, scanners often produce incredible amounts of security findings within your network. But how serious is a finding? The problem is many “minor” issues may not be issues at all. Others may require immediate attention. This often is hard to determine when reviewing vulnerability scan results.

Without an expert to prioritize and provide remediation guidance, your team doesn’t know what to chase first. It’s like a hunting dog running loose – every bird becomes equally important.

Enter, the pentester.

The pentester will assess the magnitude of an issue along with how likely it is that the vulnerabilities found will be exploited in a way that can damage your network. For many, it’s critical to know not only what’s bad, but what’s critically bad, so they can triage the issues given limited resources.

Data doesn’t lie. Where scanners fall short.

Financial Losses from attacks - 2018, 2019 & 2020
Both vulnerability scanners and pentesters can play roles in improving your overall security posture. Over time, the adoption of vulnerability scanners has outpaced that of the pentester. However, to say scanners have slowed cyber threats and their monetary impact is flat out false. How do we know this? Well, the stats speak for themselves.

According to the FBI’s 2020 Internet Crime Report, cybercrime has increased every year for the last five years. That tells us that the widening use of vulnerability scanners aren’t slowing the bleed.

So what does that mean for businesses? Beyond brand damage, it comes down to the bottom line. Financial losses from attacks have accelerated at a staggering pace. Let’s look at the past three years:

  • 2018 - $3.62 Billion
  • 2019 - $8.96 Billion
  • 2020 - $29.15 Billion

And the challenge with scanners is they aren’t focused on multiple attack surfaces (those places hackers bust into your network) that account for nearly half of funds lost to cyber criminals. Vulnerability scanners can’t simulate or detect the ability to compromise employee email accounts.

“Like in prior years, cybercrime groups engaging in BEC (business email compromise) and EAC (email account compromise) scams were the most successful, accounting for $1.8 billion in losses, which amounted to around 43% of all of last year’s total lost funds,” according to a recent article in The Record.

The takeaway? Automated vulnerability scanners ignore initial network access points that put your organization at risk.

Professional pentester perks

Certification. Experience. Communication.

A number of institutions certify and continuously test professionals who provide pentesting services. CISSP (Certified Information System Security Professional) and OSCP (Offensive Security Certified Professional) are two notable designations you should expect your pentesting partner to have.

Additionally, experience matters but it needs to be combined with a vetted, repeatable process they can demonstrate for you.

Your relationship with a pentester has unmeasurable value. It’s a partnership. In addition to helping you maintain a secure network, you’ll find benefits and tangible impact reaching into multiple facets of your organization. Communication and comfort with your extended, external team is critical to your success.

The Sprocket difference

The Sprocket Difference - We Are Always Testing Against Attacks
Now that we’ve defined why vulnerability scanners don’t cut it when it comes to protecting your organization, let’s take a minute to see what the Sprocket team brings to the table.

Sprocket provides continuous penetration testing. What’s that mean? It means we combine the benefits of vulnerability scanners and pentests into a well-rounded, ongoing testing approach that protects you year-round. You get the breadth of vulnerability scanners (we’re always testing) and the depth of a pentest (we prioritize social engineering and email attacks missed by scanners).

Wrap up

The key takeaway is this: Automated vulnerability scanners don’t protect your network against social engineering attacks, and they don’t defend prominent channels such as business email. That’s a big problem, because those types of attacks are responsible for billions in lost revenue each year.

For that reason, an approach to cybersecurity that blends on-going monitoring/testing with professional pentesting designed to address ALL vulnerabilities is ideal. That approach is known as continuous penetration testing.