What are Alternatives to a Penetration Test?


Penetration testing costs can get up there, so smaller companies who still want to know something about their security situation might look, and hope, for reasonable alternatives to the penetration test.

Vulnerability scans, attack surface analysis, phishing simulations, and some DIY elbow grease are all reasonable alternatives to a penetration test. Exercised year-round, these options can still end up cheaper than a single penetration test.

Alternatives to the penetration test do not replace the penetration test; they offer reduced capability at a more affordable price. However, a smart combination of the alternatives below, chosen to fit the needs of the business, can provide something almost as effective and still cheaper.

Alternatives to a Penetration Test

  • Do-It-Yourself Security Assessment and Risk Analysis
  • Automated Breach Simulation
  • Vulnerability Scan (pen test component)
  • Phishing Simulation (pen test component)
  • Attack Surface Analysis (extended form of a pen test component)

This article assumes the business has no regulatory (industry or government) requirement to perform “regular” penetration testing. If the business does have such a requirement, then consider these alternatives additional beneficial methods of measuring risk and the security of the data.

Are Penetration Tests Even Needed?

A penetration test is a core security assessment most often used to test the cyber security defensive controls and countermeasures for preventing, detecting, containing, and eradicating an attack. The results of a penetration test are fit for extensive decision making. If a business wants to know if it needs to modify or change certain technical security controls, the penetration test is the tool to reach for.

However, some companies may have low security maturity, so a penetration test may not provide the optimum information for assessing the business's cyber risk, or it may simply be too expensive.

Penetration Alternatives Comparison Chart

Tool/Process            | Detect Standard Vulnerabilities | Detect Complex Vulnerabilities | Detect Auxiliary Data | Annual Price
DIY                     | If tools work                   | No                             | No                    | Negligible
Vulnerability Scan      | Yes                             | No                             | No                    | $2,300
Attack Surface Analysis | Yes                             | Maybe                          | Yes                   | $2,500
Automated Breach Sim    | Yes                             | Yes                            | No                    | Free – Undisclosed
Penetration Test        | Yes                             | Yes, but not all               | Yes, but < ASA        | $10k – $40k
Comparison Chart

Do-It-Yourself Security Assessment and Risk Analysis

The DIY option is … always an option. There are a few open-source projects out there that provide the means for cheap and “easy” vulnerability and security control assessments. Combined with some basic risk assessment questions, they may be a recipe for the shepherd's pie of security assessments.

But buyer beware: penetration tests are not expensive only because pen testers know how to perform a penetration test. They are also expensive because pen testers know what the results mean and can translate them into actionable, risk-based decision-making information for the business owner.

Of course, like any DIY option, even when the tools are free, it’s never really free. Time spent installing tools, performing activities, tracking findings, and researching fixes all adds up to an opportunity loss. That is, time spent doing a low-quality security assessment is not time spent on something else that could improve the business.

This is not advocating ignoring security, only that paying professionals to perform even the cheapest security assessment is probably better than doing it yourself.

With that said, here are a few DIY tool options:

  • OpenVAS vulnerability scanner
  • Burp Suite web application vulnerability scanner
  • Atomic Red Team (tests whether the security tools you have installed actually detect common attacker techniques)
  • Infection Monkey (free breach simulation tool, but with a much steeper learning curve)

After using the tools (or before, it doesn’t really matter), ask these critical questions:

  • What would happen to the business if all the company’s data disappeared overnight?
  • What would happen to the business if everything except the data disappeared overnight?
  • Where is the money-making data located? (i.e., which systems host/store the data: local, cloud, otherwise)
  • What systems, if down, would stop revenue generation?
  • What systems, if down, would diminish revenue generation, and at what percent?

The questions should help identify and calculate the value of data: the kind of data that either makes the business money or would cost the business money in the event of a breach.

At some point, assign a dollar value to the data. An example box printing business with $50 million a year in revenue might have its data for printing boxes valued at 75% of the total value of the company, once hardware, printing machines, real estate, etc., are counted. Should Acme Printing lose, for whatever reason, all of the data and be unable to replace it, they are dead in the water. They aren’t printing any more boxes and aren’t making any more money.

Every business owner (or person responsible for the business’s data) needs to know the value of that data.

When complete, put the results of the scans and the value of the data into the below cyber risk chart. Note, this is not a traditional cyber risk matrix. The below chart is here to help get risks organized and visualized in the most rudimentary way. There is no way to sketch out full risk analysis in a couple hundred words.

Vulnerability | Severity | Event Probability | System | Data Value (est) | Expected Loss
Vuln 1        | Critical | 80%               | host A | $32,500,000.00   | $26,000,000.00
Vuln 2        | High     | 70%               | host B | $5,000,000.00    | $3,500,000.00
Vuln 3        | High     | 70%               | host C | $0               | $0.00
rudimentary risk table

The scanner will provide severity and system information on each vulnerability. Use the following severity-to-probability assignments to populate the chart. A cyber risk expert would not assign probabilities this way; the expert would take many measurements into consideration before assigning an event probability to a particular type of event, like ransomware or business email compromise. These are fast and dirty and probably result in exaggerated expected losses, but it’s a place to start.

  • Critical = 80%
  • High = 70%
  • Medium = 20%
  • Low = 5%

Vulnerability | Severity | Event Probability | System | Data Value (est)              | Expected Loss
Vuln          | Critical | 80%               | host A | Value of Data as % of revenue | Event Probability * Data Value
populating Data Value and Expected Loss equation

Expected Loss is the loss from an event multiplied by the probability of that event occurring. In this case the event is a hacker taking advantage of the vulnerability. This is a standard way to measure risk across many fields.

With the EL numbers in hand, cyber security decisions become possible. The primary decision: what to do to reduce or remove any particular risk? For vulnerability scan results, the options are mostly patching, upgrading the software, replacing the software, or making some other configuration change.

Use this Return on Control calculation to help things along:

ROC = (Expected Reduction in Risk / Cost of the Control) - 1

Expected Reduction in Risk is the difference between what the risk chart looks like now and what the above risk chart would look like if a control (or controls) were implemented. If the expected loss of vuln 1 is $26 million (.8 * $32.5 M) and control S would bring event probability down to 5% the new expected loss is 1.6 million (.05 x 32.5 M) and the ERR is $24.4 M ($26 M – $1.6 M).

Cost of Control is the cost it would take to purchase, engineer, and maintain for one year. If control S cost $3 million, the final ROC calculation is a 713% return on investment:

7.13 (713%) = (($26 M – $1.6 M) / $3 M) – 1
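To make the rudimentary risk table and the Return on Control calculation reproducible, here is a small calculator that joins scanner findings with the per-system data valuation and applies the severity-to-probability mapping above. This is an added example, not code from the original article; the `Finding` class, the function names, and the sample host names and dollar amounts are constructed to mirror the article's table. Dollars and percentages are kept as integers so the totals do not pick up floating-point noise. Because the code keeps the exact residual loss ($1,625,000 rather than the rounded $1.6 M used in the prose), control S comes out at a ROC of 7.125 instead of 7.13.

```python
"""Rudimentary cyber risk table and Return on Control (ROC) calculator.

Added example, not part of the original article. The severity-to-probability
mapping and the dollar values are the article's illustrative numbers; the data
structures and function names are assumptions made here.
"""
from dataclasses import dataclass

# The article's fast-and-dirty severity -> event probability mapping (percent).
SEVERITY_PROBABILITY_PCT = {"Critical": 80, "High": 70, "Medium": 20, "Low": 5}


@dataclass(frozen=True)
class Finding:
    """One row from a vulnerability scanner report (constructed sample shape)."""
    name: str
    severity: str
    system: str


def expected_loss(data_value: int, probability_pct: int) -> int:
    """Expected Loss = Event Probability * Data Value, in whole dollars."""
    if not 0 <= probability_pct <= 100:
        raise ValueError(f"probability out of range: {probability_pct}")
    return data_value * probability_pct // 100


def build_risk_table(findings, data_values):
    """Join scanner findings with the per-system data valuation.

    data_values maps a system name to the estimated dollar value of the data
    it hosts; systems missing from the map are treated as holding $0 (like
    host C in the article). Rows are sorted by expected loss, largest first.
    """
    rows = []
    for f in findings:
        if f.severity not in SEVERITY_PROBABILITY_PCT:
            raise ValueError(f"unknown severity {f.severity!r} on {f.name}")
        prob = SEVERITY_PROBABILITY_PCT[f.severity]
        value = data_values.get(f.system, 0)
        rows.append({
            "vulnerability": f.name,
            "severity": f.severity,
            "event_probability_pct": prob,
            "system": f.system,
            "data_value": value,
            "expected_loss": expected_loss(value, prob),
        })
    return sorted(rows, key=lambda r: r["expected_loss"], reverse=True)


def total_expected_loss(rows) -> int:
    """Sum of the Expected Loss column."""
    return sum(r["expected_loss"] for r in rows)


def return_on_control(current_loss: int, residual_loss: int, control_cost: int) -> float:
    """ROC = (Expected Reduction in Risk / Cost of the Control) - 1."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (current_loss - residual_loss) / control_cost - 1


# Constructed sample input mirroring the article's risk table.
SAMPLE_FINDINGS = [
    Finding("Vuln 1", "Critical", "host A"),
    Finding("Vuln 2", "High", "host B"),
    Finding("Vuln 3", "High", "host C"),
]
SAMPLE_DATA_VALUES = {"host A": 32_500_000, "host B": 5_000_000}  # host C: no valued data


def article_example():
    """Run the article's worked numbers end to end: table, residual loss, ROC."""
    table = build_risk_table(SAMPLE_FINDINGS, SAMPLE_DATA_VALUES)
    vuln1 = next(r for r in table if r["vulnerability"] == "Vuln 1")
    # Hypothetical "control S": drops Vuln 1's event probability to 5% for $3M/year.
    residual = expected_loss(vuln1["data_value"], 5)
    roc = return_on_control(vuln1["expected_loss"], residual, 3_000_000)
    return table, residual, roc


if __name__ == "__main__":
    table, residual, roc = article_example()
    for r in table:
        print(f"{r['vulnerability']:<8}{r['severity']:<10}{r['event_probability_pct']:>3}%  "
              f"{r['system']:<8}${r['data_value']:>13,}  ${r['expected_loss']:>13,}")
    print(f"Total expected loss: ${total_expected_loss(table):,}")
    print(f"Residual loss for Vuln 1 under control S: ${residual:,}")
    print(f"ROC for control S: {roc:.3f} ({roc:.0%})")
```

Swap `SAMPLE_FINDINGS` for the rows exported from whatever scanner is in use and `SAMPLE_DATA_VALUES` for the answers to the questions above; the table then ranks which finding to fix first by expected loss rather than by scanner severity alone.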

Automated Breach Simulation Tool

This is a market growing like crazy and is projected to hit just under a billion by 2025. No vendor selling this product will disclose their pricing unless a demo/quote is requested. This often means it’s pricey compared to traditional routes like penetration testing or red teaming, and the sales team wants to explain the value proposition before people run away in terror.

There is, however, a free open-source breach simulation tool, and it’s already been mentioned: Infection Monkey. It is free to use, and all the documentation is available to anyone willing to try it.

Here is a video of Infection Monkey’s creator talking about his creation.

Vulnerability Scan

Vulnerability scans crawl the systems on the network looking for published vulnerabilities. When the scan is complete, it spits out a report detailing each discovered vulnerability’s location, severity, and resolution steps (if any). As a mature technology, scanners are fast, efficient, and effective, with an important caveat.

In general, vulnerability scans can only discover the vulnerabilities that are published in accordance with a specific process and are on systems the scanner can “see”. Vulnerability scanners won’t find things such as combination attacks, faults in trust relationships, poor password usage, and defective protocol attacks, to list a few. A penetration test can discover those other issues.

Vulnerability scans provide rapid detection of vulnerabilities at a price often 2 – 4 times cheaper than a penetration test (which generally includes a vulnerability scan of some sort). That is, if a penetration test for a business would cost $25,000, a vulnerability scan with the same systems in scope will cost between $6,000 – $17,000, depending on factors such as the number of systems, credentialed vs. non-credentialed scanning, depth of scan, and types of systems scanned.

As a mature and competitive industry, there is a vast number of vendors offering vulnerability scans. Each tries to differentiate itself with unique features such as risk quantification, or targets different industries, markets, and use cases, such as a scanner geared toward penetration testers.

Prices are competitive and regardless of which scanner is purchased core features are the same. A typical small business can get regular scans for about $2,300 per year.

Check out some of the below vendors:

Phishing Simulation

According to the most recent Verizon Data Breach and Incident Report (2020), 20%+ of all breaches start with a phishing email. (Another 20% are from the use of stolen credentials, but that is for the Attack Surface Analysis section).

Phishing simulation can go a long way to training company employees to spot and report phishing emails. When effective training is undertaken (read: up to date, and regular), then a 3% click rate is not just a place in Atlantis.

There are a number of vendors providing continuous phishing simulation and training.

A small business will pay between about $300 – $2,000 per year depending on the number of “seats”.

A couple of vendors in this space are KnowBe4 and Barracuda PhishLine.

Attack Surface Analysis

Attack Surface Analysis (ASA), sometimes called Attack Surface Management (ASM), is not a new term but has taken on a more robust meaning in the last few years. Where once the attack surface referred only to a system’s or application’s interface, it has now expanded to include the entire organization’s people (in a crude sense, people are “interfaces”) and technologies.

Further, this new sense of the term generally includes all relevant information an attacker could discover and use as a means to craft or target an attack – think job postings that include confidential technology information, disgruntled employees posting on “job review sites”, or stolen credentials (20% of all breaches) available on the dark web.

ASA/M as a service offering is still young, so there is no standard feature set; however, most vendors seem to provide the following combination of features:

  • vulnerability scans
  • automated and sophisticated recon
  • dark web scans

However, vendors are still working out the market, so the uncertain market demand for ASA has produced a large array of competing features and pricing models.

There are massive price ranges, from $2,500 to $200,000 per year. The assumption of this article is that the reader is looking for a penetration testing alternative as a cost-saving measure. With that in mind, consider Intruder.io‘s Pro option (priced for 10 “targets”) or Detectify’s Surface Monitoring (starting-from price).

Recreating the Penetration Test in the Aggregate (AKA Moneyball)

A penetration test usually consists of reconnaissance, vulnerability scanning, phishing, attack chain exploitation, and reporting.

Money Testing

If a small business with about 28 scannable systems and 25 employees were to combine intruder.io with KnowBe4, that small business would have unlimited attack surface analysis (recon+), vulnerability scanning, phishing, and reporting for about $4700. The only thing missing is attack chain exploitation of complex vulnerabilities and the other issues only a penetration test can discover.

Money Ball = $4,700

One time Penetration Test = about $10,000

The options aren’t endless, but there are a few, and each little bit more means more reliable risk analysis. When it’s all done you might not win a World Series, but maybe you’ll win a pennant and that’s better than nothing.
