Cybersecurity blog

Automated Penetration Testing Tools: Strengths, Limits & When You Still Need a Human

PCI SSC Qualified Security Assessor — CYBERSIGMA CONSULTING SERVICES LLP

QSA Authorized
CEMEA · Asia Pacific · USA

Our Offerings -PCI-DSS Audit,RBI/SEBI/IRDAI/Aadhar/NBFC & Housing Cybersecurity Audit,SOC1/2/3,GDPR,ISMS,ISO,Our Offerings -PCI-DSS Audit,RBI/SEBI/IRDAI/Aadhar/NBFC & Housing Cybersecurity Audit,SOC1/2/3,GDPR,ISMS,ISO,

Automated Penetration Testing Tools: Strengths, Limits & When You Still Need a Human

A scanner has never once talked its way past a receptionist. It has never noticed that the price field on a checkout page was a hidden integer it could set to minus one and walk away with a credit. It has never chained three low-severity findings that every tool marked as informational into a full account takeover. Yet every quarter a client sends us a 400-page automated scan report and asks why we still charge for a manual test.

The honest answer is that automated tools and manual testers are not the same job wearing two price tags. They are different instruments that fail in different places. If you buy one believing it does the work of the other, you will pass your scan and fail your breach. This guide is the version of that conversation we have in the audit room, minus the diplomacy.

What the machines are actually good at

Start by giving automation its due, because plenty of manual testers oversell their own value by pretending scanners are useless. They are not. For breadth, speed and repeatability, nothing beats a well-tuned tool chain, and no auditor worth their empanelment does a large scope without one.

The two families you will meet are SAST and DAST. SAST is Static Application Security Testing: it reads your source code without running it, looking for dangerous patterns such as unsanitised input flowing into a SQL query. DAST is Dynamic Application Security Testing: it attacks the running application from the outside, like an attacker would, without seeing the code. There is a third cousin, IAST (Interactive Application Security Testing), which instruments the running app to watch data flow from the inside, but in Indian mid-market engagements you will mostly deal with SAST and DAST.

Here is where each earns its keep.

Tool typeWhat it does wellWhat it cannot see
SAST (static / code)Finds insecure patterns early, covers every code path, runs in CI on every commit, catches hardcoded secrets and weak crypto callsRuntime behaviour, business logic, whether the vulnerable code is even reachable, config and infrastructure gaps
DAST (dynamic / running app)Confirms exploitable input points from outside, no source needed, catches server misconfig and exposed endpointsAnything behind authentication it cannot navigate, multi-step logic flaws, race conditions, findings needing chained steps
Network / infra scannersFast CVE and missing-patch detection across thousands of hosts, TLS and open-port hygiene, version fingerprintingWhether a CVE is actually exploitable in your context, false positives from back-ported patches, segmentation logic

That last column is not a footnote. It is the entire reason manual testing exists. A scanner tells you a door is unlocked. It cannot tell you the door leads to the vault, or that the lock is decorative and the real entrance is round the back.

The five things a scanner will never find

After a few hundred engagements the pattern is boringly consistent. The findings that actually get organisations breached, and the findings that fail a serious audit, cluster into five categories that no automated tool reliably catches. Call them the five blind spots.

1. Business logic flaws

A scanner has no idea what your application is supposed to do. It does not know that a loan-disbursal API should never approve an amount above the sanctioned limit, or that a discount coupon should apply once. We routinely find flows where a user can skip the payment step and still receive the goods, or replay a one-time-password because the server never invalidates it. These are the vulnerabilities that make the newspapers, and they are invisible to SAST and DAST because the code is doing exactly what it was told to do. It was just told the wrong thing.

2. Chained low-severity findings

Tools rate findings in isolation. A verbose error message here, a predictable object ID there, a missing rate limit somewhere else, each rated low or informational and each ignored by a busy team. A human links them: read the error to learn the ID format, enumerate the IDs because there is no rate limit, and pull every customer record. Three lows become one critical. No scanner does this arithmetic.

3. Authentication and authorisation logic

DAST can log in if you give it credentials, but it cannot reason about who should be allowed to do what. Broken object-level authorisation, where user A can read user B data by changing an ID in the URL, remains the single most common serious finding we report, and automated coverage of it is poor because the tool cannot tell an intended cross-tenant access from a bug.

4. Context and false positives

The inverse problem. Scanners cry wolf. A network scanner flags a CVE on a service where the patch was back-ported by the OS vendor, so the version string looks vulnerable but the code is not. Hand a raw 400-finding scan to an examiner and you will spend the audit defending noise instead of fixing risk. Triage is a human skill and it is most of the value.

5. The human layer

Social engineering, physical access, a helpdesk that resets passwords without verification. CERT-In and RBI both expect this to be in scope for a real assessment, and no tool tests it at all.

What actually happens in the room

A payments company in Pune, PCI DSS in scope, came to us confident. Their quarterly ASV scan (Approved Scanning Vendor, mandated under PCI DSS Requirement 11.3.2) was clean and green. Their internal SAST pipeline broke the build on anything above medium. On paper, unbreakable.

On day two of the manual test, one of our team noticed the refund endpoint accepted a negative amount. The scanner had tested that endpoint, confirmed it required authentication, found no injection, and moved on. It never occurred to the tool to send minus five thousand rupees. The negative refund credited the attacker card and debited the merchant float. From there, the transaction IDs were sequential, so every refund in the system could be enumerated and reversed. One business-logic flaw, invisible to two tool chains, would have drained the settlement account before the next ASV scan even ran.

That is the shape of nearly every real finding. The tools did their jobs. The jobs just did not include the flaw that mattered.

Where the Indian regulators actually stand on this

This is not merely good practice, it is written into the frameworks you are audited against. Every major Indian regulator expects both automated coverage and manual expert testing, and the seniority of the tester is increasingly explicit.

FrameworkWhat it expects on pentestingThe automation-only trap
RBI Cyber Security Framework (2016) & Master Direction on IT Governance (2023)Periodic VAPT of critical systems, with vulnerability assessment and penetration testing named as distinct activitiesA VA scan alone does not satisfy the PT limb; examiners ask specifically for manual testing evidence
CERT-In (2022 directions & empanelment)Security audit by CERT-In empanelled auditors; manual verification of findings is part of the empanelment methodologyTool output without auditor validation is not an empanelled audit report
PCI DSS v4.0Req 11.3.1 internal and 11.3.2 external penetration testing at least annually and after significant change; segmentation testing under 11.4ASV scans (11.3.2 quarterly) are separate from and do not replace the annual penetration test
SEBI CSCRF (2024)VAPT for regulated entities on a defined cadence with reporting to the board and SEBISelf-attested scans without qualified tester sign-off do not meet the assurance bar
IRDAI & DPDP contextSecurity safeguards proportionate to risk; VAPT expected for systems holding personal dataPersonal-data breach liability is not reduced by a clean scan if logic flaws remained untested

Notice the recurring word: penetration testing is named as a distinct activity from vulnerability assessment. Regulators drew that line deliberately. A vulnerability assessment is largely what a scanner produces, a list of potential weaknesses. A penetration test is what a human does with that list, proving which weaknesses are actually exploitable and chaining them. When your RBI examiner asks to see your VAPT report, they are asking for both halves. Submitting only the automated half is the most common gap we see, and it is an easy finding for them to raise.

So what should you actually run, and when

The mature answer is not tools versus humans. It is tools continuously, humans periodically and after change, with the humans reviewing what the tools produce. Here is the cadence that survives an audit and a real attacker.

ActivityFrequencyWho / what
SAST in CI pipelineEvery commit / buildAutomated, developers triage
DAST against stagingWeekly to monthlyAutomated, security team triage
Network / infra vulnerability scanMonthly (quarterly minimum for PCI ASV)Automated ASV / internal scanner
Full manual VAPT of critical appsAnnually and after significant changeSenior CERT-In empanelled tester
Business-logic and auth deep diveAnnually, part of manual VAPTHuman, scenario-driven
Social engineering / red teamAnnually or as risk dictatesHuman, scoped exercise

The cost conversation, honestly

Clients push back on manual pricing because a tool licence looks cheap by comparison. The comparison is real, but it is not the right one. You are not choosing between spending on a tool or a tester. You are choosing what residual risk you carry into your next incident.

OptionTypical Indian cost rangeWhat you are really buying
Commercial DAST / SAST licenceINR 3 to 15 lakh per yearContinuous breadth, false-positive noise, no logic coverage
Automated-only VAPT reportINR 40,000 to 1.5 lakh per appA scan with a cover page; rarely survives a serious examiner
Senior manual VAPT (empanelled)INR 1.5 to 6 lakh per app depending on scopeExploited findings, chained attacks, logic and auth coverage, audit-ready sign-off
A material breachINR crores plus DPDP penalties up to 250 croreThe bill you avoid by paying the one above

The DPDP Act penalty ceiling of 250 crore rupees for failure to take reasonable security safeguards changes the arithmetic permanently. A regulator or the Data Protection Board asking whether your security safeguards were reasonable will not be impressed that you owned a scanner. They will ask whether a competent tester actually examined the systems holding personal data. That question has a yes or no answer, and the scanner cannot give it for you.

A checklist before you sign off on any pentest

Whether the work is in-house or outsourced, run the engagement against this list. If any item is a no, you have an automated scan wearing a penetration-test label, and an examiner will spot the difference.

  • Does the report distinguish vulnerability assessment findings from penetration testing findings, as RBI expects?
  • Is there evidence of manual verification for each high and critical finding, not just tool output?
  • Were business-logic flows tested by scenario (payment bypass, negative amounts, replay, workflow skipping)?
  • Was broken object-level authorisation tested by manipulating identifiers across accounts?
  • Were low and informational findings reviewed for chaining into a higher-severity attack path?
  • Are false positives triaged out with a stated reason, so the examiner sees signal not noise?
  • For PCI scope, are the annual penetration test and the quarterly ASV scan both present and clearly separate?
  • Is the tester CERT-In empanelled where empanelment is required, with named individuals and credentials?
  • Does the report include a retest confirming the fixes actually closed the findings?

The bottom line

Buy the tools. Run them constantly. Break the build on real findings and scan every host every month. Automation is the only sane way to cover breadth at speed, and any tester who dismisses it is showing off. But do not mistake coverage for assurance. The scanner tells you which doors are unlocked. It takes a human to notice the door leads to the vault, to walk in, and to tell you honestly what they found on the other side.

At CyberSigma we run the tool chains and then do the part they cannot, as senior CERT-In empanelled auditors and PCI QSAs who still sit in the room and test by hand. If your last pentest was 400 pages of green with no chained findings and no logic testing, that is worth a second look before your next examiner takes one.

FAQs

Is a vulnerability assessment the same as a penetration test?

No, and Indian regulators treat them as distinct. A vulnerability assessment is largely automated, producing a list of potential weaknesses. A penetration test is a human proving which of those weaknesses are actually exploitable, chaining low findings into real attack paths, and testing business logic no scanner understands. RBI and PCI DSS both expect both activities, not one standing in for the other.

Can automated tools satisfy my PCI DSS penetration testing requirement?

Not on their own. PCI DSS v4.0 Requirement 11.3.1 and 11.3.2 mandate penetration testing at least annually and after significant change, performed to a documented methodology. The quarterly ASV scan under 11.3.2 is a separate, additional requirement. An automated scan is a vulnerability assessment, not the penetration test the standard demands.

What is the difference between SAST and DAST?

SAST, Static Application Security Testing, reads your source code without running it and finds insecure coding patterns across every code path. DAST, Dynamic Application Security Testing, attacks the running application from the outside like an attacker, without needing the source. They are complementary: SAST catches code-level flaws early, DAST confirms exploitability at runtime, and neither reliably finds business-logic or authorisation flaws.

Why do scanners miss business-logic vulnerabilities?

Because a scanner has no concept of what your application is meant to do. It cannot know that a refund should not accept a negative amount, or that a coupon should apply once. The vulnerable code runs exactly as written, so nothing looks anomalous to a tool. Only a human who understands the intended workflow can spot that the logic itself is the flaw.

How often should we run manual penetration testing?

Run automated SAST and DAST continuously and network scans monthly. Commission a full manual VAPT by a senior tester at least annually and after any significant change to the application or infrastructure, which is what RBI, PCI DSS and SEBI CSCRF expect. Business-logic, authorisation and social-engineering testing should be part of that annual manual engagement.

Does the DPDP Act change how we should approach pentesting?

Yes. With penalties up to 250 crore rupees for failing to take reasonable security safeguards, the question shifts from whether you scanned to whether your safeguards were actually reasonable for systems holding personal data. Demonstrating that a competent, ideally CERT-In empanelled, tester examined those systems by hand is far stronger evidence of reasonable safeguards than a clean automated report.

Naveen Kumar

Naveen Kumar

CyberSigma is a CERT-In empanelled cybersecurity firm helping Indian businesses with VAPT, ISO 27001, PCI DSS, SOC 2 and DPDP compliance — delivered by senior auditors, not juniors.

Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Leave A Comment

CyberSigma office locations across India, UAE, Egypt and Australia

Our Office

Locations we operate from

HQ, Noida, India

405, 4th Floor, Majestic Signia, Sector 62, Noida, Uttar Pradesh 201309

Pune, India

InCube Centre, Tejaswini Society, Lane 2, Aundh, PUNE, India, 411007

Mumbai, India

A802, Crescenzo, C /38-39, G-Block, Bandra Kurla Complex, Mumbai-400051, Maharashtra, India

Bengaluru, India

Maharaj, 152/4, 8th Cross, Chamrajpet, Bengaluru, Karnataka, India, 560018

UAE

Business Point Building - Office No. 702 - Dubai - United Arab Emirates

UAE

L.L.C Muna AlJaziri Building, Office No 303 Al Mararr Dubai, UAE

Egypt

19 Dr. Omar Dessouky Street, Cairo- Egypt 4271020

Australia

Level 4, 80 Market Street, South Melbourne 3205