What is Manual Penetration Testing?

Is Manual Penetration Testing Better than Automated Penetration Testing?


Manual Penetration Testing

Last Updated on September 13, 2022 by Redbot Security

Penetration Testing – Manual vs Automated Pen-testing

Penetration tests use a range of methods to detect vulnerabilities in applications and to evaluate the security of a system or network. During the test, weaknesses are exploited through authorized, simulated attacks. The goal is to protect sensitive information from outsiders such as hackers who might gain unauthorized access to the system. Once a vulnerability has been detected, the tester attempts to use it to retrieve data from the system, demonstrating what an attacker could obtain. A penetration test is also called a pen test.

Manual Penetration Testing – Overview

“Adversaries continue to show that they have moved beyond malware. CrowdStrike has observed that attackers are increasingly attempting to accomplish their objectives without writing malware to the endpoint. Rather, they have been observed using legitimate credentials and built-in tools — an approach known as “living off the land” (LOTL) — in a deliberate effort to evade detection by legacy antivirus products. Of all detections indexed by the CrowdStrike Security Cloud in the fourth quarter of 2021, 62% were malware-free.” CrowdStrike

So, how do organizations protect their critical data and systems in today’s evolving threat landscape? Is manual penetration testing, with its human element, more reliable than automated vulnerability scanners? What is manual penetration testing, and how does it work?

Definition: Manual Penetration Testing is a controlled assessment of networks and applications that safely identifies and validates real-world vulnerabilities that are potentially exploitable. Manual Penetration Testing removes false positives and provides proof-of-concept reporting along with an exploit storyboard for easier remediation.

Manual penetration testing is quickly becoming the top choice over automated tests for organizations looking to simulate what a threat actor could do. As a deep dive into networks, devices and applications, Manual Penetration Testing, if performed correctly, can identify exploitable vulnerabilities that automated tests easily miss or that a scanner simply cannot find.

MCPT, or Manual Controlled Penetration Testing, is performed by an ethical hacker or penetration tester who has the same knowledge a malicious actor has. Fortunately, an ethical hacker is on the good side and can simulate what the bad side can do. The penetration tester highlights many business logic flaws that automated software typically fails to identify. However, keep in mind that Manual Penetration Testing can be time-consuming and more expensive than running a scan.

Typically, a Manual Penetration Test or Pen-test is performed by senior-level experts who find vulnerabilities in a system, network and/or application. Using their experience with network systems, custom scripts and tools, the senior engineer then takes the appropriate controlled steps to attempt manual exploitation of those vulnerabilities. Additional knowledge of and expertise within IT/OT environments is essential for performing a non-disruptive manual penetration test. Hiring inexperienced teams can often result in unintentional denial of service or, in the worst case, cause sensitive services to crash.

Manual penetration testing performed by humans typically has the following stages:

Manual Penetration Testing Stages

  • Discovery. The first phase of penetration testing is OSINT and discovery.
  • Penetration Testing. The testing phase is performed by qualified engineers. The penetration tester uses automated scanners for enumeration and port scanning, then performs manual exploitation based on their level of expertise, testing techniques and tool knowledge.
  • Assessment. The team then determines the risk to the organization based on the frameworks used during the penetration testing phase.
  • Knowledge Sharing. The penetration tester or pen-test team provides clear results with proof-of-concept reporting and remediation recommendations.
  • Remediation. The organization remediates findings that pose a risk.
  • Retesting. The penetration tester retests the remediated vulnerabilities and provides a final pen-test report with proof of remediation.

It’s important to know that current technology has made great progress but still cannot compete with modern-day hackers, “the human element”. Build something and someone will be able to break it. Modern-day scanners and Penetration Testing as a Service (PTaaS) providers are unable to truly hack their way into privileged information. A vulnerability scan is not a worthy substitute for a highly focused testing engagement driven by human knowledge and expertise.

Note: Many so-called penetration tests (read: low cost) are just glorified vulnerability scans dressed up as pen-tests, spitting out 1000-page reports of false positives. Furthermore, junior-level techs working 24/7 to monitor PTaaS cannot identify what is exploitable and what is a false positive, and ultimately do not have the professional skills and system knowledge to safely attempt any type of real-world exploit with controlled methods.

Manual Penetration Testing is vital when attempting exploits on any system or device. However, for critical infrastructure testing, it becomes even more important that the testing team has controls in place: back-out procedures, daily meetings and a fine-tuned communication strategy. Without these controls, an operator of these systems risks a potential catastrophe.

Manual Penetration Testing is essential for critical infrastructure. ICS/SCADA networks can be easily disrupted by traditional IT active scanning techniques. The potential consequences of disrupting critical systems include:

*  Reduction or loss of production at one site or multiple sites simultaneously.
*  Injury or death of employees.
*  Injury or death of persons in the community.
*  Damage to equipment.
*  Environmental damage.
*  Violation of regulatory requirements.
*  Product contamination.
*  Loss of proprietary or confidential information.
*  Loss of brand image or customer confidence.

Schedule a demo/meeting with Redbot Security’s Manual Penetration Testing team. The team uses a comprehensive pen test assessment methodology, providing results with the utmost accuracy and ensuring representative coverage of the risks facing an application or information system.

This assessment methodology is based upon an understanding of the

  • business use cases,
  • types of data stored, processed, or transmitted by a given system or system component.

This evaluation involves a form of threat modeling by which system components are broken into their constituent elements representing

  • use cases,
  • data,
  • users,
  • processes,
  • components,
  • technologies and boundaries.

Once these elements are decomposed, the potential risks affecting their interaction are evaluated by the assessment team, as illustrated by the following process flow:

  • Scope: define and understand the scope of work
  • Review: review the target architecture, technology and capabilities
  • Construct: threat model and attack scenarios
  • Develop: assessment plan
  • Analyze: the target in a production-like environment
  • Identify: security vulnerabilities
  • Determine: extent of business impact
  • Exploit: difficulty and likelihood
  • Ratings: develop/map ratings using relevant standards
  • Controls: map vulnerabilities against policies, procedures and standards
  • Document: document findings and supporting documentation
  • Knowledge Transfer: transfer information and knowledge
  • Remediation: client remediation best practices
  • Engaged: follow-ups/retesting and remaining engaged
  • Research: knowledge base

Manual Penetration Testing, or MCPT (Manual Controlled Penetration Testing), is thorough and in many projects will look for issues such as:

  • Open Source Intelligence (OSINT) Gathering and Data Collection
  • Enumeration of Publicly Accessible Services
  • Email-based (non-phishing) attack techniques
  • Buffer Overflow & Underrun Conditions or Race Conditions
  • Misconfigured Services
  • Insecure Services
  • Password Guessing & Default Passwords
  • Protocol Manipulation
  • Man-in-the-Middle (MitM) Interception or Replay of Credentials
  • Authentication Exploitation & Bypass
  • Testing Cryptography Implementations
  • Weak or Insecure File and File Share Permissions
  • Exploitation of Domain Trust Relationships
  • Database Security Misconfigurations
  • Limited Web Application Penetration Testing

Manual Penetration Testing can help your team find exploitable vulnerabilities before bad actors find them.

If you are looking to find exploitable vulnerabilities on your OT/IT networks, Manual Controlled Penetration Testing (MCPT) is an easy-to-execute, cost-effective solution.

Manual Controlled Penetration Testing provides reports written by experts that highlight key data and exactly how targets were compromised, as well as best-practice recommendations and a complete review of the remediation recommendations.

What’s the difference between manual and automated penetration testing?

Typically, penetration testing is an authorized cyber attack on a network. It is performed not to harm the network, but to determine how effective the network is at repelling threats. After the pen test, the vulnerabilities found can be corrected. Penetration tests are performed manually by humans or with automated methods, and each has different advantages and disadvantages. What does automation mean here, and how should it work? The details follow.

Vulnerability Scanners vs Manual Penetration Testing?

The difference, which is not always obvious, has to do with the goals of the testing and the organization’s current security approach.

A vulnerability assessment is designed to identify as many vulnerabilities as possible within a network, application or system. This type of assessment usually occurs as a first-level analysis within an organization to help identify its current security posture. The organization knows it has problems and needs help identifying them.

Penetration tests are typically reserved for organizations that have reached their desired security posture: they have eliminated all known and discovered vulnerabilities, have updated systems and patches, and have some type of cyber security program in place. The penetration test simulates an attempt to breach the organization’s systems by finding exploits and vulnerabilities based upon pre-agreed goals.

Should I perform a vulnerability assessment and a penetration test?

The classic rule of thumb for an organization is that any time major changes occur to your network, you should do a vulnerability assessment.

Here are a few examples of these changes.

  • New hardware, Infrastructure changes (Firewall, switches, routers, servers)
  • Changes in Compliance, Regulations, Laws
  • Change Management (Firewall Rules, Routing, VPNs, Wireless)
  • Software (removal or addition of new software applications)

As we can see, scheduling vulnerability assessments can be very difficult to budget and plan without a long-term IT implementation plan in place. Companies like Redbot Security offer organizations the option of pre-purchasing vulnerability assessments at a discounted rate on an annual contract. If a company typically performs four assessments a year, although at various times, this becomes a valuable, cost-effective option.

Testing becomes more periodic when we start talking about manual penetration testing. Every organization is dynamic. From the data to the infrastructure, everything is in a continual state of change. There are multiple factors to analyze to determine when and how a penetration test should occur. These factors can range from your current IT footprint, company size, and levels of compliance and regulation to the regions where you do business or organizational growth. Either way, we recommend that all companies with some level of cyber posture perform at least one penetration test a year.

Manual Penetration Testing Advantages and Disadvantages

| Advantages of Manual Pen-Testing (Benefits) | Disadvantages of Manual Pen-Testing (Potential Negatives) |
| --- | --- |
| No or reduced false positives | Not as easy to schedule or set up |
| Goes beyond just listing vulnerabilities | Pricing is more expensive than a scan |
| Proof-of-concept reporting | Can potentially disrupt systems if not performed correctly |
| Storyboard of exploits and testing proof | Requires more time |
| Testing is typically performed by engineers with more knowledge | Scanning companies not performing true Manual Penetration Testing |
| Shows steps to remediate | Results vary by vendor and security consultant |
| Demonstrates the steps taken to achieve the exploit | Not one-size-fits-all |
| Simulates what real-world bad guys can do | Penetration testing is not a one-time project |
| Considered an important compliance step and testing method for hardened cybersecurity | Results are only a snapshot in time |


Pen-Test Your Internal Network.

33% of data breaches involved social engineering. 43% of data breaches involved small businesses. The average size of a data breach is 25,575 records. … Targeted emails, or spear phishing, is reported by businesses to be used in 91% of successful data breaches and 95% of all enterprise networks. via purplesec

Internal networks can easily be hacked by phishing emails. Once an intruder has access to your internal network, it’s just a matter of time until they have access to your critical data.

Manual Penetration Testing Example: Simulating real-world attacks

During an internal network manual penetration test, Redbot Security deploys a Virtual Machine (VM) on the target internal network to simulate a malicious actor who has gained unauthorized access through a company workstation. Many times, Redbot Security finds LLMNR and NetBIOS traffic present, which can be poisoned and leveraged for password hash interception. More often than not, client hosts do not require SMB signing, and these hosts can be used as targets for password relay attacks.

With elevated privileges obtained on hosts, Redbot Security can extract the local administrator password hash. Often the same local administrator password is valid across multiple hosts. Through reconnaissance and continuous scanning, Redbot Security leverages the local administrator credentials to locate a domain admin’s cleartext password stored in memory. Redbot is then able to pull down the NTDS.dit file from the domain controller, which contains the password hashes of all domain accounts.

In addition, if a company has a weak password policy, Redbot Security can quickly crack 50% or more of the hashes within one round of password cracking. With passwords cracked, Redbot Security is able to locate sensitive shares and networks, potentially associated with a company’s SCADA and OT environments, and ultimately access information that could be used to disrupt critical systems.

NetBIOS

NetBIOS, enabled by default on Windows 2000 and later systems, was meant to provide the host-to-host information necessary for file and resource sharing. The NetBIOS protocol is considered outdated and inefficient in enterprise environments. Therefore, NetBIOS should only be used when legacy systems require the protocol to maintain functional, business-required operations.

LLMNR

LLMNR is a protocol derived from the DNS packet format that allows IPv4 and IPv6 hosts to perform name resolution for hosts on the same broadcast domain; it has been enabled by default since Windows Vista. LLMNR is intended as a fallback for environments where DNS is not implemented, or where the environment is too large to process DNS requests effectively.

Typically, Microsoft Windows hosts perform name resolution in the following order:

  • Check the local system
  • Check the local cache
  • Check the local hosts file
  • Query DNS
  • Perform LLMNR request
  • Perform NetBIOS request

Because LLMNR is designed for interoperability, hosts within the broadcast domain do not check the trust relationship of other hosts to ensure that the information they receive is accurate. A malicious actor can abuse this by actively listening for LLMNR, DNS, NetBIOS, WPAD and other request packets and responding to the potentially vulnerable host. In many cases, the manipulation of the LLMNR and NetBIOS protocols leads to the interception of authentication credentials, direct system connections, or lateral movement.
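The behaviour described above has a simple detection signature from the defender's side: a legitimate host only answers LLMNR queries for its own name, whereas a rogue responder answers for whatever name is asked. The following PowerShell is an added example, not Redbot Security's tooling; it runs over a constructed set of LLMNR query/response observations (the kind a network sensor or packet capture would export) and flags any responder that answers for names absent from the host inventory. The `$KnownHosts` list, the observation records and the `Find-SuspiciousLlmnrResponders` function are all assumptions made for the example.

```powershell
# Added example (not Redbot Security's code): flag LLMNR responders that answer
# for names outside the host inventory. All sample data below is constructed.

# Constructed inventory of legitimate hostnames (in practice, exported from AD or DNS).
$KnownHosts = @('FS01', 'PRINT01', 'WS-1042', 'WS-1043')

# Constructed LLMNR observations: one object per query/response pair seen on the
# broadcast domain (requesting host, name queried, host that answered).
$Observations = @(
    [pscustomobject]@{ Time = '09:01:02'; Requester = '10.0.5.20'; QueryName = 'FS01';     Responder = '10.0.5.10' },
    [pscustomobject]@{ Time = '09:01:09'; Requester = '10.0.5.21'; QueryName = 'PRINT01';  Responder = '10.0.5.11' },
    [pscustomobject]@{ Time = '09:02:14'; Requester = '10.0.5.20'; QueryName = 'FILESRV';  Responder = '10.0.5.99' },
    [pscustomobject]@{ Time = '09:02:15'; Requester = '10.0.5.22'; QueryName = 'WPAD';     Responder = '10.0.5.99' },
    [pscustomobject]@{ Time = '09:02:40'; Requester = '10.0.5.23'; QueryName = 'SHAREPNT'; Responder = '10.0.5.99' },
    [pscustomobject]@{ Time = '09:03:01'; Requester = '10.0.5.21'; QueryName = 'WS-1043';  Responder = '10.0.5.43' }
)

function Find-SuspiciousLlmnrResponders {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [Parameter(Mandatory)] [string[]] $Inventory,
        [int] $Threshold = 2   # distinct unknown names one host may answer before it is flagged
    )
    $Records |
        # Keep only answers for names that do not exist in the inventory; a mistyped
        # share name or a stale shortcut is exactly what a rogue responder waits for.
        Where-Object { $Inventory -notcontains $_.QueryName } |
        Group-Object Responder |
        Where-Object { @($_.Group.QueryName | Sort-Object -Unique).Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                Responder    = $_.Name
                UnknownNames = (@($_.Group.QueryName | Sort-Object -Unique) -join ',')
                Requesters   = (@($_.Group.Requester | Sort-Object -Unique) -join ',')   # hosts that may have sent credentials
            }
        }
}

# With the constructed data this reports 10.0.5.99 answering for FILESRV, SHAREPNT and WPAD.
Find-SuspiciousLlmnrResponders -Records $Observations -Inventory $KnownHosts | Format-Table -AutoSize
```

The `Requesters` column matters for response: every host listed there attempted to connect to the rogue responder and may have handed over an NTLM challenge/response, so those accounts are the ones to rotate and those hosts the ones to review after the responder is isolated.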

Redbot Security typically recommends that clients disable the NetBIOS and LLMNR protocols as the most effective enhancement to their overall security posture. However, network and system administrators should consider the following before pursuing disablement:

  • Does the organization need or rely on LLMNR? Generally no, but if the environment does not have active DNS and does not support legacy systems, LLMNR should remain active until DNS is deployed.
  • Does the organization need or rely on NetBIOS? The NetBIOS protocol should only be active for legacy systems that currently require the protocol for proper communications, and in environments that do not have DNS. If NetBIOS is required, network and system administrators should configure local, host-based firewalls to accept communications only between necessary and authorized hosts.
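Once those two questions are answered, the recommendation above comes down to three host settings: the "Turn off multicast name resolution" policy value for LLMNR, the per-interface NetBIOS option, and SMB signing (which is what defeats the relay step mentioned in the example engagement). The script below is an added example written for this page, not Redbot Security's or Microsoft's code; it audits a single Windows host and only changes anything when run with `-Apply`. The registry paths and value meanings are the documented ones; the function names `Get-NameResolutionPosture` and `Set-NameResolutionHardening` are assumptions made for the example. Run it from an elevated PowerShell 5.1 or later session.

```powershell
# Added example (not Redbot Security's code). Audits, and optionally applies, the host
# settings behind the article's recommendation: disable LLMNR, disable NetBIOS over
# TCP/IP on every interface, and require SMB signing. Requires an elevated session.

$LlmnrPolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$NetbtInterfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-NameResolutionPosture {
    # EnableMulticast = 0 is the "Turn off multicast name resolution" policy; when the value
    # is absent, LLMNR is enabled (the default since Vista, as the article notes).
    $multicast = (Get-ItemProperty -Path $LlmnrPolicyKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    $llmnrDisabled = ($multicast -eq 0)

    # NetbiosOptions per interface: 0 = use the DHCP-supplied setting, 1 = enabled, 2 = disabled.
    $netbios = Get-ChildItem -Path $NetbtInterfaces | ForEach-Object {
        $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        [pscustomobject]@{ Interface = $_.PSChildName; NetbiosOptions = $opt; Disabled = ($opt -eq 2) }
    }

    $smbServer = Get-SmbServerConfiguration
    $smbClient = Get-SmbClientConfiguration

    [pscustomobject]@{
        LlmnrDisabled           = $llmnrDisabled
        NetbiosInterfaces       = $netbios
        AllNetbiosDisabled      = -not ($netbios | Where-Object { -not $_.Disabled })
        SmbServerRequireSigning = $smbServer.RequireSecuritySignature
        SmbClientRequireSigning = $smbClient.RequireSecuritySignature
    }
}

function Set-NameResolutionHardening {
    param([switch] $Apply)

    if (-not $Apply) {
        Write-Host 'Audit only; re-run with -Apply to change settings.'
        Get-NameResolutionPosture | Format-List
        return
    }

    # 1. LLMNR off. This writes the same value the Group Policy setting does; if a domain
    #    policy configures it, the policy wins on the next refresh.
    if (-not (Test-Path $LlmnrPolicyKey)) { New-Item -Path $LlmnrPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $LlmnrPolicyKey -Name EnableMulticast -Value 0 -Type DWord

    # 2. NetBIOS over TCP/IP off on every interface. Skip this step on a host with a
    #    documented legacy dependency and restrict 137-139/tcp+udp with the host firewall instead.
    Get-ChildItem -Path $NetbtInterfaces | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
    }

    # 3. SMB signing required on both the server and client side.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

    Get-NameResolutionPosture | Format-List
}

# Usage:
#   Set-NameResolutionHardening          # audit, no changes
#   Set-NameResolutionHardening -Apply   # enforce, then print the resulting posture
```

The NetBIOS change is read when the adapter initialises, so expect the `Disabled` column to reflect it only after a reboot or an adapter reset; the LLMNR policy and SMB signing settings take effect immediately. At scale the same three settings belong in Group Policy rather than in a per-host script, with this script serving as the compliance check.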


Summary

In summary, a vulnerability scanner such as Nessus* or Nmap* is a necessary tool for discovering vulnerabilities, whether through internal scans performed by your company or scans performed by third parties. Manual Penetration Testing goes quite a bit farther, verifying false positives and manually attempting to show proof of concept for exploits, something a scanner is not able to do at present.

*Nessus is one of the most popular vulnerability scanners, with over two million downloads across the globe. Additionally, Nessus provides comprehensive coverage, scanning for over 59,000 CVEs.

*Nmap port scanner. This tool does not go as broad in its detection, but it is more focused on mapping open ports (services) across a network. An open port that should not be accessible can still be a vulnerability.
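The point that an unexpected open port is itself a finding is easy to operationalise: keep a baseline of the services each host is approved to expose and diff every scan against it. The PowerShell below is an added example, not Nmap's or Redbot Security's code; it parses Nmap's greppable output format (`-oG`) from constructed sample lines and reports open ports that are not in a constructed per-host baseline. The `$Baseline` table and the function names are assumptions made for the example.

```powershell
# Added example (not Redbot Security's or Nmap's code). Compares open ports in Nmap
# greppable (-oG) output against an approved-services baseline. The scan lines below
# are constructed; a real run would be `nmap -oG scan.gnmap <scope>` then
# `$ScanLines = Get-Content scan.gnmap`.

$ScanLines = @(
    '# Nmap scan initiated (constructed sample)',
    "Host: 10.0.5.10 (fs01.corp.example)`tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///`tIgnored State: closed (998)",
    "Host: 10.0.5.11 (print01.corp.example)`tPorts: 9100/open/tcp//jetdirect///, 23/open/tcp//telnet///`tIgnored State: closed (998)",
    "Host: 10.0.5.99 ()`tPorts: 445/open/tcp//microsoft-ds///, 139/open/tcp//netbios-ssn///`tIgnored State: closed (998)"
)

# Approved TCP services per host (constructed). A host missing from the baseline is itself a finding.
$Baseline = @{
    '10.0.5.10' = @(445)
    '10.0.5.11' = @(9100)
}

function ConvertFrom-NmapGrepLine {
    # Turns one "Host: ... Ports: ..." line into one object per open port.
    param([string] $Line)
    if ($Line -notmatch '^Host:\s+(?<ip>\S+)\s+\((?<name>[^)]*)\)\s+Ports:\s+(?<ports>[^\t]+)') { return }
    $ip = $Matches.ip; $name = $Matches.name; $ports = $Matches.ports
    foreach ($entry in ($ports -split ',\s*')) {
        # -oG port fields: port/state/protocol/owner/service/rpc info/version/
        $f = $entry -split '/'
        if ($f[1] -ne 'open') { continue }
        [pscustomobject]@{ Host = $ip; Name = $name; Port = [int]$f[0]; Proto = $f[2]; Service = $f[4] }
    }
}

function Compare-OpenPortsToBaseline {
    param([string[]] $Lines, [hashtable] $Approved)
    $Lines | ForEach-Object { ConvertFrom-NmapGrepLine $_ } | ForEach-Object {
        $allowed = $Approved[$_.Host]
        if ($null -eq $allowed) { $reason = 'host not in baseline' }
        elseif ($allowed -notcontains $_.Port) { $reason = 'port not approved' }
        else { return }   # approved service: nothing to report
        [pscustomobject]@{ Host = $_.Host; Port = $_.Port; Service = $_.Service; Finding = $reason }
    }
}

# With the constructed data this reports 3389 on 10.0.5.10, 23 on 10.0.5.11,
# and both ports on the unknown host 10.0.5.99.
Compare-OpenPortsToBaseline -Lines $ScanLines -Approved $Baseline | Format-Table -AutoSize
```

Each finding still needs a human to decide whether the port is a misconfiguration, an undocumented but legitimate service, or a host that should not be on the segment at all; that triage is the part of the work the article is describing when it distinguishes a scan from a manual test.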


Best Manual Penetration Testing Solutions

As technology becomes more reliable, penetration testing is rapidly growing into a large industry. Each year, new vendors flood the market offering innovative APTM/MPT solutions to customers at an affordable price. Companies should choose wisely: investing with market leaders only guarantees their financial safety.


If your company has decided on a vendor for Manual Penetration Testing, the following process steps are typical:

Scope of Work

  • Scoping Questionnaires
  • Recommendations
  • Demos
  • Alignment

Effort Determination

  • Budget Limitations
  • Client Expectations
  • Statement of Work
  • Scheduling

Project Kick-Off

  • Rules of Engagement
  • Communication Strategy
  • Timeline
  • Set up
  • Q&A

Testing - Execution

  • Status Updates
  • Notification – Critical findings
  • Proof Gathering

Exploit

  • Discuss Exploits
  • Key findings
  • Initial Report Creation

Reporting

  • Executive Summary
  • Storyboard
  • Proof of concept
  • Risk Ratings

Retesting

  • Retesting after Remediation
  • Final Report Delivery
  • Report Review

Engage

  • Stay Engaged
  • Ask Questions
  • Transparency
  • Build Relationship

Redbot Security

Redbot Security provides network, application, mobile and critical infrastructure security testing without disruption. Our team is led by the nation’s top ICS/SCADA and senior-level, fully certified penetration testing experts. We have a proven track record and can help secure your networks during these times of increased threats.


3 Comments

  1. […] dangerous vulnerabilities within a particular application or network. During such processes a human will attempt to manually find and exploit weaknesses of a network, application or device. The penetration test aims to protect […]

  2. zortilo nrel, November 6, 2021 at 7:17 pm

    Great site! I am loving it!! Will come back again. I am taking your feeds also

  3. […] testing company for your project is to know if they are selling you a vulnerability scan or true Manual Controlled Penetration Testing.  In addition if you select the wrong company you may end up with a 1000 page report of false […]
