SummaryWhen it comes to pen testing, there is nothing that this tool either cannot or won't soon do for you. First, it does a credible job of keeping up with exploits. There is a significant difference between a vulnerability assessment tool and a penetration testing tool. Pen test tools, on the surface, need to have the capability of penetrating the target. But there is a whole lot more in a commercial environment. First on my list is repeatability. If I run a set of tests and get a result, then anyone else using the same tool should get the same results.
This is not hacking in any of its hype-laden guises. This is production penetration testing with the purpose of performing in situ quality testing on the enterprise or its parts. Period. And that is a lot harder than it sounds. Impact has a set of scripted wizards that make preliminary testing easy. Of course, the scripted stuff is pretty loud and the skilled pen tester will be a whole lot more subtle. Impact allows that.
Production pen testing needs to be scriptable. That means I should be able write a macro that will run a set of tests every time I want to run it and know that the same procedures are being followed. That gives consistency and repeatability. This is just the ticket for production testing.
We have seen many of the other commercial and open source pen test tools and there are some very good ones. But when it comes to needing a consistent, configurable, customizable, easy-to-run pen testing tool, Core Impact from Core Security is a favorite hands-down. And it's because of its strength and consistency that it makes our anniversary list.