This is one excellent value. At about $12 per IP at the 1,000 IP level it certainly comes in at the low end of the price spectrum. We tested the SAINTbox Model 300. The box came with a two-page quick-start guide and we found everything we needed there. We powered it up and attached a keyboard, mouse and screen to it. From that point, following the guide was easy. Each of the eight setup steps is clear and we got excellent results in that we were up and ready to start scanning in 15 minutes.
SAINT is one of the pioneers in mixing vulnerability assessment and penetration testing in the same tool. SAINT (Security Administrator's Integrated Network Tool) originally was a rework of SATAN (Security Administrator's Tool for Analyzing Networks). Back when these tools were open source they caused a lot of concern in security circles. For example, in the mid-1990s, HP put out a warning to its HP-UX customers that SATAN was coming and they needed to tighten up their security.
Unlike those old, cobbled-together collections of hacking scripts - mostly for Unix - today's SAINT is a paragon of professionalism. The GUI is very user-friendly, the functionality is first-rate and the performance is right where it needs to be. The integration of SAINTexploit into the vulnerability scanner provides a solid path from vulnerability assessment to pen testing (as of SAINT8, SAINTexploit is fully integrated into the product instead of being an option). When an asset has an exploitable vulnerability the dashboard shows that and suggests how to exploit it.
Once we were set up and ready to go, the next step was setting up a scan policy. From this, SAINT knows what vulnerability assessment probes to run against the asset. This, in turn, results in pen testing suggestions. In the meantime, SAINT stores the vulnerability assessment data in its backend database.
The dashboard - our landing page in this case - is pretty typical of dashboards throughout the industry. That, we think, is a good thing since it is familiar and easy to navigate for those who have been around other tools. Tabs across the top clearly present navigation options, such as scan, analyze, report, ticket, etc. Each tab has detailed options as well, so getting to the broad category leads you to sub-categories - again, consistent with what a user might expect.
Once we had run our scan we could opt to select the Exploit Tab and move on to attack the vulnerabilities our vulnerability assessment scan found. The exploit process is a bit more complicated. Even though SAINT has a wide variety of available exploits, some setup is required to use one. The setup is not particularly difficult and experienced pen testers likely will find it trivial, but for newbies there will be a bit of a learning curve. This is not a fully automated exploit tool at this point, although it does have an automated pen test option.
The automated pen test begins with a scan to identify devices and running services. It then determines which exploits apply and attempts the exploits. Finally, it documents the results and makes them available to the tester. The notion of automating pen tests is debated in pen testing circles. For our part we like having both the manual and automated options. We also liked the finesse of selecting only those exploits that address services actually running on the target. This is not quite the same as a "hail mary" in Armitage which is a lot noisier.
Documentation is very good. It's complete with lots of screen shots and step-by-step instructions. The website is complete and well laid out, and there are several support options - ranging from pretty plain vanilla to extended - with personalized assistance. Pricing makes this a very good value for the money.
