Best Pentest Tools Alternative for Continuous Protection: Attaxion EASM
Pentest Tools is just what its name says – a suite of tools for penetration testing specialists with cyber reconnaissance, vulnerability scanning, and exploitation tools.
On top of that, Pentest Tools has automation capabilities that allow security teams to interconnect and automate running these tools. That, in turn, allows users to build other, more complex security mechanisms combining individual tools from the toolbox.
For example, using Pentest Tools, one could theoretically build external attack surface management (EASM)-like processes that discover domains, subdomains, and web hosts, then run website recon to create a list of technologies used across the discovered assets, and finally scan everything for vulnerabilities and even attempt to exploit some of them.
Theoretically, with Pentest Tools’ relatively affordable pricing, such an approach could be a great budget alternative to an actual attack surface management platform. What about practically? Let’s compare Pentest Tools with a real external attack surface management platform – Attaxion – with a similar cost that manages this task out of the box.
Pricing
Pentest Tools Pricing
Pentest Tools is priced per asset and offers five different tiers: Free, Basic, Advanced, Teams, and Enterprise. Free and Basic allow up to 5 assets, Advanced brings it to 50, and Teams – to 500. Everything above is Enterprise.
Unlike most security tools that aren’t open-source, Pentest Tools has a free forever plan instead of a free trial. It includes only passive scanning (so-called “Light Tools”, and not all tools have light versions, so the scope is quite limited) and doesn’t offer any reporting.
The Basic plan provides most of the tools that Pentest Tools has at $113.6 (EUR 104.55) per month. The only missing parts from the technical perspective are scanning behind logins and through VPN, which are available on the plan called Advanced at ~$254 (EUR 233.7) per month, together with expanding the scope to up to 50 assets.
The plan called Teams ups the asset count to 500, doesn’t offer any additional security tools, but provides quality-of-life enhancements, multiple users, and integrations at ~$527 (EUR 485) per month. Annual plans make everything 15% cheaper. There’s also the on-premise option, but it’s considered enterprise and you can’t avoid a discussion with sales if you’re after this one.
Attaxion Pricing
Attaxion is also priced per asset, but the pricing model is still different. Starting at almost the same price as Pentest Tools’ Basic plan that includes 5 assets, Attaxion offers 40 assets on its Starter plan (for $129 per month).
It’s worth noting that the word “assets” means different things for different companies. Pentest Tools defines an asset as a “network host being scanned”, while Attaxion’s idea of assets includes domains and subdomains, IP addresses, CIDRs, and more. As a result, Attaxion’s count of assets for the same infrastructure will always be higher, but not 8 times higher.
Also, Attaxion offers more options on low-cost plans, making integrations and role-based access control available on every plan. Another important difference is that Attaxion provides a 30-day trial with all functions (even though the asset count is limited) so that you can understand if the tool is right for you. There’s no free forever plan though.
How They Compare
Pentest Tools vs Attaxion: Pricing

| | Attaxion | Pentest Tools |
| --- | --- | --- |
| Free plan | ❌ | ✅ (only Light Tools) |
| Free trial | ✅ (30 days) | ❌ |
| Pricing monthly | From $129/month | From $113.6/month (€104.55) |
| Pricing yearly | From $1,290/year | From $1,155/year (€1,066.41) |
| # of assets on cheapest plan | 40 | 5 |
Even though both are priced per asset, Attaxion and Pentest Tools cannot be compared directly in terms of pricing because of how different the rest of the pricing model is. Pentest Tools has a free plan and starts at a lower amount per month on the Basic plan, while Attaxion turns out to be somewhat more affordable if you’re trying to protect an entire attack surface instead of select assets.
Also, Pentest Tools doesn’t offer any integrations or multiple users on any tiers lower than Teams (at $527/month), while Attaxion offers everything including integrations and role-based access control with multiple team members even on the lowest tier at $129/month.
Overall, both Pentest Tools and Attaxion are on the more affordable side of the pricing spectrum of attack surface management tools – most platforms like Palo Alto Cortex Xpanse or Censys ASM cost much more than that.
Asset Discovery
Asset Discovery with Pentest Tools
Pentest Tools has a curious relationship with asset discovery: while it does discover assets, it doesn’t do so continuously and doesn’t actually offer to do anything with the assets it discovers, except manually run scans on them. There’s a way to partially overcome this by building an automation, but it requires spending a significant amount of time.
As with all other security tools, be it DAST, EASM, or something else, the first step of working with Pentest Tools is to provide targets – generally IP addresses, IP ranges, or domains/subdomains – before asset discovery can start.
Pentest Tools offers nine different scanning tools, each capable of a specific task:
- Google Hacking – to find publicly exposed information about a target.
- Website Recon – to do technology fingerprinting for a target.
- URL Fuzzer – to discover hidden files and directories.
- WAF Detector – to discover a web application firewall in front of a web app.
- People Hunter – to discover email addresses and social media profiles associated with the target.
- Domain Name Finder – to discover additional domain names belonging to the same organization.
- Subdomain Finder – for subdomain enumeration.
- Port Scanner – to find open ports.
- Virtual Host Finder – to discover virtual hosts on the same IP address.
Pentest Tools also offers to combine scanners into so-called templates. For example, the Asset Discovery Template combines Subdomain Finder, Domain Finder, and Virtual Hosts Finder. You can configure it to run regularly and, to some extent, it emulates what EASM tools can do when it comes to asset discovery.
On the one hand, the sheer number of available reconnaissance tools makes it very flexible. On the other hand, it doesn’t offer a “find everything” option to run all the recon scans at once (even though you can manually build a robot that will do so).
Also, even though it discovers subdomains and other assets, Pentest Tools doesn’t automatically add them to the list of assets that it works with. It just offers you a report and an option to manually initiate a scan on the discovered asset. And you can’t even export a list of assets to import it into the vulnerability scanner because of the file format conflict.
Pentest Tools can discover assets in your cloud infrastructure, but it requires a VPN agent, which is only available on the Teams plan and above.
Asset Discovery with Attaxion
Attaxion has a different, more automatic approach to asset discovery. It also requires some root assets to start the scanning, which you need to verify first (for example, by adding a TXT record to DNS). The domain that matches the email you signed up with can be verified with just one click.
Once an asset is verified, Attaxion automatically begins asset discovery using various cyber reconnaissance techniques. Everything it discovers, except so-called root asset candidates, is automatically added to the map of your attack surface and then scanned for vulnerabilities.
Attaxion even builds a graph of how the assets are connected for you to trace possible attack paths.
Root asset candidates – second level domains that for a certain reason seem to belong to your organization – are added to a special list. You then get to choose whether to verify them so that they’re also scanned for related assets and vulnerabilities or discard them as false positives.
Attaxion offers integrations with the most popular cloud platforms – AWS, GCP, Azure, and Digital Ocean – to help you find assets there.
How They Compare
During our test, Pentest Tools and Attaxion managed to find roughly the same number of subdomains and open ports. However, Pentest Tools generated many more false positives while doing subdomain enumeration. Pentest Tools also doesn’t discover some types of assets like SSL certificates or CIDRs.
But the main difference is in the approach. When it comes to asset discovery, Attaxion feels like a fully automatic solution while Pentest Tools is a much more manual type of tool.
Attaxion builds a full list of external assets, which then automatically becomes its list of targets for continuous vulnerability scanning (and for further reconnaissance). Pentest Tools just gives you a list of assets, and for each one you’ll need to manually run further scans or build a robot that automates it.
Vulnerability Scanning and Prioritization
Vulnerability Scanning and Prioritization with Pentest Tools
Pentest Tools proves its name when it comes to vulnerability scanning, offering as many as 12 different narrowly focused tools for this purpose plus 5 exploit tools.
There are individual scanners for popular platforms like Sharepoint, Joomla, Drupal, and WordPress. There are website and API scanners. There’s a network scanner, password auditor (which also discovers open ports), SSL/TLS scanner, DNS server scanner, cloud scanner, and a Kubernetes scanner.
Describing every tool would take too much time, so we’d rather focus on the results of the scans. Once you scan an asset for vulnerabilities, Pentest Tools provides you with a list of its findings (also accessible from the “Findings” section) that can be sorted by severity – high, medium, low, or info – depending on the issue’s CVSS score.
Pentest Tools doesn’t offer the user any additional prioritization criteria. However, its documentation mentions that the EPSS score is also taken into account when deciding which detections to add to the scanner. What it does offer is the ability to adjust the risk level manually: a security team member may do so and also provide a reason why they think the level needs to be adjusted.
To detect vulnerabilities, Pentest Tools uses its own proprietary network vulnerability scanner, which partially relies on well-known open-source scanners such as OpenVAS and Nuclei. It apparently prefers to cross-check results rather than trust just one open-source scanner, which is commendable.
To scan multiple targets at once, you can set up a robot that does so. The reports you get are still per individual asset, though.
Vulnerability Scanning and Prioritization with Attaxion
Attaxion doesn’t require any action from the user’s side to start scanning discovered assets for vulnerabilities. The platform automatically detects CVE and CWE issues in any of the assets that it has discovered.
The findings look like a list of issues with their severity across all assets and can be sorted or filtered if you’re looking to narrow the scope down to a specific asset.
Unlike Pentest Tools, Attaxion offers additional prioritization options. Not only does it provide CVSS scores, it also adds EPSS and CISA KEV data to help filter vulnerabilities that are actively exploited in the wild and have a higher chance of causing trouble.
How They Compare
When it comes to vulnerability detection and prioritization, Pentest Tools and Attaxion again show somewhat similar results, but take a completely different approach.
In our tests, Attaxion was slightly ahead in the number of vulnerabilities discovered, including finding a high-severity issue that Pentest Tools didn’t notice. Also, Pentest Tools adds some noise by generating a lot of Info-level issues like “Nothing was found using this method”, but they are easy to filter out.
The main difference in this section is about prioritization: Pentest Tools relies on CVSS only and leaves the proper vulnerability assessment to humans that should consider exploitability and business-criticality. Attaxion adds another dimension with EPSS and KEV data that help prioritize not just “everything with CVSS above 7.5,” but rather issues that have a real chance of being exploited by attackers.
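The prioritization difference described above is easy to see on a handful of findings. The following Python snippet is an added illustration, not code from Attaxion or Pentest Tools: it ranks constructed findings by a simple tiering that puts CISA KEV entries first, then findings with a high EPSS probability, then high-CVSS findings with little exploitation signal, and compares that queue with a plain “CVSS above 7.5” filter. The asset names, the placeholder CVE identifiers, the scores, and the EPSS cut-off of 0.10 are all assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed cut-off for "likely to be exploited soon"; tune to your risk appetite.
EPSS_THRESHOLD = 0.10


@dataclass(frozen=True)
class Finding:
    asset: str    # host the issue was found on
    cve: str      # placeholder identifier (CVE-0000-xxxx), not a real CVE
    cvss: float   # CVSS base score, 0.0-10.0
    epss: float   # EPSS probability of exploitation within 30 days, 0.0-1.0
    in_kev: bool  # True if the CVE is listed in the CISA KEV catalog


def tier(f: Finding) -> int:
    """Map one finding to a remediation tier (1 = fix first, 4 = backlog)."""
    if f.in_kev:
        return 1            # known to be exploited in the wild
    if f.epss >= EPSS_THRESHOLD:
        return 2            # high probability of exploitation soon
    if f.cvss >= 7.0:
        return 3            # severe on paper, weak exploitation signal
    return 4


def risk_based_queue(findings):
    """Order findings by tier, then by EPSS and CVSS, highest risk first."""
    return sorted(findings, key=lambda f: (tier(f), -f.epss, -f.cvss))


def cvss_only_queue(findings, cutoff=7.5):
    """The 'everything with CVSS above 7.5' approach: severity filter only."""
    return sorted((f for f in findings if f.cvss >= cutoff), key=lambda f: -f.cvss)


def missed_by_cvss_only(findings, cutoff=7.5):
    """Tier 1/2 findings that a CVSS-only cut-off would leave out entirely."""
    shortlisted = {f.cve for f in cvss_only_queue(findings, cutoff)}
    return [f for f in risk_based_queue(findings)
            if tier(f) <= 2 and f.cve not in shortlisted]


# Constructed sample findings; example.com is a reserved documentation domain.
SAMPLE = [
    Finding("www.example.com",  "CVE-0000-0001", 9.8, 0.004, False),  # critical CVSS, rarely exploited
    Finding("vpn.example.com",  "CVE-0000-0002", 6.5, 0.620, True),   # medium CVSS, but in KEV
    Finding("api.example.com",  "CVE-0000-0003", 7.5, 0.350, False),  # high CVSS and high EPSS
    Finding("mail.example.com", "CVE-0000-0004", 5.3, 0.010, False),  # low on every axis
    Finding("old.example.com",  "CVE-0000-0005", 8.1, 0.020, False),  # high CVSS, low EPSS
]


if __name__ == "__main__":
    print("Risk-based queue (tier, EPSS, CVSS):")
    for f in risk_based_queue(SAMPLE):
        print(f"  tier {tier(f)}  {f.cve}  cvss={f.cvss}  epss={f.epss}  kev={f.in_kev}  {f.asset}")
    print("CVSS-only queue (>= 7.5):", [f.cve for f in cvss_only_queue(SAMPLE)])
    print("Missed by CVSS-only:", [f.cve for f in missed_by_cvss_only(SAMPLE)])
```

Running the script shows the point of the comparison: the KEV-listed issue on the VPN host is first in the risk-based queue but does not appear at all in the CVSS-only shortlist, while the 9.8 CVSS issue with an EPSS of 0.004 drops to tier 3 behind findings that attackers are actually using.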
Vulnerability Remediation
Vulnerability Remediation with Pentest Tools
Neither Attaxion nor Pentest Tools offers automatic remediation such as closing ports en masse. Both are focused on providing reporting and guidance as well as automating support ticket creation.
Pentest Tools seems to be more focused on reporting – it can create detailed reports for scans or individual vulnerabilities. For each vulnerability, it offers editable reports with adjustable risk levels.
If you opt for the expensive plan – Teams – you get an option to create Jira tickets in one click. There are no integrations with other ticketing systems, and the Jira integration is not available on cheaper plans.
Paying more also allows you to create custom reports and report templates, as well as do white-labeling.
Vulnerability Remediation with Attaxion
Attaxion also provides guidance for each vulnerability it discovers and allows you to create reports/exports of asset lists, issue lists, or technology lists. These reports are not editable, but, as mentioned above, contain more useful information such as, for example, KEV data.
When it comes to ticket creation, Attaxion also provides an integration with Atlassian Jira. Unlike Pentest Tools, even if you choose the cheapest plan, you can still use the integration.
How They Compare
Pentest Tools does a great job with reporting, offering a lot of flexibility and customization. However, automatic support ticket creation is only available on more expensive plans, while Attaxion offers it on every plan.
Attaxion also pulls vulnerability remediation guidance from multiple sources, potentially making it more informative. On the other hand, Attaxion doesn’t allow you to customize or white-label the reports.
Continuous Monitoring
Continuous Monitoring with Pentest Tools
When it comes to continuous monitoring, Pentest Tools is very flexible with scan scheduling, but offers only basic notifications functionality on cheaper plans, expanding it on more expensive plans starting with Teams.
For each plan, Pentest Tools defines the number of scans that you can run per month as well as the number of scans running in parallel (2 on cheaper plans and 5 on more expensive ones). If you try to run more than the specified number of scans concurrently, they get queued. Most scans are quite quick and take only a few minutes, but some may take significantly longer.
The scheduling is really flexible – you can schedule individual scans or pentest robots to run daily, weekly, or monthly, and provide additional conditions in the automation builder.
But when it comes to notifications, there’s only one option available on Free, Basic, and Advanced plans – email. Want Slack? You need to buy the Teams plan. Email notifications are quite flexible, though – you can choose events and conditions when a notification is sent, including scan events, discovering certain technologies, or something else.
Continuous Monitoring with Attaxion
Attaxion is quite different from Pentest Tools when it comes to continuous monitoring. Firstly, there’s no need to schedule anything at all – scans just run, continuously, on every discovered asset (unless you have manually excluded it).
Secondly, Attaxion offers all integrations on every plan, which includes Slack notifications (in addition to the default email notifications). However, Attaxion has a simpler approach to notifications – you can only select the lowest issue severity that will trigger a notification.
How They Compare
Unlike Attaxion, Pentest Tools is aimed not at continuous protection, but rather at regular use. That results in one notable difference: relying on scheduling instead of continuous scanning. Once Attaxion finds new assets, it automatically scans them for security vulnerabilities and sends you notifications. That’s not the case with Pentest Tools, where you’ll need to build a system that runs regular scans and then review those scans to take action.
Pentest Tools offers more flexibility when it comes to notifications, but Attaxion has a Slack integration out of the box on every plan.
Conclusion
Pentest Tools is a well-known and widely used set of tools with a well-deserved reputation: it’s very flexible, offers a pleasant graphical interface, and is quite capable when it comes to reconnaissance and vulnerability discovery.
It’s best suited as a platform for penetration testing for red teams or individual ethical hackers whose job is to conduct security assessments, discover common vulnerabilities and attack vectors, and provide a report about them. Customizing and white-labeling reports is a great feature for consultants and bug bounty hunters.
But when it comes to automation and continuous monitoring of an organization’s attack surface, Pentest Tools cannot replace a proper EASM platform like Attaxion. Since its penetration testing tools are disjointed, it doesn’t automatically add new targets and continuously scan them for issues.
Another limitation of Pentest Tools comes from the complete absence of integrations on cheaper plans. Basic functions like creating support tickets and sending Slack messages are only available on the expensive Teams plan or above. Attaxion offers both of these on all plans and also requires much less manual work when it comes to maintaining the asset inventory and the full picture of the attack surface.
Given that their pricing level is roughly the same, we can conclude that Pentest Tools could be a better choice for red team activities with a focus on one-time or recurrent pentesting, while Attaxion is preferable for continuously protecting an organization from external threats. If you’re looking to enable vulnerability management or external attack surface management in your organization, Attaxion is a better alternative to Pentest Tools.
Ready to try Attaxion EASM? Start a 30-day free trial, or request a personal demo.