Pentests are often performed by third parties, but as these outside tests can be expensive and become dated quickly, many organizations perform their own penetration tests with pentesting tools, using their own IT personnel for their red teams (attackers).

Many pentesters and ethical hackers use open source pentesting tools to probe a network‘s defenses, but for organizations with high security needs, there are also commercial pentest tools and services that can offer greater support and functionality, and some top open source tools offer pro and enterprise plans too. Here we’ll review seven of the best commercial pentesting tools, their benefits, drawbacks, and use cases.

Best Penetration Testing Tools & Software: Comparison Chart

Here is a head-to-head comparison of the best pentesting tools.

Fortra Cobalt Strike – Best for Simulating a Real Cyberthreat

---

In 2012, Raphael Mudge — who also developed the Armitage GUI for Metasploit — developed Cobalt Strike, a commercial penetration testing tool primarily used as a threat emulation or post-exploitation tool to enhance adversary simulations and red team operations. Cobalt Strike allows attackers to mimic advanced threat actors and emulate their techniques, making it a popular tool among red teams and penetration testers for testing the security of organizations. Unfortunately, it’s also become a popular tool for hackers too. As a result, the tool is closely monitored and regulated, and its availability is restricted to licensed users or authorized organizations.

Visit Website

Pros & Cons

Pros

• Efficient customer support
• Offers value for money
• Has built-in tools for reconnaissance
• Responsive user interface

Cons

• Can be abused by cybercriminals, but that’s also a pretty good endorsement of its capabilities.

Pricing

A Cobalt Strike license costs about $3,540 per user for a one-year license. You can contact the company for information about the purchase process and terms.

Key Features

• Advanced adversary simulations
• Allows cybersecurity professionals to imitate a silent, long-term implanted actor in their customer’s network
• Dynamic red team engagement
• Users can create and share their extensions in the Community Kit
• Command-and-control (C2) communication capabilities

Screenshots

Also read: How Cobalt Strike Became a Favorite Tool of Hackers

Fortra Core Impact – Best for Complex Infrastructure Penetration Testing

---

Fortra owns the first two tools on our list, including Core Impact, a penetration testing tool that allows organizations to simulate real-world attacks on their network infrastructure and applications to identify vulnerabilities and weaknesses.

Featuring network testing, client-side testing, web application testing, remote exploitation, rapid penetration tests (RPTs), post-exploitation, and teaming capabilities, it enables security professionals to assess the security posture of their networks, identify potential vulnerabilities, and evaluate the effectiveness of their security controls. It allows users to customize and craft their own exploits, reflecting unique organizational requirements.

Visit Website

Pros & Cons

Pros

• User-friendly graphical user interface
• Many users applaud its automation capability
• Easy to set up and use

Cons

• Some users find the tool to be pricey
• Documentation can be improved

Pricing

Core Impact offers three pricing plans with various features.

• Basic: $9,450 per user per year
• Pro: $12,600 per user per year
• Enterprise: Custom pricing

Fortra allows you to bundle Core Impact with Cobalt Strike (Advanced Bundle) – the rates are as follows:

• Cobalt Strike with Core Impact Basic costs $12,600 per user per year.
• Cobalt Strike with Core Impact Pro costs $15,750 per user per year.
• Cobalt Strike with Core Impact Enterprise pricing is available upon request.

You can purchase SCADA, Medical, and IoT exploits as an add-on, but they are only available to Core Impact Enterprise customers.

Key Features

• Customizable reporting
• Core Impact offers Rapid Penetration Test (RPT) tools to help users automate and optimize their usage of security resources. It can be completed across three different vectors: network, client-side, and web application.
• Compliance with industry regulations like PCI DSS, GDPR, and HIPAA
• It allows you the ability to prove adherence to regulations like PCI DSS, NIST, CMMC, and more.

Screenshots

Burp Suite – Best for Developers & DevSecOps Professionals

---

Burp Suite is a top-rated software suite for attacking security testing developed by PortSwigger, available in both free and paid versions. Security professionals and penetration testers widely use it to identify and exploit vulnerabilities in applications.

Burp is a tremendous tool that can do advanced scans, but one of the most classic uses is traffic interception (e.g., HTTP requests). Burp Suite consists of several modules, including a proxy server, scanner, intruder, repeater, sequencer, and spider. Modules work together to perform various security testing tasks.

Visit Website

Pros & Cons

Pros

• Used by most security teams, researchers, and professionals (and also attackers)
• Very comprehensive

Cons

• While it has some user-friendly features, overall it’s significantly harder to learn and master than other scanners.
• Many features aren’t available in the community edition (free), and the enterprise edition is relatively expensive.

Pricing

Burp is available for free and in paid versions

• Burp Suite Community Edition: Available for free
• Burp Suite Professional: The plan costs $449 per user per year

Burp Suite Enterprise edition is available in two options – usage-based pricing and subscription.

• Pay as you scan: $1,999 per year plus $9 per hour scanned
• Classic: $17,380 per year. It allows you to perform 20 concurrent scans and support unlimited applications and users.
• Unlimited: $49,999 per year and enables you to perform unlimited concurrent scans.

Key Features

• Single-sign-on and role-based access controls
• Technical support with 24-hour SLA
• CI/CD platform integration
• It has 250 extensions (BApps) for customizing testing workflows.

Screenshots

Also read: Getting Started with the Burp Suite: A Pentesting Tutorial

Metasploit – Best for Vulnerability Assessments & Exploit Development

---

Metasploit, developed by Rapid7, is a well-known exploitation framework that — like the free version of Burp — is also included in the Kali Linux open source pentesting distribution. Metasploit provides useful modules and scanners to exploit vulnerabilities. It allows security professionals and ethical hackers to assess a system’s security posture and replicate real-world attack scenarios to understand the potential risks and vulnerabilities.

Visit Website

Pros & Cons

Pros

• Used by most security teams, researchers, and professionals (and also attackers).
• Very comprehensive
• Very convenient for emulating compromised machines
• Can be easily combined with Nmap

Cons

• It makes hacking a lot easier (including for beginners and script kiddies).
• It can get expensive for some small businesses.

Pricing

Metasploit doesn’t advertise its rates on its website. The company encourages buyers to contact its sales team for custom quotes. Publicly available information suggests that the Metasploit Pro edition costs $15,000 per year. Your actual rate may differ, so it is necessary to contact the company for quotes.

Key Features

• You can create infected payloads with a graphical interface (with payloads GUI or in the pro version).
• Tests can be automated.
• Includes post-exploitation tools such as keyloggers, packet sniffers, and persistent backdoors.

Screenshots

Also read: Getting Started With the Metasploit Framework: A Pentesting Tutorial

Tenable Nessus – Best for Network Vulnerability Scanning & Assessments

---

Built for consultants, pentesters, developers, SMBs, and security practitioners, Tenable Nessus is a widely used vulnerability assessment tool. It offers a comprehensive vulnerability database, frequent updates, and a user-friendly interface.

Tenable Nessus can scan your infrastructure to identify security weaknesses, misconfigurations, and potential entry points for cyberattacks, reducing the risk of cyberattacks and data breaches.

Visit Website

Pros & Cons

Pros

• Integration with other security tools
• Scan automation capabilities
• Advanced scan functionalities

Cons

• 24/7 support costs an additional $430.
• Training also costs extra.
• Some users report that the tool takes time to scan and report.

Pricing

Tenable Nessus offers two pricing plans: Tenable Nessus Expert and Tenable Nessus Professional.

According to the company, Nessus Expert is ideal for consultants, pentesters, developers, and SMBs. You can buy a one-year or multi-year license.

• 1 year: $5,686.75 for 12 months
• 2 years: $11,089.16 for 24 months
• 3 years: $16,207.24 for 36 months

The company says Tenable Nessus Professional is designed for consultants, pentesters, and security practitioners. The license cost is as follows:

• 1 year: $3,859.25 for 12 months
• 2 years: $7,525.54 for 24 months
• 3 years: $10,998.86 for 36 months

Key Features

• Up to 500 prebuilt scanning policies
• External attack surface scanning capabilities
• Customizable scanning policies

Screenshots

vPenTest – Best for Managed Service Providers

---

vPenTest, a product of Vonahi Security, is an automated network penetration testing tool designed for managed service providers (MSPs). It claims to combine the expertise of several highly competent penetration testers with the capabilities of numerous tools to perform a range of tasks, including host discovery, service enumeration, vulnerability analysis, exploitation, post-exploitation, privilege escalation, and lateral movement, as well as documentation and reporting.

Visit Website

Pros & Cons

Pros

• Most users’ experience with the tool is positive, per user feedback on review sites.
• Real-time visibility into the organization’s network
• Good reporting capabilities
• Easy to learn and use

Cons

• Documentation can be improved – some users reported that it’s outdated or lacking.
• Results turnaround time could be improved and made faster.

Pricing

The vendor asks potential buyers to contact their in-house expert for demo and quotes. While we have been unable to obtain pricing information, users report that vPenTest is substantially cheaper than hiring human pentesters.

Key Features

• Internal and external network pentest
• Privilege escalation
• Identifies and locates sensitive data that may be at risk of compromise
• Provides detailed reports and analysis on the vulnerabilities and potential security risks discovered during testing

Screenshots

Pentest-Tools.com – Best for Visualization, Reporting & Analytics

---

Pentest-Tools.com provides a variety of tools and resources for penetration testing and vulnerability assessment. It offers a collection of security tools, such as web application scanners and network scanners, which can be used by security professionals to identify vulnerabilities and test the security of their systems.

Visit Website

Pros & Cons

Pros

• Offers integration with third-party tools like Jira, Webhooks, and more.
• Reports can be exported in various formats, such as CSV, HTML, and PDF.
• You can schedule periodic scans – daily, weekly, or monthly.

Cons

• Premium support is limited to Teams plan users.
• Multi-user access is also limited to Teams plan users.

Pricing

The vendor asks potential buyers to contact their in-house expert for demo and quotes. While we have been unable to obtain pricing information, users report that vPenTest is substantially cheaper than hiring human pentesters.

Key Features

• Continuous security monitoring
• The company offers various security tools, including web vulnerability scanners, network vulnerability scanners, offensive tools, and reconnaissance tools.
• Automation capabilities
• Internal network scanning (through VPN)

Screenshots

Key Penetration Testing Software Features

Here are some of the key features that buyers should look for in pentesting tools.

Vulnerability scanning

Pen testing tools often have databases of known vulnerabilities to identify potential weaknesses in an organization’s network, systems, or applications that could be exploited by attackers, making it easy for companies to tackle these loopholes before bad actors take advantage.

Also read:

• Penetration Testing vs Vulnerability Scanning: What’s the Difference?
• Best Vulnerability Scanning Tools

Exploit testing

Exploit testing capabilities enable you to simulate real-world cyberattacks. This involves attempting to exploit identified vulnerabilities to understand the potential impact and consequences of a successful attack.

Wireless network testing

With the increasing use of wireless networks, penetration testing software should have specific features to assess the security of wireless networks. This can include scanning for open ports, testing encryption strength, or attempting to gain unauthorized access through wireless access points.

Compliance and regulatory support

Penetration testing software should have features that enable organizations to align their testing with industry standards, regulations, and compliance requirements. This ensures that organizations can meet regulatory obligations and demonstrate due diligence in their security efforts.

Integration and collaboration

Many organizations have complex IT infrastructures and multiple security tools. Penetration testing software should have features that allow for seamless integration with existing security systems, such as SIEM platforms, CMDB, ITSM, and DevSecOps tools, to provide a holistic view of an organization’s security posture and to speed fixes.

Other capabilities to look for include:

• Exploit development: The ability to develop custom scripts and tools that leverage discovered vulnerabilities to gain access to a system or application.
• Password cracking: The ability to use brute force, dictionary, and hybrid attacks to crack passwords and gain access.
• Network mapping: The ability to map a network’s topology, revealing its devices, services, and open ports.
• Social engineering: The ability to use social engineering tactics, such as phishing and pretexting, to gain access to confidential information.
• Web application testing: The ability to test for vulnerabilities in web applications and web services.
• System hardening: The ability to secure a system by patching, updating, and implementing firewalls.
• Post-exploitation analysis: The ability to analyze a compromised system to identify and exploit further vulnerabilities.
• Malware analysis: The ability to analyze malicious software and develop countermeasures.
• Privilege Escalation: Exploiting vulnerabilities to gain higher-level privileges.
• Reporting and Documentation: Summarizing results and providing evidence of findings.

How to Select the Best Penetration Testing Tools and Software for Your Business

When shopping for a penetration testing tool, be aware that you will likely need several components to perform a complete penetration test. And some tools are more flexible than others. Some software solutions let users define custom rules according to a specific use case.

The right pentesting tool will depend on the type of pentesting you plan to perform. For example, if you are performing a network pentest, you may do fine with an open source network pentesting tool such as Nmap. If you are performing a web application pentest, you will need a web application pentesting tool such as Burp Suite.

Each type of pentest will require different tools to complete the task, so it is essential to identify the kind of pentest you plan to perform and choose the appropriate tools for the job.

• Understand your requirements: Identify your organization’s specific security goals and objectives and determine the scope of the penetration testing (for instance, network, web applications, mobile apps, and wireless networks).
• Assess your resources: Make sure any solution matches your existing tools and human expertise.
• Research and shortlist tools: We’ve helped get you started, but now you need to find the right tools for your environment.
• Evaluate tool features: Compare the features of shortlisted tools against your organization’s requirements.
• Consider the tool’s security and service: Updates, training and support, as well as the vendor’s reputation, also matter.
• Test and try: You can request a demo if a free trial is unavailable.

Review Methodology

We reviewed over 60 penetration testing tools using 28 individual data points across five key categories: price/value, core features, non-core features, admin ease of use & implementation, and support. We collected information about each tool’s features, pricing, and other relevant information from their respective websites, data sheets, whitepapers, and documentation. We then used the data to score the best penetration testing tools and software as follows:

• Pricing/value (20%)
• Core features (40%)
• Non-core features (5%)
• Admin ease of use & implementation (20%)
• Support (15%)

We at eSecurity Planet have your best interest in mind. We selected the top-rated tools after careful consideration, calculation, and extensive research to help you determine the best tools for your needs and use cases.

Bottom Line: Choosing a Pentesting Tool

Penetration testing is a critically important security practice and will reduce the likelihood and opportunities for a cyber attack. There are a few different ways to do it — pentesting services, security staffers with expertise, and even automated tools — but the most important thing is to get started.

Read next:

• How Much Does Penetration Testing Cost? 11 Pricing Factors
• Top Breach and Attack Simulation (BAS) Tools

This updates a February 2022 article by Julien Maury

The post 7 Best Penetration Testing Tools & Software appeared first on eSecurity Planet.

A few vendors refer to advanced BAS solutions as security validation or continuous threat exposure management (CTEM). Several of these tools also assess broader security defenses and potential attack paths, a market known as attack surface management. Artificial intelligence and machine learning are an important part of the BAS market, as automated cybersecurity tools are needed to keep up with the huge volume of  vulnerabilities and emerging threats.

We analyzed the market for BAS tools to come up with this list of the top 19 vendors, plus an additional 8 honorable mentions, followed by more on breach and attack simulation technology and buying considerations.

• AttackIQ: Best for AI/ML security testing
• Cymulate: Best user experience
• Picus Security: Best for detecting logs and alert gaps
• SafeBreach: Best for integration with other security tools
• XM Cyber: Best for attack path management
• CyCognito: Best for risk detection and prioritization
• FireMon: Best BAS tool for visualization
• Akamai Guardicore: Best for microsegmentation, visibility and control
• Mandiant: Best BAS tool for threat intelligence
• Qualys: Best for vulnerability management and security compliance
• IBM Randori: Best BAS tool for red teaming
• Rapid7: Best for affordable risk analysis
• BreachLock: Best for network and web pentesting
• Horizon3.ai: Best BAS tool for small businesses
• NetSPI: Best BAS tool for pen testers
• Pentera: Best for ​​automated security validation
• Scythe: Best for adversary emulation
• Skybox Security: Best for integration with data sources
• Tenable: Best for analytics and attack surface visibility
• Honorable Mentions
• What is Breach & Attack Simulation Software?
• Why Do Companies Use BAS?
• BAS features
• Deployment Options for BAS
• Bottom Line: Breach and Attack Simulation (BAS) Tools

20 Best Breach and Attack Simulation (BAS) Vendors Comparison Chart

AttackIQ

Best for AI/ML security testing

AttackIQ started as an automated validation platform in 2013 in San Diego, California. The platform enables organizations to test and measure their security posture across environments. Informed by the MITRE ATT&CK matrix and its wealth of cyber adversary behavior, clients can run advanced scenarios targeting critical assets and continuously improve their defensive posture.

AttackIQ’s Anatomic Engine is a standout feature, as it can test ML and AI-based cybersecurity components. With the capacity to run multi-stage emulations, test network controls, and analyze breach responses, AttackIQ remains a top contender among BAS solutions.

AttackIQ Features

• Integration: Integrates with various third-party solutions, including Palo Alto Networks, Splunk, Cisco, and RSA
• OS support: Supports all major operating systems, including Windows, Linux, macOS
• Flexible deployment: AttackIQ can be deployed on-premises and in the cloud
• Security posture Insight: Real-time visibility into security performance
• Cloud security: Validate native security controls embedded within cloud providers like Azure and AWS
• Risk management: Uses MITRE ATT&CK framework to validate NIST 800-53 and CMMC security controls automatically

Pros

• Support for on-premises and cloud environments
• Validates native cloud security controls
• AI/ML security validation

Cons

• Users would like to see more integrations
• Some complaints about deployment challenges

Pricing

AttackIQ does not publicly list pricing information on its website. However, they offer a free trial and a personalized online demo to help potential buyers understand their services and determine the best pricing option for their needs.

The little pricing that’s publicly available on the Azure Marketplace suggests it’s not a cheap product — AttackIQ Starter Pack Bundle: $227,500.00 one-time payment per year, or $580,125.00 one-time payment for a 3-year billing term — but users understand that they’re getting a product that goes well beyond the basics.

Note that AttackIQ Starter Pack Bundle rates are subject to change starting August 1, 2023. The updated price for the one year billing term will be $250,250 one-time payment while the 3-year billing term price will increase to a $638,138 one-time payment.

Cymulate

Best for usability and user experience

Cymulate is the first of two Israeli vendors in our top-tier BAS solutions. Founded in 2016, the Rishon LeZion-based vendor specializes in breach and attack simulation and security posture verification. By employing the MITRE ATT&CK framework and mimicking an array of advanced hacker strategies, the Cymulate platform assesses network segments, detects vulnerabilities, and optimizes remediation.

To confront the dynamic threat landscape, Cymulate offers continuous security validation that provides consistent guidance for action. Deploying Cymulate with near-unlimited attack simulations can be completed within minutes via a single lightweight agent.

Cymulate Features

• Attack remediation: Allows you to prioritize remediation based on attackable vulnerabilities
• Endpoint security: Detects and prevents endpoint ATT&CK TTPs such as ransomware and worms
• Data exfiltration: Ensures that company sensitive data can not be exfiltrated
• Full kill chain APT: Validate your enterprise defense against APT attack scenarios such as Fin8, APT38, Lazarus and custom scenarios
• Email gateway: Test your security against thousands of malicious email formats, attachments, and URLs
• Web app firewall: Evaluate your security against web apps attack such as OWASP top ten

Pros

• Users praise its resources for cyber risk assessments and penetration testing
• Easy to setup and use
• Offers instant threat alerts
• Signature and behavioral based endpoint security

Cons

• Some users reported that the scanning capability can be made better
• Adding more integration with other security tools can further improve the tool 
• Reporting capability can be made better 

Pricing

Pricing information for this product is unavailable on the vendor’s website. Potential buyers can contact the Cymulate sales team for custom quotes tailored to their needs. Cymulate offers a 14-day free trial, and potential buyers can also request a product demo. Publicly available pricing on AWS shows that the Cymulate 7 attack vector bundle for organizations with up to 1,000 endpoints may cost about $7,000 a month or $91,000 per year.

Picus Security

Best for detecting logs and alert gaps

Picus Security is a continuous security validation vendor founded in 2013 and located in San Francisco, California. Recognized in each of our top BAS lists, Picus has raised over $32 million through Series B and a corporate funding round by Mastercard in May 2022. The Picus Security Control Validation (SCV) platform scans for vulnerabilities and offers guidance for configuring security controls.

Integrating into an existing security information and event management (SIEM) system, the Picus SCV helps identify logging and alert gaps where additional action is required to optimize your SIEM. With MITRE ATT&CK and kill chain visibility, administrators deploying SCV can take the necessary steps to prevent the next advanced attack.

Picus Security Features

• Threat library: Picus Security’s threat library of over 3500 threats covering the MITRE ATT&CK framework is updated regularly
• Security control validation: Test the efficacy of your network security and detection controls, including firewalls, web and email gateways, SIEM, EDR, and SOAR tools
• Mitigation library: Picus Security provides over 70,000 actionable recommendations to remedy security gaps, as well as vendor-specific mitigation suggestions targeted to your environment
• Attack Path Validation (APV): Picus APV helps security teams automatically detect and visualize an evasive attacker’s path to important systems and accounts
• Integration: Picus integrates with various third-party tools, including Citrix, Cisco, IBM Security, McAfee, F5, Trend Micro and more.

Pros

• Continuous assessment
• Provides users with recommendations to further help strengthen their networks
• Automated testing
• Supports over 100 APT and malware scenarios

Cons

• Users feedbacks from review sites shows that Picus Security has a complex initial setup
• Some users say technical support are some time insufficient, product documentation can be improved to help users resolves minor issues quickly 

Pricing

Picus Security does not advertise pricing on its website, as packages and services are tailored to the customer’s exact needs. Generally, prices for their services range from $30,000 to $120,000, depending on the scope of the chosen package. To receive a custom quote tailored to your needs, contact their sales team. You can also take advantage of their 14-day free trial or request a product demo.

SafeBreach

Best for integration with other security tools

SafeBreach holds multiple patents and awards for its BAS technology. Founded in 2014, the California-based vendor is a pioneer in breach simulation. Since our last update, SafeBreach earned a $53.5 million Series D funding round in November 2021. The BAS platform can detect infiltration, lateral movement, and data exfiltration by offering cloud, network, and endpoint simulators.

SafeBreach continuously validates tools and the organization’s overall security posture with an ever-changing threat landscape. When flagged, administrators have the visibility to take prompt action against potential vulnerabilities. With the SafeBreach platform deployed, organizations can expect increased security control effectiveness, real threat emulation, and improved cloud security.

SafeBreach Features

• Integration: SafeBreach integrates with various technology solution providers, including Splunk, ServiceNow, Google BigQuery, Tanium, Checkpoint, IBM, Slack, Qualys and more
• Reporting: Provides real time reporting and remediation action
• SafeBreach-as-a-Service: SafeBreach is available as a fully managed software solution consisting of platform licensing, ongoing strategy, and full support
• RansomwareRx: Allows users to run a customized, no-cost attack scenario based on actual ransomware behavior—including MITRE ATT&CK TTPs
• No-code: Allows users to plan every aspect of attack in a single no-code environment

Pros

• Ability to simulate over 15,000 attacks
• Dashboards display security risks over time
• Offers cloud, network, and endpoint simulators

Cons

• Customer support can be made better. Users reported slow response time
• User interface takes time to learn and get use to

Pricing

SafeBreach doesn’t advertise prices on its website. Interested buyers can contact its sales team for custom quotes. You can also request a free demo to learn how to leverage the product for your environment. Publicly available pricing on AWS shows that SafeBreach simulator can cost about $18,000 for an annual subscription.

XM Cyber

Best for attack path management

XM Cyber is a Tel Aviv-based cyber risk analytics and cloud security vendor launched in 2016. Born from the thought leadership of the Israeli intelligence sector, the XM Cyber Breach and Attack Simulation, previously known as HaXM, is a leading BAS solution. In its short history, the vendor has been at the forefront of BAS innovation, winning several awards and pushing other vendors forward.

XM Cyber identifies an organization’s most critical assets and works backward with attack-centric exposure prioritization, identifying the exploit routes. Analyzing every potential attack path and crafting remediation options informed by risk impact give administrators visibility in real-time to secure their network. Through its success, XM Cyber was acquired for $700 million by the Schwarz Group in November 2021.

XM Cyber Features

• Flexible: Allows organizations to prioritize security exposures and focus remediation activities across cloud, SaaS and on-premises
• Compliance validation: Automate compliance validation and reporting for key standards such as ISO, NIST, GDPR, SWIFT and PCI
• Attack path management: APM allows users to detect attacks before they happen proactively
• Hybrid cloud security: Identify exposures across your AWS, Azure and GCP environments
• Active Directory security: Neutralize Active Directory risks across on-premises and cloud environments
• Automated red teaming and penetration testing: Provides real-time evaluation of your security tools’ performance and uses attack modeling to reveal misconfigurations, mismanaged credentials, and risky user activity

Pros

• Track users’ overall security posture and risk level
• Advance analytics capability
• End-to-end network scanning
• Provides users with visibility into their critical attack paths

Cons

• Users report that the tool is expensive, making it hard for small businesses to buy
• The customer support can be improved and optimized for fast response time

Pricing

This is a quote-based tool, and the price is available on request. Contact XM Cyber for custom quotes. You can also request a personalized demo to learn more about the solution. AWS Marketplace shows pricing for XM Cyber’s hybrid attack simulation for up to 1,000 assets cost about $7,500 per month or $90,000 per year, while its next-generation vulnerability management costs about $1,083 per month or $13,000 per year for up to 1000 assets.

Read more on security automation:

• Hyperautomation and the Future of Cybersecurity
• Top Security Orchestration, Automation and Response (SOAR) Solutions
• Vulnerability Management as a Service (VMaaS): Ultimate Guide

CyCognito

Best BAS tool for risk detection and prioritization

CyCognito is committed to exposing shadow risk and bringing advanced threats into view. One of the youngest BAS vendors started operations in 2017 and resides in Palo Alto, California. Founded by tenured national intelligence professionals, CyCognito identifies attacker-exposed assets to enhance visibility into the attack and protect surfaces.

According to the vendor, clients identify up to 300% more assets than they knew existed on their network. Through the CyCognito platform, organizations can define risk categories, automate offensive cybersecurity operations, and prepare for any subsequent advanced attack. The budding vendor continues to grow with a Series D of $100 million in December 2021.

CyCognito Features

• Graph business and asset relationships: The CyCognito platform leverages machine learning, natural language processing, and graph data structure to uncover and consolidate all corporate relationships in your organization, from acquired companies to joint endeavors and cloud infrastructures.
• Test security: CyCognito testing capabilities detect attack vectors that could be used to breach enterprise assets, including data exposures, misconfigurations and even zero-day vulnerabilities.
• Risks prioritization: CyCognito automatically prioritizes risks based on the following principles
  • Attackers’ priorities
  • Business context
  • Discoverability
  • Ease of exploitation
  • Remediation complexity

• Integration: The platform integrates with SIEMs, ITSM, CMDBs, and communications software.
• Security framework: CyCognito satisfies most common security frameworks such as MITRE ATT&CK Framework, NIST cybersecurity framework, CIS critical security controls and ISO/IEC 27000 and regulatory compliance standards, including GDPR, NIST 800-53, CCPA, PIPEDA, BDSG and POPI act.

Pros

• Supports cloud and on-premises environments
• Attack surface management
• Advanced analytics

Cons

• CyCognito is difficult to learn and use, new users need extensive training to understand the tool

Pricing

Product pricing is available on request. Contact the CyCognito sales team for custom quotes. For its attack surface management product, data from AWS marketplace shows a cost of $30,000 for 12 months, $55,000 for 24 months, and $80,000 for 36 months – limited to 250 assets max.

FireMon

Best BAS tool for visualization

Started in 2001, FireMon is a Kansas-based vendor for cybersecurity, compliance, and risk mitigation. One of the earliest companies to address change detection and reporting, compliance, and behavioral analysis, FireMon has a track record that includes over 1,700 organizations. FireMon’s vulnerability management technology can be found under Security Manager and Cloud Defense, offering real-time risk assessment, mitigation and validation. FireMon’s attack path graphics and analysis are suitable for administrators who desire greater visibility.

FireMon Features

• Integrations: FireMon integrates with a range of technologies, including ITSM tools (ServiceNow, Accenture, Jira Software, Redseal and BMC), SIEM/SOAR solutions (Splunk, Komand, Demisto and Swimlane), and vulnerability scanners (Qualys, Rapid7, and Tenable)
• Optimize response: Real-time event analysis and intelligent routing of high-priority events
• Notification: Send alerts directly using existing tools, including Slack, Teams, and Jira
• Compliance: Support for common compliance standards, including CIS and PCI-DSS
• Visualization: Comprehensive reporting and dashboards
• Automatic enforcement: Adhere to security requirements from CIS, NIST and AWS, and implement monitoring/logging, IAM, and backup across all cloud accounts and providers

Pros

• Intuitive user interface
• Users find its historical log capability beneficial
• Tracks firewall rule change
• Easily identify misconfigurations

Cons

• Customer support and documentation could be improved
• Complex initial setup, which leads to slow implementation time

Pricing

FireMon does not publicly disclose pricing information. In addition to custom quotes, you can also request a demo to learn more about the platform. FireMon also offers bring your own license (BYOL) plans for Azure and AWS.

Akamai Guardicore

Best for micro-segmentation and enhanced visibility and control

A decade into a maturing zero trust solution space, Guardicore has been an upstart microsegmentation company addressing security for assets across hybrid environments. The Tel Aviv-based company was acquired by Akamai in September 2021 for $600 million.

For BAS, Akamai Guardicore’s open source platform Infection Monkey offers continuous testing and reports on network performance against attacker behavior. On par or better than some proprietary solutions, Infection Monkey is environment agnostic, handles varying network sizes,  and offers analysis reports based on zero trust, ATT&CK MITRE, and BAS.

Guardicore Features

• Legacy system support: Support legacy systems such as Windows 2003, CentOS 6, RHEL5, and AS400
• AI-powered segmentation: Implement AI-recommended policies with templates to address ransomware and workload attributes like processes, users, and domain names
• Broad platform support: Support modern and legacy OSes across bare-metal servers,  virtual machines, containers, IoT, and cloud instances
• Integrations: The platform integrates with third-party solutions such as CyberArk, Duo, Okta, Google Cloud Platform, Microsoft Azure, Oracle, AWS, Cisco, Check Point and more
• Flexible deployment: Secure IT infrastructure with a mix of on-premises workloads, virtual machines, legacy systems, containers and orchestration, public/private cloud instances, and IoT/OT

Pros

• Users can create audit reports
• Support for on-premises, container, and cloud environments
• Free open source version available

Cons

• The search and filtering capabilities can be improved to help users easy concatenate fields
• The Guardicore central user interface can be improved to enhance navigation

Pricing

Akamai Guardicore’s Infection Monkey can be downloaded for free, while cloud users would need to pay infrastructure costs.

Mandiant

Best BAS tool for threat intelligence

In our first BAS update, Virginia-based startup Verodin made the list before its acquisition by FireEye in 2019. Integrated into the Mandiant Security Validation platform, Mandiant — now part of Google — continues to lead the way through an eventful few years.

With integrated threat intelligence, automated environmental drift detection, and support for optimizing existing cybersecurity tools like SIEM, Mandiant eases a client’s monitoring job to focus on taking action. Mandiant notes clients can save big financially in the form of controlled vulnerabilities and speed response time to advance TTP by almost 600%.

Mandiant Features

• Breach analytics: Continuously monitors an organization’s real-time and historic threat alert data to identify and prioritize indicators of compromise (IOCs) present in their environment
• Security validation: Provides security teams with real data on how security controls behave under attack
• Visibility into external exposure: Identify unknown or unmanaged vulnerable internet-facing assets
• Attack surface management: The platform allows organizations to identify unsanctioned resources, digital supply chain monitoring and assess high-velocity exploit impact
• Digital threat monitoring: Provides visibility into the open, deep and dark web

Pros

• Automated defense
• Security validation and threat intelligence
• Flexible deployment

Cons

• Mandiant customer support response time can be improved for fast issues resolution
• Users report that the on-premises client is too processor-intensive

Pricing

Mandiant doesn’t publish pricing information for Security Validation, but CDW offers pricing info on a range of Mandiant Verodin offerings.

Qualys

Best BAS tool for vulnerability management and security compliance

Qualys is a leading provider of cloud security and compliance solutions – and one of the older vendors to make our list, founded in 1999 in San Francisco. The Qualys Vulnerability Management, Detection, and Response (VMDR) platform is their most popular product and a top BAS solution.

From analyzing vulnerabilities with six sigma accuracy to identifying known and unknown network assets, Qualys VMDR is a comprehensive solution that’s fully cloud-based, and the vendor offers a set of features and several add-ons for organizations requiring more. Those include mobile device support, cloud security assessments, and container runtime security.

Qualys Features

• Asset monitoring: Automatically identifies all known and unknown assets, on-premises, endpoints, clouds, containers, mobile, operational technology, and IoT, to generate a comprehensive, categorized inventory.
• Prioritize remediation: Qualys offers real-time threat information and asset inventory correlation to give you an overview of your threats.
• Validate file integrity: Qualys’ FIV solution monitors OSes continuously, logging and managing events centrally, and correlating and tracking changes.
• Systems monitoring: Qualys collects IoC data from your assets and stores, processes, indexes and analyzes it.
• Detects critical vulnerabilities, malware, exploits and misconfigurations.

Pros

• Integrates with ITSM tools like Jira and ServiceNow
• Automates remediation with no-code workflows
• Customizable dashboard
• Straightforward initial setup

Cons

• Users report that the tool’s remediation module can be complex
• The tool is pricey, making it unaffordable for many small businesses

Pricing

Qualys offers a free trial of their cloud platform for 30 days, after which pricing depends on the type of subscription and the specific services required. The company offers solutions for small businesses, mid-market, and enterprise environments. You can contact Qualys directly for more information on pricing.

Publicly available pricing shows that Qualys VMDR starts at $542 per month or $5,422 per year for 128 hosts.

IBM Randori

Best BAS tool for red teaming

A part of the budding attack surface management (ASM) solution market, Randori was one of the top cybersecurity startups before its acquisition by IBM in June 2022. Launched in Waltham, Massachusetts in 2018, Randori’s black-box approach maps attack surfaces to identify and prioritize an organization’s most valuable targets.

Whether it’s continuous automated red teaming (CART), preparing for zero-day attacks, or inspecting shadow IT, the Randori Platform offers robust insights into the cyber kill chain. Organizations can test their managed detection and response (MDR), managed security service provider (MSSP), and Security Operations Center (SOC) capabilities, as well as the effectiveness of tools like SIEM, SOAR, and EDR.

Randori Features

• Detect shadow IT: The platform helps identify forgotten assets, blind spots, and process failures.
• Notification: Randori provides alerts on new vulnerabilities and misconfigurations, such as unauthenticated services, pages with outdated copyright and new applications with poor quality.
• Continuous and automated red team: Randori helps organizations Prioritize investments in security tools by assessing the risks in your people, process and technology with regard to opportunistic, social, and zero-day attacks.
• Validate security investments: Randori helps organizations validate the efficacy of their SIEM, EDR, SOAR, threat intelligence, and MDR partners.

Pros

• Continuous automated red teaming
• Shadow IT discovery
• Attack surface management

Cons

• Steep learning curve for new users. The interface can also be improved to help users more easily navigate the platform.

Pricing

Randori doesn’t advertise product pricing on its website. Potential buyers can request product demos and pricing details by filling out a short form on their website.

Rapid7

Best BAS tool for affordability and risks analysis

Rapid7 kicked off operations in 2000, and fifteen years later released the Insight platform, bringing together vulnerability research, exploit knowledge, attacker behavior, and real-time reporting for network administrators.

Rapid7’s BAS solution is InsightVM and comes with an easy-to-use dashboard, where clients can manage everything from risk prioritization and automated containment to integrated threat intelligence feeds. Rapid7’s goal is to make cyber risk management seamless, with features devoted to remediation and attack surface monitoring.

Rapid7 Features

• Lightweight endpoint agent: Automates data collection from all your endpoints, including those from remote workers.
• Live dashboards: InsightVM dashboards are not static, they are interactive and allow you to create custom cards for admins or CISOs.
• Real risk prioritization: Leverage InsightVM real risks score to prioritize threats based on their severity and potential impact automatically.
• IT-integrated remediation projects: Streamline the process of responding to threats by integrating InsightVM with IT’s ticketing systems.
• Cloud and virtual infrastructure assessment: The platform integrates with cloud services and virtual infrastructure to ensure your technology is configured securely.
• Attack surface monitoring with project sonar: Continually scan your attack surface for vulnerabilities and misconfigurations to identify risks before they can be exploited.
• Container security: Monitor container workloads and external images for vulnerabilities and compliance issues in an automated, integrated fashion. Organizations can integrate InsightVM with CI/CD tools, public container repositories, and private repositories.
• RESTful API: Quickly integrate Rapid7 solutions with your existing security tools and processes via API.

Pros

• Transparent pricing
• Risk scoring based on attacker analytics
• Integrated threat feeds
• Live dashboard
• Good value

Cons

• Users say that the reporting is only available with direct access to the console, meaning a user needs access to the local server or VM instance to pull the reports
• Users say scan engine management is difficult

Pricing

Rapid7 InsightVM pricing is based on the number of assets being managed. Buyers looking to cover their entire network can contact the Rapid7 sales team for custom quotes and enjoy volume-based discounts.

• 250 assets: $2.19 per asset per month ($26.25 per year)
• 500 assets: $1.93 per asset per month ($23.18 per year)
• 750 assets: $1.79 per asset per month ($21.43 per year)
• 1000 assets: $1.71 per asset per month ($20.54 per year)
• 1250 plus assets: $1.62 per asset per month ($19.43 per year)

BreachLock

Best BAS tool for network and web penetration testing

Launched in early 2019, BreachLock is a top BAS company focused on penetration testing as a service (PTaaS). While relatively new, the New York City startup already has a growing reputation.

The on-demand SaaS solution offers testing for servers, IoT devices, APIs, mobile and web apps, and cloud infrastructure to give clients end-to-end visibility of exposure to risk.

BreachLock Features

• Vendor security assessment: BreachLock validates mobile and web applications, APIs, external and internal networks, cloud environments, and IoT.
• Cloud penetration testing services: The platform experts can test your cloud security in AWS cloud, GCP cloud, and Azure cloud, cloud technology, cloud platforms, and cloud-hosted SaaS applications.
• Network penetration testing: BreachLock experts manually test your external and internal networks.
• Web application penetration testing: Users’ web applications will be manually tested by the BreachLock team for OWASP and business logic security flaws.

Pros

• Efficient support team
• Vulnerability scanning
• Online and offline reporting

Cons

• The GUI could use a facelift to be more intuitive
• Users says they find the documentation confusing

Pricing

This is a quote-based solution. Contact the BreachLock sales team for custom quotes.

Horizon3.ai

Best BAS tool for startups and small businesses

Another top cybersecurity startup, Horizon3.ai also offers a cloud-based BAS solution with its autonomous penetration testing as a service (APTaaS), NodeZero.

Across hybrid IT environments, NodeZero identifies internal and external attack vectors and verifies the effectiveness of security tools and remediations. Started in October 2019, the San Francisco-based company most recently earned a $30 million Series B in October 2021.

Horizon3.ai Features

• Availability: The solution is available 24/7, allowing organizations to continuously evaluate their security posture and proactively identify and remediate attack vectors.
• Attack surface management: Provides coverage for internal and external attack vectors on-premises, in the cloud or in hybrid environments.
• Monitor attack path: NodeZero helps users understand the attack vectors that lead to a critical breach to mitigate attacks.
• Coverage: NodeZero algorithm fingerprints external, on-premises, IoT, identity, and cloud attack surfaces.

Pros

• Scalable
• Easy to use and helpful support team

Cons

• Some users find the tool cost-prohibitive
• Users say the tool lacks automated testing capabilities, whch means they can’t run tests on schedule

Pricing

Although Horizon3.ai doesn’t advertise pricing on its website, they offer a 30-day free trial and custom pricing for users. Enterprise users can contact the company for a tailored quote. Additionally, buyers can request product demos for more information about the solution. Publicly available pricing shows that Horizon3.ai pricing may range from about $24,999 per year to $327,467 per year.

NetSPI

Best BAS tool for pen testers

Founded in 2001, NetSPI has a track record of delivering pen testing to the top cloud providers, healthcare companies, banks, and more.

The Minneapolis, Minnesota-based company’s PTaaS, Resolve, offers clients an orchestration platform to manage the lifecycle of vulnerabilities. With two-way synchronization with tools like ServiceNow and Jira, Resolve can reduce time to remediation.

NetSPI Features

• Identify detection gaps: NetSPI identifies detection gaps such as missing data sources, disabled and misconfigured controls, broken telemetry flows, incomplete coverage and kill chain gaps.
• Validate controls: The platform validates controls, including endpoint controls, network controls, Active Directory controls, SIEM capabilities and MSSP capabilities.
• MITRE ATT&CK simulation: The platform helps organizations stay resilient against the attacks listed in the MITRE ATT&CK framework.
• Attack surface management: NetSPI detects known and unknown potential vulnerabilities of public-facing assets.

Pros

• Detects misconfigured controls
• Customizable solution
• Extensive testing services

Cons

• Can be expensive, particularly for smaller organizations or those with limited budgets

Pricing

NetSPI is a quote-based tool. Potential buyers can contact the sales team for custom quotes. They can also request a demo to better understand the platform. You can also visit AWS Marketplace to subscribe to this solution.

Pentera

Best BAS tool for ​​automated security validation

Formerly known as Pcysys, Pentera has emerged as another top BAS solution in a field that has attracted a number of Israeli security startups.

Started in 2015, the Pentera Automated Security Validation (ASV) Platform inspects internal and external attack surfaces to emulate the latest threat behavior. With a Series C round worth $150 million in January 2022, Pentera has the resources to continue growing.

Pentera Features

• Continuous validation: The platform validates an organization’s security programs, such as defense controls, security policies, password configurations, and critical assets in near-real time.
• Agentless: Pentera is a fully automated platform that provides immediate discovery and exposure validation across a distributed network infrastructure.
• Model attacker behavior: Pentera enables security teams to emulate malicious actors, providing insights needed for anticipating and preventing an attack.
• Prioritize remediation: The platform generates a risk-based remediation roadmap with a focus on high-priority systems.
• Attack surface management: Detect known and unknown exposures, external and internal, to identify attacker’s most attractive target.

Pros

• Remediation priority capability
• Easy to deploy and intuitive
• Efficient technical support
• Offers different testing scenarios, including black box, gray box, targeted test, and AD strength assessment tests

Cons

• Users reported difficulty understanding the documentation
• Some users say the scheduler is not flexible

Pricing

Pentera does not publicly disclose pricing information. However, they do offer a free demo of their software, which could be requested by contacting their sales team. Contact the vendor for a custom quote.

Scythe

Best BAS tool for real-world adversary emulation campaigns

Launched in 2018, Scythe is an adversary emulation platform offering services for red, blue, and purple teams to optimize visibility into risk exposure.

Available as a SaaS or on-premises solution, the Virginia-based startup also offers developer-friendly clients a software development kit to create custom validation modules in Python or native code.

Scythe Features

• Visibility: The platform offers real time visibility of “real-world risk posture and exposure.”
• Prioritize remediation: Scythe prioritizes vulnerabilities to focus on the highest-risk issues.
• Threat library: Scythe’s public threat library helps organizations be prepared for both known and unknown threats.
• Reports: The platform allows users to customize reports. Scythe also offers insights and prioritized recommendations to help users remediate critical issues quickly.

Pros

• Customizable tool
• Supports red, blue, and purple teams
• Increases detection and reduces response times

Cons

• Training is limited to live online and documentation
• Lacks integration with Check Point IPS and Infinity

Pricing

Scythe serves enterprises, consultants and managed service providers. Their price is tailored to the customer’s needs and requirements. To get a quote, you will need to contact their sales team, and you can also request a demo to gain a better understanding of the product.

Skybox Security

Best BAS tool for integration with data sources

Twenty years after its founding, Skybox Security’s stack of products include threat intelligence, vulnerability control, network assurance, change management, and firewall assurance to form the Security Posture Management Platform.

Alongside a robust set of integrations, Skybox offers organizations visibility into IT and OT infrastructure, path analysis, and risk scoring.

Skybox Security Features

• Vulnerability discovery: The platform allows organizations to gather, aggregate, and normalize data from scanners, EDR, CMBDs, security controls, network technologies, OT assets, and Skybox threat intelligence.
• Vulnerability assessment and prioritization: Assess and prioritize remediation with precise risk scores (CVSS, exploitability, importance, exposure).
• Rule optimization: Conduct analysis, optimize, and audit firewall rules; remove redundant, shadowed, or overly permissive rules.
• Context-aware change management: Gain visibility, assess rule and policy changes, spot misconfigurations, and identify potential vulnerability exposures.

Pros

• Attack surface visibility
• Path analysis and risk scoring capability
• Extensive integration with third-party services

Cons

• Some challenges with customized reports
• Technical support could be more responsive

Pricing

Skybox Security does not list pricing. To obtain pricing information, customers must contact the company directly. It’s also available on Azure.

Tenable

Best BAS tool for analytics and attack surface visibility

A longtime leader in vulnerability management, Tenable continues to look to the future of cyber exposure management while organizations undergo digital transformation.

Started in 2002, the Columbia, Maryland-based cybersecurity vendor’s portfolio includes solutions for ransomware, zero trust, application security, and a range of compliance and security frameworks.

Tenable Features

• Visibility: Provides a unified view of all enterprise assets and associated software vulnerabilities, configuration vulnerabilities and entitlement vulnerabilities, whether on-premises or in the cloud, to identify risk exposure.
• Predict and prioritize: Protects organizations against cyber attacks.
• Eliminate attack paths: Maps critical risks to the MITRE ATT&CK framework to visualize all possible attack paths on-premises and in the cloud.
• Comprehensive asset inventory: The platform provides comprehensive visibility into an organization’s assets and exposures (vulnerability management, web app security, cloud security and active directory security).

Pros

• Transparent pricing
• Attack surface management
• Attack path analysis
• About 500 prebuilt scanning policies

Cons

• Users report that the vulnerability scanning engine has high false positives and negatives
• Users say Tenable support response could be quicker

Pricing

Tenable offers four pricing plans. They include:

Nessus Professional

•  1 Year – $3,644.25
•  2 Years – $7,106.29
•  3 Years – $10,386.11

Nessus Expert

• 1 Year – Promotional price: $5,364.25 (Actual price $8,051.75)
• 2 Years – Promotional price: $10,460.29 (Actual price $15,700.91)
• 3 Years – Promotional price: $15,288.11 (Actual price $22,947.49)

Tenable Vulnerability Management

Pricing for this plan depends on the number of assets. They rates below are for 65 assets (minimum number of assets supported for this plan)

• 1 Year – $2,934.75
• 2 Years – $5,722.76
• 3 Years – $8,364.04

Tenable Web App Scanning

• 5 FQDNs – $3,846.35

Add-ons

• Advanced Support: $430 (24×365 access to phone, email, community, and chat support)
• On-Demand Training: $268.75 (1 year access to the Nessus Fundamentals On-Demand Video Course for 1 person)

Honorable Mention BAS Solutions

With so many options out there, it can be difficult to know which BAS vendor is right for you. The following companies offer a range of features and capabilities that make them viable options for organizations looking for comprehensive security defense.

Aujas

Aujas services include identity and access management, risk advisory, security verification, security engineering, managed detection and response, and cloud security.

Detectify

Detectify is a security solution designed to help AppSec and ProdSec teams protect their external attack surfaces. Their core products include surface monitoring and application scanning. Detectify solution can be used for attack surface protection and other uses.

DXC Technology

DXC Technology is a Fortune 500 global IT services provider headquartered in Ashburn, Virginia. It was formed in 2017 by the merger of the former Hewlett Packard Enterprise’s Enterprise Services business and Computer Sciences Corporation (CSC). Its services include technology consulting, cloud and mobility solutions, application services, and business process services.

Foreseeti

Foreseeti is an automated cybersecurity risk management platform that helps organizations reduce their cyber risk and improve their security posture. Foreseeti enables organizations to quickly identify security gaps, prioritize cyber risks and create action plans to reduce those risks.

Keysight

Keysight BAS platform enables organizations to simulate cyber attacks and rapidly detect, respond and remediate threats. The platform provides a comprehensive view of the security posture of an organization, enabling customers to assess their level of risk and reduce their attack surface. Keysight achieves this via its security solutions, including Threat Simulator, ThreatARMOR and Security Operations Suite.

NeSSi2

NeSSi2 (Network Security Simulator) is an open source tool for network security simulation. NeSSi2 includes a graphical user interface and a library of components that can be used to build, configure, and monitor simulations.

NopSec

NopSec is an enterprise cyber security platform that helps organizations discover and manage vulnerabilities, detect and respond to threats, and automate security operations. It provides a comprehensive cybersecurity platform with a wide range of capabilities, including vulnerability management, risk simulation and attack, threat detection and response, and security automation.

ReliaQuest

GreyMatter Verify is ReliaQuest‘s BAS platform. It allows security operations teams to simulate breaches and identify gaps in their security posture. 

What is Breach & Attack Simulation Software?

Breach and attack simulation solutions go beyond vulnerability assessments, penetration testing, and red teaming by offering automated and advanced breach simulation.

To test the strength of network security, organizations must put themselves in the shoes (or hoodies) of malicious actors. Security teams lean on existing threat intelligence, outsource system auditing to cybersecurity firms, and pray they fend off the next advanced attack. As a software, hardware, cloud, or hybrid solution, BAS offers the latest in automated vulnerability management, risk analysis, and network testing.

Why Do Companies Use BAS?

Malicious attacks and advanced persistent threats (APTs) pose a constant risk to SMBs and enterprise organizations. In response to the ever-evolving nature of threats, several security tools have evolved to address rapidly changing threats, among them vulnerability assessments, penetration testing, red teaming, and breach and attack simulation.

Without disrupting business continuity, these methods can test attacks and other malicious activities and provide valuable insight into defensive needs.

While pentests can take as much as a couple of weeks, red team assessments typically last 3-4 months. Those human tests yield important insights, but they’re expensive. To augment those practices, BAS offers an around-the-clock automated solution.

BAS Features

Given the wide range of breach and attack simulation tools, features can vary, but a few in particular help to automate vulnerability management.

APT Simulation

Breach and attack simulators assess and verify the most recent and advanced tactics, techniques, and practices (TTP) circulating the globe.

Advanced persistent threats, in particular, are daunting to organizations due to social engineering, zero-day vulnerabilities, and an incredible capacity to go unnoticed and undetected. No tool is guaranteed to stop every attack. Still, a BAS system can make APT attacks harder by detecting zero-day vulnerabilities and identifying potential attack routes for malicious actors moving through a network.

Automated vs. Manual

For penetration testing, red teaming, or in-house security audits, organizations and third-party security contractors are responsible for manually designing and executing each passthrough. Whether the scan was targeting a critical asset or doing a vulnerability assessment of the entire network, manual network testing is resource-intensive and expensive.

BAS solutions have the technological prowess to augment these tests by automating the deployment of custom scans and attacks pertinent to the specific network, informed by threat intelligence feeds and the broader industry ecosystem.

Real-Time Insights

Malicious actors don’t care what time it is and will gladly take advantage of a small window of opportunity. Given this, SMB and enterprise organizations know that 24/7 monitoring is necessary, or at least an objective in progress.

Firms can save internal resources devoted to vulnerability and attack simulations by outsourcing BAS. Network administrators can rest better knowing that vulnerabilities should result in a timely notification.

Flexible For Evolving Infrastructure

Organizations moving to the cloud or considering alternatives to on-premises infrastructure require a solution covering everything. As a newer technology, breach and attack simulation can deploy to most infrastructures or network segments, including organizations moving towards a hybrid cloud or SD-WAN.

Add to this the headaches caused by mergers and acquisitions. For a global economy chock full of digital transformation and network changes, deployment flexibility for diverse environments is critical.

Deployment Options for BAS

There are a number of ways to deploy a BAS tool. Here are the main ones.

Agent-Based Vulnerability Scanning

The most straightforward deployment of BAS is the agent-based method. Similar to a vulnerability assessment but offering more visibility, this approach means placing agents in an organization’s LAN to continue testing network segments.

A critical downside to the agent-based method is its lack of oversight of the perimeter and, typically, an inability to exploit or validate vulnerabilities. That said, the agent-based process for deployment is still an improvement from past tools, thanks to its ability to report vulnerabilities and map out potential attack routes.

Malicious Traffic-Based Testing

Monitoring traffic, including malicious packets, is an inherent component of any modern cyberinfrastructure. Whether it’s an NGFW, IDPS, SIEM, EDR, NDR, or a combination of these tools, comprehensive solutions to address risks are a focal point for advanced network security. The malicious traffic-based testing approach attacks the network to identify vulnerabilities and – more importantly – report instances where core security solutions like IDPS and SIEM miss malicious traffic.

Like agent-based scanning, several agents in virtual machines (VMs) sit positioned throughout the network. Using a database of breach and attack scenarios, these VMs serve as the targets for testing. However, like the agent-based method, the traffic-based deployment option also leaves your perimeter out of the equation.

Black Box Multi-Vector Testing

The most advanced approach to BAS typically involves cloud deployment of agents to network locations, while the software solution maintains communication with the BAS platform. Unlike the previous two methods, the black box multi-vector approach for deployment includes analysis for perimeter-based breaches and attacks.

Much like the classic black box example for agent-machine I/O, this method aims to test as many inputs on multiple attack vectors to detect malfunctions. Suffice it to say that this method is the most desirable for enterprises because it offers the most visibility into its defensive posture.

Bottom Line: Breach and Attack Simulation Tools

When honing a skill, the saying goes, “practice makes perfect.” And then someone interjects, “Actually, perfect practice makes perfect.”

While maybe a bit too literal, they’re right in the context of cybersecurity. Threats today require proactive defensive strategies and can’t wait to be attacked to prepare. All it takes is one hidden misconfiguration and an advanced TTP for a network to fall victim to malicious actors.

Pen testing and red team services continue to make defenses more robust, offering critical insight into vulnerabilities, breach detection, and attack vectors. Breach and attack simulation is a natural step for SMB and enterprise organizations that require the latest cybersecurity tools. In an age where APTs wreak massive damage to critical and sensitive infrastructures, the need for constant, active scanning for the newest threats makes sense.

Read next: AI Will Save Security – And Eliminate Jobs

This updates a July 2022 article by Sam Ingalls

The post 19 Top Breach and Attack Simulation (BAS) Tools appeared first on eSecurity Planet.

By automating GRC practices, GRC tools can help companies prevent the damage and huge fines and losses that can come from failing to protect personally identifiable information (PII) and critical company data.

Many organizations don’t have a good handle on the data they have or how they’re required to protect it. GRC software can give businesses a plan for protecting their most sensitive data, addressing security vulnerabilities, and for limiting damage in the event of a breach.

Here, in our analysis, are the top 10 GRC solutions, followed by features and issues buyers should consider as they look for a GRC tool.

• RSA Archer: Best for Breadth of Features
• LogicManager: Best for Risk Reporting
• Riskonnect: Best for Internal Auditing
• SAP GRC: Best for Real-time Visibility and Control
• SAI360: Best for Monitoring Third-party Access
• MetricStream GRC: Best for Flexibility and Customization
• Enablon GRC: Best for Continuous Assessment
• ServiceNow: Best for Automation
• StandardFusion: Best User Experience
• Fusion Framework: Best GRC tool for Visualization

Top Governance, Risk and Compliance (GRC) Tools Comparison Chart

Archer – Best GRC for Extensive Features

---

Private equity group Cinven recently acquired RSA’s Archer Suite, now operating as Kansas-based Archer Technologies LLC. Archer offers nine risk management solution areas, with four platform options, from streamlined through enterprise. Archer removes silos from the risk management process so that all efforts are streamlined and the information is accurate, consolidated, and comprehensive. The platform’s configurability enables users to quickly make changes with no coding or database development required.

Visit Website

Pros

• Broad GRC capabilities
• Customizable workflow
• Comprehensive dashboard view
• Report customization
• Admins can set access control at the system, application, record, and field levels, allowing users to log in based on their access level

Cons

• User interface could be improved
• The keyword search feature could be better

Pricing

Archer does not list pricing on its website, but pricing per risk area typically starts around $30,000 to $50,000.

Key Features

• IT & security risk management
• Enterprise & operational risk management
• Regulatory & corporate compliance
• Audit management
• Business resiliency
• Public sector solutions
• Third-party governance
• ESG management
• Operational resilience

Screenshots

LogicManager – Best GRC for Risk Reporting

---

LogicManager’s GRC solution has specific use cases across financial services, education, government, healthcare, retail, and technology, among other industries. Like other competitive GRC solutions, it speeds the process of aggregating and mining data, building reports, and managing files.

Visit Website

Pros

• Pre-built and configurable reports featuring heat maps, risk summaries, and risk control matrices
• Allows users to automate workflows
• LogicManager custom profile and visibility rules allow users to configure GRC form input fields to fit specific scenarios
• Efficient support team

Cons

• Some users say the platform and interface could be more intuitive and easier to use
• Reporting functionality could be improved

Pricing

Pricing for LogicManager is based on the size and complexity of an organization, but can start as low as $10,000 a year.

Key Features

• Enterprise risk management
• IT governance and security
• Compliance management
• Third-party risk management
• Audit management
• Incident management
• Policy management
• Business continuity planning
• Financial reporting compliance

Screenshots

Riskonnect – Best GRC Tool for Internal Auditing

---

The Riskonnect GRC platform has specific use cases for risk management, information security, compliance, and audit professionals in healthcare, retail, insurance, financial services, and manufacturing. It integrates the governance, management, and reporting of performance, risk, and compliance processes company-wide.

Strategic analytics (built into the platform through Riskonnect Insights) provide intelligence by surfacing, alerting, and visualizing critical risks to senior leadership. Riskonnect also boasts tight integration with the Salesforce CRM platform.

Visit Website

Pros

• Riskconnect automates task assignment, document management, data deduplication and data entry
• Dashboards provide risk status and customizable KRIs and KPIs
• Gathers vendor information – including agreements, contracts, policies, and access credentials
• Merges insurable and non-insurable risks for easy management

Cons

• Some users reported that the software implementation process can be difficult
• Steep learning curve

Pricing

Riskconnect doesn’t list prices on its website, but the ESG Governance solution is available to Salesforce users for $25 per user per month. The Riskonnect website also includes an ROI study that may be of value to potential customers.

Key Features

• Risk management information system
• Claims administration
• Internal auditing
• Third-party risk management
• Enterprise risk management
• Compliance management

Screenshots

SAP GRC – Best GRC for Real-time Visibility & Control

---

For large enterprises, SAP’s GRC offering is a robust suite of tools that provide real-time visibility and control over business risks and opportunities. SAP’s in-memory data access provides top-of-the-line big data and predictive analytics capabilities tied to integrated risk management. 

Visit Website

Pros

• Streamline enterprise compliance efforts, document and assess critical process risks and controls, test, and remediate using best practice internal control processes
• SAP security information and event management helps identify, analyze, and addresses cyberattacks in real-time in SAP applications
• Allows admins to restrict, control, monitor, and manage user’s access
• Efficient support team
• Analyze large transactional data in real time, using predictive analysis and extensible rules to detect anomalies, fraud, or policy violations

Cons

• Users report that the solution is pricey for small businesses
• Steep learning curve
• Implementation can be challenging

Pricing

SAP GRC does not publish pricing information on its website. They offer demos and custom quotes. One UK consultancy offers SAP GRC as a Service starting at around US$6,000.

Key Features

• Process control
• Audit management
• Business integrity screening
• Regulation management
• Enterprise threat detection
• Privacy governance and management
• Global trade management
• S/4HANA implementation

Screenshots

SAI360 – Best GRC for employee training & monitoring third-party access

---

SAI360 from SAI Global offers three different editions of its platform to suit a variety of needs, from small businesses needing just the basics to large enterprises needing major customization.

SAI360 catalogs, monitors, updates, and manages a company’s operational GRC needs. It’s specifically focused on monitoring third parties with access to your systems, automating workflows to fill any gaps you might be missing, and creating a culture of compliance best practices among your internal teams.

Visit Website

Pros

• Users can create relationships between elements like risks, controls, policies, applications, and loss events to enhance assessment scores and reporting
• Quality support team
• Easy workflow setup
• Provides a unified view of enterprise risk management

Cons

• Users reported that the solution has limited customization
• Reporting could be improved
• The user interface could be better

Pricing

SAI360 does not provide pricing, and we could find no secondary sources.

Key Features

• Compliance education & management
• IT risk & cybersecurity management
• Environment, health, and safety (EHS) management
• Enterprise & operational risk management
• Audit management
• Business continuity management
• Regulatory change management
• Internal control
• Vendor risk management

Screenshots

MetricStream GRC – Best GRC for Flexibility & Customization

---

MetricStream’s platform is best for organizations that have unique requirements for different sets of users, including auditors, IT managers, and business executives.

MetricStream’s GRC platform is centered around three dimensions of risk: the waves of risk (financial, cyber, human health, and environmental); stakeholder engagement; and organizational agility. This kind of structuring helps you focus on what’s most important at any given moment.

Visit Website

Pros

• Provides mobile apps to support mobility
• Uses AI to remediate issues
• Automate content extraction from SOC2 and SOC3 reports
• Use AI-powered recommendations to categorize observations as a case, incident, issue, or loss event and route them for review, approval, and closure
• Provides insight into risks via advanced analytics, heat maps, reports, dashboards, and charts

Cons

• Reporting could be improved
• Users report that the solution can be buggy

Pricing

MetricStream does not publish pricing information for its solutions. However, AWS marketplace quotes MetricStream CyberGRC Prime for IT risk assessments, reporting, scoring and centralized management at $180,000 for 36 months. Prospective buyers should contact MetricStream directly to request pricing information and schedule a platform demo before making a purchase decision.

Key Features

• Enterprise & operational risk management
• Business continuity management
• Policy & compliance management
• Regulatory engagement & change management
• Case & survey management
• Internal audit management
• IT threat & vulnerability management
• Third-party management

Screenshots

Enablon GRC – Best GRC for Continuous Assessment

---

Enablon GRC is best aligned with businesses of all sizes and industries that place a strong emphasis on sustainability. While it has powerful automation capabilities that reduce—if not eliminate completely—the need for manual processes, Enablon truly shines with its dashboards and reporting tools.

The GRC platform will analyze your data from the top-down or from the bottom-up with the click of a button and help you identify high-level trends with speed and precision. Then you can download relevant data sets and export them as spreadsheets, PDFs, or presentations.

Visit Website

Pros

• Leverage ML/AI to identify potential threats and risk incidents
• Offers self-service channels for faster incident reporting
• Manage KPIs
• Ensures compliance at site, regional and global level
• Mobile capabilities

Cons

• Initial setup can be cumbersome
• Requires comprehensive training

Pricing

Visit Wolters Kluwer’s website to request pricing information and book a demo. Some sources say pricing starts at around $50,000.

Key Features

• Compliance management
• Audit management
• Inspection management
• Document control
• Incident management
• Risk management
• Internal control management
• Internal audit management
• Insurance & claims management
• Business continuity management
• Continuous assessment

ServiceNow – Best GRC Tool for Automation

---

ServiceNow, as the name implies, strives to provide the insight you need now. It uses sophisticated monitoring, automation, and analysis tools to identify risks in real-time, so you can respond to them as efficiently as possible.

ServiceNow GRC simplifies workflow management and tracking for collaboration with internal and external teams and also serves as a valuable project management tool in many cases. Its reporting tools leave something to be desired and could use improvement with its data visualization, but overall it is regarded as a powerful force in the GRC market.

Visit Website

Pros

• Real-time view of compliance across the organization
• Automates workflow with a no-code playbook
• Users can interact with a virtual agent in human language to resolve common issues
• Allows users to manage and assess vendor’s risks
• Manages KRIs and KPIs library with automated data validation and evidence gathering

Cons

• Users report that the solution can be pricey
• Steep learning curve

Pricing

Pricing for ServiceNow GRC is available on request. ServiceNow partner pricing can start at about $3,000 a month, while base licensing can start around $50,000.

Key Features

• Policy & compliance management
• Risk management
• Business continuity management
• Vendor risk management
• Operational risk management & resilience
• Continuous authorization & monitoring
• Regulatory change
• Audit management
• Performance analytics
• Predictive intelligence

Screenshots

StandardFusion – Best GRC for Usability & User Experience

---

StandardFusion offers a range of GRC features for everything from small businesses to enterprises. Ease of use and deployment makes it a strong option for SMBs, but more advanced features will appeal to enterprises too.

It streamlines compliance standards for multiple regulations, including GDPR, HIPAA, NIST, CCPA, and many others. Unlike some GRC vendors, StandardFusion has a very transparent pricing structure, so you won’t be surprised by hidden costs or unexpected fees. User reviews have been very positive, rating the company well above average for ease of use, deployment and support, among other features.

Visit Website

Pros

• Transparent pricing
• Integrates with several third-party tools, including RiskRecon, SecurityScorecard, Slack, Jira, Confluence, ZenDesk, SSP Reporting and POA&M
• Users can generate branded reports
• Manage compliance to multiple standards, such as ISO, SOC2, NIST, HIPAA, GDPR, PCI-DSS, and FedRAMP
• Quality support team
• Free trial available

Cons

• SSO is only available in enterprise packages. It costs an extra $200 per month for Starter and Professional plans.
• The starter plan lacks integration into major third-party apps
• Steep learning curve

Pricing

StandardFusion offers four pricing plans

• Trial: A 14-day free trial is available
• Starter: $1,500 per month, onboarding fee: $7,500
• Professional: $2,500 per month, onboarding fee: $10,000
• Enterprise: $4,500 per month, onboarding fee: $20,000
• Enterprise+: $8,000 per month, onboarding: Dedicated implementation

Key Features

• IT and operational risk management
• Vendor and third-party risk management
• Compliance and audit management
• Policy management
• Incident management

Screenshots

Fusion Framework System – Best GRC for visualization

---

The Fusion Framework System is built on Salesforce Lightning, so it’s an ideal solution for organizations that are already using the newest Salesforce interface.

With the Fusion Framework System, users can map their business from top to bottom and visualize relationships, dependencies, and opportunities. Its click-to-configure user interface and guided workflows make Fusion Framework very user-friendly, and its integrations with other platforms add value to an already flexible tool.

Visit Website

Pros

• Quality customer service team
• Users reported that the solution is highly customizable
• The UI is user-friendly
• Enables users to create guided workflows

Cons

• Steep learning curve
• The report builder could be improved

Pricing

Fusion doesn’t advertise prices on its website. Potential buyers can contact the sales team for custom quotes. However, Salesforce AppExchange notes that pricing starts at $30,000 per company per year. You can also book a free demo to get more information about the product.

Key Features

• Enterprise & operational risk management
• Third-party management
• Business continuity management
• IT disaster recovery management
• Crisis & incident management

Screenshots

What is GRC Software?

Governance, risk, and compliance (GRC) software helps businesses manage all of the necessary documentation and processes for ensuring maximum productivity and preparedness. Data privacy regulations like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) can be hard to navigate for businesses of any size, but GRC tools can simplify and streamline adherence with all compliance demands.

GRC tools are also useful for preventing and addressing vulnerabilities that will inevitably impact your systems, resources, and stakeholders. Further, managing the short-term and long-term policies and procedures of your organization can be challenging without an effective GRC strategy in place.

See the Top Vulnerability Management Tools

Back to top

What Do GRC Tools Include?

Whether you have a small business or a large enterprise, governance, risk management, and compliance will play some role in your business operations and preparedness. As Benjamin Franklin once said, “If you fail to plan, you plan to fail,” and GRC strategies thus help your business avoid failure. This happens through planning for organizational structure, vulnerability monitoring and response, and reporting requirements.

Learn How To Improve Governance, Risk, and Compliance

Governance Management

Governance describes the top-down approach to managing your organization. Your business’s governance strategy is composed of all the business processes and policies that are structured, implemented, and maintained to preserve productive relationships among all stakeholders. It creates a framework that enables your business operations to run like a well-oiled machine. It also ensures that the top officials are receiving the most accurate information needed to make decisions quickly and effectively.

Risk Management

Risk management refers to the measures put in place to prevent, detect, and respond to vulnerabilities that can impact your organization from all perspectives. Specifically, risk management monitors all departments – most importantly IT, finance, and HR – to ensure your broader business goals won’t be impeded or compromised.

It considers all internal risks as well as those presented by working with third-party vendors. This is important because when you choose to work with a third-party vendor, you need to make sure they can be entrusted with your organization’s information and resources. Otherwise, you may be faced with costly data breaches, operational failure, or regulation non-compliance.

In addition to addressing the risks themselves, risk management also involves mitigating any consequences or potential impact on your organization’s infrastructure, resources, and stakeholders.

See the Best Third-Party Risk Management Software & Tools

Compliance Management

Compliance involves your business’s ability to fulfill the obligations set forth by government regulations. It relies heavily on documenting all efforts to meet relevant standards, usually concerning data protection and privacy. Such regulations include the EU’s General Data Protection Regulation (GDPR), the CAN-SPAM Act, the California Consumer Privacy Act (CCPA), and the Health Insurance Portability and Accountability Act (HIPAA).

Also Read: 34 Most Common Types of Network Security Protections

Back to top

What Is the Purpose of GRC?

To use an example of a functional GRC strategy in action, imagine a fictional retail business that sells vitamin supplements. The narrowest component, compliance, ensures that any data they collect is purposeful, the way they store the data is secure, and the way they use the data is appropriate. If they collect health information about prospective customers to match them with the right kinds of vitamins, compliance will help them meet all HIPAA requirements.

The risk management component monitors the security of the business’s infrastructure and technology, the activities of internal teams, and the suitability of prospective external partners. If there’s a phishing attempt that targets the company’s email system, the risk will be recorded, assessed, and dealt with in a way that minimizes damage to the internal systems and information. If there is damage, the risk management strategy will also help recovery efforts regarding the impacted technology and data itself as well as any reputational rehabilitation that may be required.

Perhaps most broadly, the corporate governance component helps the business’s leadership manage the company’s success in meeting short-term and long-term goals. It provides an overview of the financial and operational status at any given moment so that all teams are aware of urgent needs or areas for improvement. It also ensures all internal policies are being upheld and enforced, like paid time off and technology use. Not only does the governance framework promote accountability and corporate integrity, but it also helps optimize the business’s performance.

Overall, a GRC strategy helps make sure every action, resource, and stakeholder is aligned with the business’s broader company objectives.

Which Industries Typically Need GRC Tools?

While finance, healthcare, and manufacturing are probably the first industries that come to mind when you hear risk and compliance, nearly every industry has risk and at least some compliance requirements, so every industry needs some type of GRC tool in place. For example, retailers have PCI DSS compliance to contend with in order to accept credit card information, and any business that interacts with Europe in any way has to abide by GDPR.

GRC software may not be a priority for small businesses, especially those in industries that are not heavily regulated. Typically, their risk and compliance needs can be handled with basic cybersecurity software and business continuity plans. However, enterprises that don’t currently have a GRC framework in place should add the tools as soon as possible. Without them, they’re leaving themselves vulnerable to risk and could compromise their clients’ data.

Back to top

Features of GRC Software

Most of the vendors listed above have been recognized in the Gartner Magic Quadrant for IT risk management as well as Forrester’s GRC Wave. What helps these platforms gain recognition? According to Forrester, a GRC solution should have the breadth and depth to support a wide range of GRC use cases, capabilities to align GRC efforts across multiple business functions, and advanced risk analysis. Most GRC programs employ some combination of features in the following areas to accomplish these goals:

• Risk and control management
• Document management
• Policy management
• Audit management
• IT risk management
• Third-party risk management
• Risk scoring
• Workflow
• Dashboards and reports
• Preconfigured and custom integration
• End-user experience

How To Choose a GRC Solution

With so many GRC solutions in the market today, it can seem like a challenge to know where to begin. Thankfully, there are a few discerning factors that can identify the solution that will be best for you from the crowd.

Ease Of Use

As with many things, a GRC technology is effectively pointless if you can’t figure out how to use it. Once you’ve narrowed your list down to a few platforms, a demo or free trial period might help you discern which one will best match your team’s needs. Pay attention to how accessible the different features are, how everything works together, and how intuitive the platform feels as a whole. Your needs and technical expertise will help guide the solution choice too.

Mobile Application

In today’s mobile world, a GRC platform that offers support for all of your devices is an advantage. When you (and your team) are able to manage your organization’s governance, risk, and compliance efforts from anywhere, you can have peace of mind knowing you’ll be able to address any issues that may arise even when you’re on the go.

Delivery Method

Cloud-based software is the way of the future, so you’re unlikely to find a competitive GRC platform that is not delivered as a Software as a Service (SaaS) product. Here’s why that’s important: SaaS solutions are more cost-effective, easier to implement, and much more flexible to grow alongside your business. Additionally, the SaaS GRC vendor will be responsible for the day-to-day maintenance of the platform itself, meaning your team can focus on the bigger priorities at hand.

Security

A functional GRC platform means all of your organization’s vulnerabilities and regulatory efforts are managed from one place. If that platform is compromised, that means your company’s weaknesses are at risk of being exploited. To avoid these harrowing situations, your GRC platform should include external security features like encryption and user access management. When configured correctly, these security measures will prevent costly breaches and exposures.

Cost

Obviously budget is a major consideration when implementing any kind of technology. The ROI of a GRC platform is a bit hard to measure because you don’t normally think about how well it’s working until something goes wrong. So rather than thinking about how much it costs, also consider the cost of not implementing a GRC platform.

Customer Support

Much like the significance of a GRC platform’s ease of use, the customer support the vendor provides will also determine how effective it is. When something breaks or isn’t working as it should, how will your team be able to fix it? Will there be dedicated support staff at the ready? Is there adequate documentation to guide the troubleshooting process? How quickly and effectively will your needs be addressed? These questions may prove useful when evaluating a platform’s customer support capabilities. Look for service-level agreements to help you answer these questions.

Automation

With the massive amounts of data and events affecting an organization, automation is becoming increasingly important. GRC with automation capabilities will be able to send you alerts the second a vulnerability is identified so your team can jump into action. It can also perform data validation and auditing operations in the background. This means your team won’t have to spend time on manual processes and can instead focus on long-range innovations and more impactful projects. It also ensures that the information you’re reviewing is thorough, consolidated, and free of human error.

Bottom Line: GRC Tools

GRC is more than a software platform or a set of tools. In fact, GRC is effectively a broad framework that helps with decision-making processes, emergency preparedness, and collaboration across all segments of a business.

Any organization, regardless of industry or size, can benefit from a GRC strategy. It will help you optimize performance, stay up-to-date with all compliance requirements, and be proactive in preventing and addressing all threats to your organization. To keep customer data safe, and in turn keep their confidence, you’ll need the right set of GRC tools.

See the Top Cyber Insurance Companies

This updates a June 9, 2022 article by Kaiti Norton

The post 10 Top Governance, Risk and Compliance (GRC) Tools appeared first on eSecurity Planet.

The good news is that patch management and vulnerability management tools can help, and they’re getting more sophisticated all the time. Patch management still isn’t easy — many organizations don’t even know everything that’s attached to their networks, let alone whether it’s patched — but patch management tools can help organizations find what needs to be patched and automate those security fixes.

We’ll cover the top patch management products, followed by buying considerations for those in the market for a patch management solution.

Top Patch Management Software & Tools

• Syxsense Manage: Best for Comprehensive Small Business Security
• Tanium Patch: Best for Distributed Enterprise Networks
• Automox: Best for Automation
• BMC Helix Automation Console: Best for Compliance Automation
• Ivanti Patch: Best All-in-One Solution
• Red Hat Satellite: Best for Linux Environments
• Kaseya VSA: Best for Remote Monitoring & MSPs
• BigFix: Best for Endpoint Management
• Micro Focus ZENworks: Best for Endpoint Patching
• Quest KACE Systems: Best for IT Asset Tracking
• SecPod SanerNow: Best for Remote Patching
• NinjaOne: Best for Unified IT Management
• Key Features of Patch Management Software
• Choosing a Patch Management Solution

Syxsense Manage

Best for Small Businesses in Need of Comprehensive Security

Syxsense Manage is a cloud-based platform that offers patch management and endpoint visibility inside the network and out, and covers all major operating systems and third-party applications too. It includes a wealth of automation features and offers endpoint intelligence with OS, hardware, and software inventory details. The system scans and sets security and patching priorities based on risk. It’s available as SaaS or a managed service.

Key features

• Patch management: Deploy operating system, third-party patches, and Windows 10 Feature Updates for Microsoft, Mac, and Linux devices automatically
• Visibility: Provides endpoint visibility across major OS and IoT devices
• Advanced threat detection: Scan for software vulnerabilities, security compliance violations, and potential security threats with the ability to respond in real-time using advanced threat detection
• Syxscore: The  security assessment tool Syxscore provides NIST and vendor severity assessments of the endpoints in your environment
• Patch supersedence: Automatically exclude superseded patches and include newer ones, saving time and network bandwidth
• Remote control: Admins can access employees’ devices remotely and resolve issues

Pros

• Cross-platform support (Windows, Mac, Linux, iOS, and Android)
• Allows targeted deployment
• Patch rollback in case a patch is buggy
• Three-hour turnaround for the testing and delivery of new patches

Cons

• Some users report a steep learning curve
• Lack of documentation for some advanced features

Pricing

Pricing information is unavailable on the vendor’s website, but Syxsense Manage previously started at $600 a year for 10 devices. Syxsense provides a custom demo and a 14-day free trial period with access to all product features.

Also read: Patch Management vs Vulnerability Management: What’s the Difference?

Tanium Patch

Best for Distributed Enterprise Networks

Tanium Patch enables organizations to deploy the latest critical updates and security patches across their entire IT environment. IT and security teams can determine which systems need patching, identify potential conflicts, and deploy patches at scale without disrupting user productivity. With Tanium Patch, IT operations teams can keep systems up to date with automated patching across the enterprise at speed and scale, as well as monitor patch status across devices. Tanium is well-liked by users but aimed primarily at the large enterprise market. It is pricier than many other solutions and is often included as part of a larger Tanium endpoint suite.

Key features

• Real-time patch visibility and control: Tanium allows users to manage hundreds of endpoints and deploy patches at scale
• One client: This tool allows users to patch multiple endpoints without the need for additional infrastructures such as a secondary relay, database or distribution servers
• Customized patch scheduling and workflows: Deploy a single patch to a computer group and use advanced rule sets and maintenance windows to deploy patches to other groups at scheduled times
• Patching effectiveness tracking: Tanium Patch provides quick feedback on deployment success or failure, patch histories for individual machines, endpoint reboot status and access to vendor knowledge base articles (KBAs)
• Create dynamic lists, rules, and exceptions with custom workflows, and schedule patches based on advanced rules

Pros

• Serves users in a range of verticals, including government (federal, state and local), education, financial services, retail and healthcare
• Enables collaboration between IT security and management personnel to allow them to optimize network security and performance
• Consolidates all historical data on device endpoints, security drivers, firmware, and software version gaps
• Indicates the percentage of outstanding critical patches, which ones should be deployed first to minimize risk, and which endpoints need protection until a patch is available

Cons

• The user interface could be improved
• Users report high CPU utilization

Pricing

While Tanium doesn’t publish pricing, we’ve seen subscription pricing around $7 a month per endpoint. Interested buyers should contact the vendor for custom quotes. They offer a two-week free trial.

Automox

Best for Automation

Automox is a cloud-based patch and configuration management platform that enables users to quickly and easily automate and manage device security and compliance across their IT environment. Automox is a SaaS product backed by investment from leading endpoint security vendor CrowdStrike. Primarily a patch management tool, Automox is gradually expanding its offering as it transforms into an endpoint hardening platform that supports Windows, macOS, and Linux from a single console. It enables continuous connectivity for local, cloud-hosted, and remote endpoints without needing on-premises infrastructure or tunneling back to the corporate network.

Key features

• Integration: Automox integrates with third-party technology such as Rapid7, ServiceNow, SentinelOne, Freshworks, CrowdStrike, and Splunk
• Automated policy enforcement: Set policies to manage or blocklist software, enforce password settings, and lock USB access
• Extensive OS patching tools: Patch, configure and track inventory to quickly remediate vulnerabilities before adversaries can exploit them, plus report the vulnerability status of all devices
• Unified console: Automox allows you to automate cross-OS patch management, enforce patches, security configurations, software deployment, and custom scripting across your Windows, Mac and Linux systems from one console

Pros

• Supports Windows, macOS, and Linux
• Automated continuous patching of OS and third-party applications
• Good integration with CrowdStrike products
• User-friendly interface
• Remotely execute PowerShell based on schedule or group
• Enables seamless collaboration between SecOps and ITOps

Cons

• Knowledgebase could be improved
• Reporting functionality could be better

Pricing

Automox offers three pricing plans, and rates are determined by the number of devices in your environment. All plans are eligible for a 15-day free trial.

Basic: $3 per month per device, billed annually

Standard: $5 per month per device, billed annually (eligible for 10% discounts for over 550 devices)

Complete: $7 per month per device, billed annually (eligible for 10% discounts for over 550 devices)

Also read: Automated Patch Management: Definition, Tools & How It Works

BMC Helix Automation Console

Best for Compliance Automation

BMC Helix Automation Console (previously BMC Helix Vulnerability Management) simplifies patching, remediates security vulnerabilities, and ensures compliance using automation and analytics. It is a hybrid solution deployed in the cloud and uses an automation engine located on-premises for remediation. BMC Helix Automation Console also works with change management to form a closed-loop change management solution. It can manage compliance with regulations and policies and automate remediation of out-of-compliance conditions. The console is built using microservices and containers.

BMC Helix Automation Console integrates with a variety of vulnerability scanners to collect data for IT resources, both on-premises and in the cloud.  After consolidating the vulnerability scanner data collected, it uses analytics to transform that data into actionable information, maps vulnerabilities to assets and patches, helps determine risks and priorities and automates patch acquisition and deployment to remediate security exposures. It also works with BMC Discovery for blind spot detection and change automation with BMC ITSM.

Key features

• Automated remediation: Maps vulnerabilities to servers and patches, identifies severity level and business services affected, schedules remediation, and takes automatic corrective action
• Visibility: Offers real-time insight into security flaws, unmapped assets, missing patches, and misconfigured resources
• Compliance: Ensures that regulations and internal policies are consistently followed to ensure audit preparedness
• Policy-based patching: Reduce patching complexity by utilizing policy-based patching to decrease the required number of patch deployment jobs

Pros

• Intuitive user interface
• Risk scoring for vulnerability prioritization
• Integrates with vulnerability scanners to collect data for on-premises and cloud IT resources; works with discovery solutions to identify blind spots to scan
• Provide insight into vulnerabilities, severities, SLAs, trends, and remediation progress through patch dashboards

Cons

• Reporting feature could be improved
• Advanced features documentation could be better

Pricing

BMC doesn’t publish pricing for Helix Automation Console. Quotes are available upon request.

Ivanti Patch

Best All-in-One Solution

Ivanti Patch offers a solid patching solution, although its product portfolio has gotten a little complex following the acquisition of Shavlik, MobileIron, and Lumension. There are a few options for patching solutions:

• Ivanti Patch for Endpoint Manager (formerly LDMS) can detect vulnerabilities in Windows, Mac OS, Linux, and hundreds of third-party apps, as well as deploy pre-tested patches
• Ivanti Security Controls provides PowerShell and REST APIs to allow for extensive automation of critical workloads
• Ivanti Patch for MEM provides an extensive catalog of updates and has a rapid time to implementation as well as quick discovery from inventory or vulnerability assessments
• Ivanti Neurons for Patch Intelligence: This is a supplemental analytics solution that extends all three of Ivanti’s patch management solutions and helps you achieve faster SLAs for vulnerability remediation efforts via supervised and unsupervised machine learning algorithms

Key features

• Patch management: Patch OS, third-party apps, physical and virtual servers, and systems that aren’t always connected
• Patch virtual systems: Patch online and offline VMs, hypervisors, templates, and third-party applications
• Dynamic allowlisting: Develop policies that are both adaptable and proactive to guarantee that only approved and trusted software can be run on a system
• Third-party application patching: Allows users to access their most vulnerable apps, including Acrobat Flash, Java, and multiple Internet browsers
• Remote patching: Users can patch remote devices regardless of the location or status

Pros

• Vulnerability detection and remediation for various OSes, including Windows, macOS, and Linux, as well as scan and report on AIX, CentOS, and HP-UX vulnerabilities
• Dashboard and reports to assess vulnerability and patch status
• Patch devices anywhere via Wake-On-WAN, booting, do-not-disturb events, and maintenance windows

Cons

• The reporting feature could be improved
• Steep learning curve

Pricing

Ivanti Patch does not advertise pricing on its website, but we’ve seen subscription pricing starting in the $4 to $7 range depending on volume. Prospective buyers should contact the sales team to inquire about product options and receive a custom quote.

Red Hat Satellite

Best for Linux Environments

Red Hat Satellite is an infrastructure management product specifically designed to keep Red Hat Enterprise Linux environments and other Red Hat infrastructure running efficiently, with security, patching, and compliance. Patching is only one small part of a broader platform. But for those operating Linux environments, whether physical, virtual, or cloud, it will often make the shortlist.

Red Hat Satellite can help organizations track, manage, and deploy software updates across their environment and monitor, report on, and diagnose system issues. Red Hat Satellite can manage the life cycle of Red Hat infrastructure and configuration content such as Red Hat data services, virtualization, directory server, certificate system, OpenShift container platform and other software available as an RPM.

Key features

• Ability to define and manage SOE: Ensure SOE (standard operating environment) through security patching, updates, and enhancements 
• Automated patch: Patch hundreds or thousands of systems at once
• Deploy and track Red Hat and third-party software: Deploy all Red Hat and third-party software via Satellite, which provides improved security and tracking of deployed systems

Pros

• Red Hat Satellite Capsule Server instances make this tool highly scalable
• Significantly improves system-to-administrator ratios by automating patch and configuration management, and provisioning
• It allows the admin to identify and quickly respond to vulnerabilities like Shellshock, Heartbleed, and GHOST

Cons

• The user interface can be made better
• Reporting features could be improved

Pricing

Red Hat does not advertise pricing for its Satellite product on its website. Interested buyers should contact a sales representative in their region for custom quotes. Alternatively, potential buyers can fill out the contact form on the website, and a sales representative will get back to them.

Kaseya VSA

Best for Remote Monitoring & MSPs

Kaseya VSA is a cloud-based Remote Monitoring and Management (RMM) platform designed to help IT service providers automate IT management and security processes across multiple devices in an organization. It provides an integrated view of the entire IT infrastructure and delivers actionable insights to help IT professionals proactively monitor and manage IT systems.

Kaseya VSA can help IT teams automate common IT management and security tasks such as patching, asset tracking, and audit and inventory. It also provides features such as remote access and remote control, policy-based scripting, and more.

Kaseya VSA is focused on the MSP market. The suite includes comprehensive IT management, IT automation, and security features. Security includes automated software patch management and vulnerability management, access control via 2-factor authentication, management of backups, and antivirus/anti-malware management from a single interface.

Key features

• Policy-based patch management: Simplify software maintenance with automated, standardized policies, streamlining patch deployment and approvals, scheduling, and installation
• Rapid distribution on and off-network: VSA’s agent endpoint fabric optimizes the delivery of installer packages, eliminating the need for centralized file share or LAN cache
• Scan and analysis: Schedule periodic network scans and analysis to automate software updates without user disruption
• Scheduling control: Its Blackout Windows allow users to suspend operation for a specified period
• Patch override: Deny a patch, KB (knowledge base), or block an update to specific machines, overriding the default patch classification

Pros

• Feature-rich
• Manage multiple devices, including mobile and business IoT
• Support various environments, including on-premise, cloud and hybrid
• Enhances threat detection with EDR, managed SOC, DDoS, WAF, AV and more
• VSA remotely connects and manages various devices, including printers, firewalls, switches, and routers, with one click

Cons

• Steep learning curve
• One user reported that the live connect feature infrequently disconnected

Pricing

Kaseya VSA does not disclose pricing on its website, and potential buyers can contact sales for custom quotes. Those interested in the product can also sign up for a 14-day free trial to test out the product and get a better sense of how it works and what it offers.

Also see the Best Patch Management Service Providers

BigFix

Best for Endpoint Management

IBM sold BigFix to HCL in 2019. The functionality still survives, although the patching side is largely buried among a huge list of other applications and features. HCL BigFix is an endpoint management platform that enables IT and security teams to automate discovery, management, and remediation, whether on-premises, virtual, or cloud—regardless of operating system, location, or connectivity. However, BigFix Patch is offered as a low-cost automated patching tool.  

Key features

• Automate patching: Patches hundreds of thousands of endpoints regardless of type, location, connection, or status.
• Scalability: BigFix manages up to 300,000 endpoints per management server
• Visibility: Provides insight into patch compliance with flexible, near-real-time monitoring and reporting
• Unify patching: Patches almost 100 different operating systems and variants with one platform using HCL-provided content

Pros

• Allows patching across Windows, UNIX, Linux and macOS endpoints
• Remotely wipe a lost device
• Achieves 98% first-pass success rate
• Free trial up to one month

Cons

• Support could be improved
• Reporting functionality could be better

Pricing

BigFix does not advertise pricing on its website, but BigFix Patch can be had for about $3 a client per year. Potential buyers can contact sales for custom quotes, and those interested in trying out BigFix can sign up for a free 30-day trial or book a free demo.

See the Top Endpoint Detection and Response (EDR) Solutions

Micro Focus ZENworks Patch Management

Best for Endpoint Patching

ZENworks Patch Management automates the collection, analysis, and policy-based delivery of patches to endpoints. It provides pre-tested patches for more than 40 different Windows and non-Windows operating systems. It is part of the comprehensive ZENworks endpoint management suite and covers systems, applications, and devices across physical, virtual, and cloud environments.

Key features

• NIST-based: Uses the NIST common vulnerabilities and exposures (CVEs) database to identify and mitigate risk through manual or automated patch deployment
• Policy-based patching: Patching policies can automate patch delivery in defined maintenance windows once compliance rules are set
• Interactive dashboards: Allows users to customize their dashboards to track devices, individual CVE, or software patch status and trends
• OS and third-party apps: Patch Windows, Linux, and Mac systems. It also extends OS update management to iOS and Android with endpoint device management

Pros

• Easy to set up
• Automated job execution
• Scan schedule allows users to control scan time and frequency

Cons

• The user interface could be improved
• Users report that ​​product updates and fixes take time

Pricing

ZENworks Patch Management pricing is not published, so interested buyers should contact a sales representative.

Quest KACE Systems Management Appliance

Best for IT Asset Tracking

Quest KACE Systems Management Appliance is an IT systems management solution designed to help IT administrators to manage their entire IT infrastructure, from desktop to server, in an automated and secure way. It provides a platform for managing all aspects of IT, including patch management, software distribution, asset inventory, security, compliance, reporting and more. With this solution, IT administrators can quickly and easily deploy and manage IT systems, maintain compliance with industry standards and keep their IT infrastructure secure and up-to-date.

The Quest KACE Systems Management Appliance is another worthy contender, but it’s a broader endpoint management tool. It covers various endpoints, including laptops, servers, IoT devices, and printers. It goes beyond patch management to include service desk capabilities, server monitoring, and inventory and asset management, among other features.

Key features

• Inventory and IT asset management: KACE SMA provides hardware and software inventory for Windows, Mac, Linux and UNIX systems, as well as OS and hardware inventory for Chromebooks, using Google APIs
•  Server management and monitoring: Easily configure and integrate KACE SMA’s server log monitoring for Windows, Mac, Linux & UNIX with their service desk and KACE Go mobile app. Expand capabilities with threshold monitoring for CPU, memory and disk metrics, plus monitor for requested applications.
• Patch third-party apps: Patch applications such as Microsoft Office, Zoom, and Adobe Reader
• Software license management: KACE SMA software license management lets users swiftly blacklist apps (like games or those with known vulnerabilities), blocking end users from running them and avoiding security or productivity issues. Generate reports to detect illegal apps, then uninstall them.

Pros

• Supports Windows, Mac OS X, Linux, UNIX, Chrome, iOS and Android
• User-friendly
• Users find the scripting functionality valuable

Cons

• Software distribution is not available on UNIX platforms
• A user reported the KACE Go Mobile App is sometimes glitchy

Pricing

Interested buyers should contact the sales team for quotes. They also offer a 14-day free trial.

See the Top IT Asset Management (ITAM) Tools for Security

SecPod SanerNow

Best for Remote Patching

SecPod SanerNow Patch Management is an automated security solution for businesses and organizations that helps protect against cyber threats. It provides continuous vulnerability assessment, asset discovery, patch management, and compliance reporting. It also features user access control, data protection, and threat detection and response capabilities.

SecPod SanerNow is designed to automate patching. From detection to deployment, it takes care of all aspects of patching on Windows. MAC and Linux, as well as third-party applications. Its pre-tested patches are made available within 24 hours of being released by the vendor.

Key features

• Compliance: Regulate devices with HIPAA, PCI, ISO, and NIST benchmarks
• Automate reporting and provides audit-ready reports: SanerNow offers automated, customizable asset reports for anytime audit-readiness, tracking and reporting IT asset metrics in real-time
• Endpoint health metrics: Allow users to monitor and assess over a hundred endpoint health metrics, such as  settings and configurations, in real-time
• Control: Uninstall apps, block devices, start or stop services, apply security controls, configure kernel and firewall, deploy software, run scripts, and quarantine devices
• Asset discovery: Detect malicious or vulnerable assets across all enterprise devices with an IT asset discovery app, whitelist approved apps and blacklist malicious or outdated assets

Pros

• Supports all major OS platforms such as Windows, Mac, and Linux
• Supports over 400 third-party applications
• Allows role-based access control
• Its database contains over 160,000 vulnerabilities

Cons

• Users reported that the admin dashboard needs improvement
• Documentation could be improved

Pricing

SecPod SanerNow pricing is not publicly available. Contact their sales team for quotes..

NinjaOne

Best for Unified IT Management

NinjaOne (formerly NinjaRMM) can patch endpoints in large numbers. Its automated features can be set up based on the time to deploy or based on various categories. This application combines patching with remote control, scripting, and antivirus.

Key features

• Cross-platform: Patch Windows, Mac, and Linux servers, workstations, and laptops from a centralized platform
• Patch automation: Patch endpoints with zero-touch patch identification, approval, and deployment
• Networkless wake-for-patch: Automatically wake the device before patch scans and updates without the need for wake-on-LAN
• Patch reporting: Report on patch compliance status, failed patch deployments, and known endpoint vulnerabilities

Pros

• Unified management from a single pane of glass
• Efficient support team
• Advanced automation

Cons

• Reporting functionality could be improved
• Documentation could be better

Pricing

NinjaOne uses a pay-per-device pricing model. Prospective buyers should contact NinjaOne sales for custom quotes.

What are Key Features of Patch Management Software?

Patch management tools need certain capabilities to be effective; here are some of those key features.

• Automation: Patching tools need to automate the process of installing multiple patches in a great many systems simultaneously.
• Patch testing and rollback: Patches from vendors should be tested before they are deployed. Left as an in-house function, this is often the bottleneck that prevents timely deployment of patches. Some vendors now offer testing as part of their service. And if a patch goes bad, a rollback feature returns the enterprise to the previous state.
• Cloud functions: Patching tools should at least be cloud-enabled if not cloud-based.
• Discovery: Detection of available updates based on inventory. The system should self-assess and offer guidance on what to install in which sequence.
• Prioritization: There are always more updates than organizations feel they can respond to effectively, so prioritization based on more than vendor severity is critical.
• Cross-platform support: Management of all endpoints from one centralized location, including cross platform support, for Windows, MacOS, and the many versions of Linux.
• Reporting: Most want to understand the compliance of their environment and see overall insights on patching needed to show that SLAs are being achieved.

Also read: Patch Management Policy: Steps, Benefits and a Free Template

How Do You Select Patch Management Software?

Choosing new or replacement patch management software can be challenging. Many vendors appear to offer similar features, and many are also part of larger IT management suites. Here are a few tips to ease the selection process.

• Cloud or on-premises: If the application is installed inside the corporate firewall, additional hardware and software may be involved. On-premises systems may struggle to patch devices outside the firewall.
• Maintenance & support: Some vendors charge extra for maintenance, others roll it into one SaaS price. And check support quality and any limitations.
• Bandwidth: It is important to test solutions to determine how much bandwidth a patch consumes. If a lot of systems are being patched, some tools can strain network capacity.
• Agents: Most patch management tools use agents to establish a connection between the endpoint and the management cloud/server. It is important to understand how the agent functions and to research any performance overhead it may create. Some poll the server every 60 minutes, which can delay the completion of urgent tasks. Others have an always-open connection.
• OS & app support: Check to see what operating systems the tool supports, whether Windows, Mac, or Linux, as well as cloud platform and application support.

Bottom Line: Patch Management Tools & Software

Patch management is not an optional cybersecurity practice, and the companies that are best at it perform patch management continuously. That’s not easy for a company that doesn’t have the staff or sophistication for an intensive process, so choose the patch management tool that best makes the job easier for your organization.

Read next:

• Patch Management Best Practices & Steps
• Top Vulnerability Management Tools
• Top Breach and Attack Simulation (BAS) Vendors

Drew Robb contributed to this research report

The post 12 Best Patch Management Software Solutions & Tools appeared first on eSecurity Planet.