Core Impact takes pen testing off your hands

15.08.2006

So, whatever happened to human-conducted pen testing? Core officials point out a few advantages to automating the process, including the ability to bring the work in-house, network safety and stability during testing, elimination of false positives, improved reporting, and quality control. In addition, Core Impact's console makes running the exploits themselves simple -- leaving the possibility of handing off that job to junior staffers, while senior managers concentrate on higher-level issues and solutions.

Mark Odiorne, chief information security officer at insurer Scottish Re, characterizes automated pen testing as "another bullet in [his] belt." His user installation is highly mobile -- "we're a company full of VPs, and everybody travels. I've got more laptops than desktops by far, and our endpoints do seem to be where we get attacked" -- and he characterizes automated pen testing as a time-saving strategy that allows him to prove to his own satisfaction and to management that vulnerabilities are patched or otherwise mitigated. He uses both automated and hands-on testing as needed.

As an insurance firm, Scottish Re is subject to the mandates of the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act as well as a host of industry-specific security regulations. Auditors, Odiorne finds, may still raise an eyebrow at the prospect of automated testing, but the numbers make sense. "Some of the auditors kind of question it, but I explain that I can scan vulnerabilities all day long but I still have to prove whether or not a vulnerability applies to us. I can use the Core exploit framework to prove whether a vulnerability needs to be patched or even can be patched."

A one-year unrestricted license for Core Impact 6, covering an unlimited number of network users, is US$25,000. Customers with currently valid licenses can get Version 6.0 at no additional cost.