Pentest automation that replaces your glue scripts.
You already know how to run nmap, nuclei, and sqlmap. You're tired of the folder full of half-finished tool outputs, the bash scripts that work for you and break for everyone else, and the manual evidence capture that takes longer than the actual testing. Pentest automation in SimpleSec is the version of that workflow that ships — with adapters, an evidence chain, approvals, and an audit log.
The pentest workflow tax
Every operator who's done more than a handful of pentests has the same problem. The work isn't running nmap. The work is everything around it — kicking off subfinder, piping into httpx, deduplicating results, deciding what to run next, capturing output that's reproducible enough to put in a report, formatting the report itself. The actual offensive technique is maybe 30% of an engagement; the other 70% is workflow tax.
Pentest automation is the discipline of paying that tax once. You write the tool adapters, the planner that sequences them, the evidence capture format, the report generator — and then every engagement runs on that infrastructure instead of rebuilding it. SimpleSec is what you'd build for yourself if you had six months and the patience.
The argument isn't that human pentesters are bad at this. It's that they shouldn't be doing it. The creative, valuable work happens in the 30%. Pentest automation moves the 70% off the operator and onto a system that does it the same way every time.
What pentest automation actually does per step
Side-by-side comparison of the manual workflow and how SimpleSec automates each step. If you've run these phases by hand, the manual equivalents will be familiar; the automated step is what gets to be different.
Target intake
An engagement record gets created. Scope, allowed time windows, destructive-action policy, and notification routing are all written into structured fields the planner checks against later.
Manual equivalent: A pentester writes scope into a doc. Maybe.
Recon orchestration
Pentest automation runs subfinder, naabu, httpx, dnsx, and katana in parallel where dependencies allow, feeding results into an asset graph as each tool finishes. Output gets parsed and deduplicated.
Manual equivalent: Shell scripts piping subfinder → httpx, with manual deduplication and a folder full of CSVs.
Enumeration planning
The planner reads the asset graph and decides what to run next. Nuclei templates fan out across web targets the recon phase actually surfaced. ffuf fuzzes paths discovered by katana. wpscan only runs against hosts whatweb fingerprinted as WordPress.
Manual equivalent: A pentester reads nmap output, decides which tools apply, types commands.
Validation
Pentest automation promotes findings from suspected to confirmed only with proof. SQL injection findings trigger sqlmap. Credential candidates get tested against live services. Database schemas are enumerated to demonstrate impact.
Manual equivalent: Manual sqlmap runs against suspicious parameters. Notes in a markdown file.
Evidence capture
Every step writes a structured evidence record: the raw tool output, the command that produced it, the parsed finding. This is what makes pentest automation reproducible.
Manual equivalent: Screenshots. Maybe a tmux scrollback. Hopefully the operator remembered.
Reporting
Findings auto-map to AttackForge with CVSS scoring from NVD, remediation templates, and attack scenarios. PDFs, CSVs, and JSON export from the same engagement record.
Manual equivalent: A pentester opens a template, copy-pastes findings, formats screenshots, calculates CVSS by hand.
Inside the pentest automation engine
Five layers, in order from outermost to innermost. The phase machine controls workflow progression. The LLM planner picks actions within a phase. The rule-engine fallback handles cases the LLM is unsure about. The approval gate sits in front of destructive actions. The tool adapters do the actual work.
Phase machine
Deterministic. The pentest moves through recon → enumeration → validation → (internal/AD if agent connected) → report. Each phase has explicit entry and exit conditions. The planner can't skip ahead.
LLM planner
Within a phase, an LLM proposes the next action based on the current asset graph and what's already been tried. Proposed actions get sanitized against detected services — no nuclei templates against a Postgres port, no WordPress tests on a static site.
Rule-engine fallback
Deterministic. When the LLM is uncertain (low confidence on what to try next, or no useful proposal), the rule engine takes over. Hardcoded heuristics from the offensive-security playbook: 'if HTTPS is open and the cert is expired, run testssl; if SMB is exposed, run netexec smb.'
Approval gate
Destructive actions (credential spray, exploit execution) don't leave the orchestrator without admin approval. The planner queues them; an operator with the right role signs off. Audit log captures the decision.
Tool adapter
Each of the 35+ tools has a thin adapter: input shape, command builder, output parser. The planner never types raw shell. The adapter is what guarantees that 'run nmap' always produces a structured result the planner can reason about.
Extending pentest automation with your own tools
Each tool in SimpleSec is a Python adapter — typically a few hundred lines. The adapter declares its input shape (arguments the planner can pass), implements a command builder (the shell invocation that actually runs), and implements an output parser (turning stdout into structured findings the planner can reason about). That's it.
Custom adapters live alongside the 35+ built-in adapters and are picked up by the planner automatically. Pro-tier customers can ship private adapters the platform executes but doesn't open-source — useful for proprietary internal tooling or commercial scanners you've already licensed.
Input shape: Pydantic model of arguments the planner is allowed to pass.
Command builder: Returns the literal argv the adapter will execute.
Output parser: Turns stdout into Finding records the planner consumes.
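To make the three-part adapter contract concrete, here is an added example in the same shape (not SimpleSec's own code; the class names, the Finding record and the adapter interface are assumptions, and stdlib dataclasses stand in for Pydantic so it runs offline). It parses nmap grepable output, which the page does not show, and rejects any target that is not an IP or CIDR before it can reach argv.

```python
# Hypothetical SimpleSec-style nmap adapter (example code, not the product's own).
# stdlib dataclasses stand in for the Pydantic model the page describes.
from collections import namedtuple
from dataclasses import dataclass
import ipaddress
import re

@dataclass(frozen=True)
class NmapArgs:
    """Input shape: the only arguments the planner is allowed to pass."""
    target: str                  # IP or CIDR only in this example; hostnames rejected
    ports: str = "1-1000"
    version_detect: bool = True

    def __post_init__(self):
        # Validation is the contract: nothing that isn't a network reaches argv.
        ipaddress.ip_network(self.target, strict=False)
        if not re.fullmatch(r"[\d,\-]+", self.ports):
            raise ValueError("ports must be digits, commas and ranges only")

Finding = namedtuple("Finding", "host port proto service banner")

def build_command(args: NmapArgs) -> list[str]:
    """Command builder: returns literal argv; the planner never types shell."""
    argv = ["nmap", "-oG", "-", "-p", args.ports]
    if args.version_detect:
        argv.append("-sV")
    return argv + [args.target]

# Grepable port entry: port/state/proto/owner/service/rpc_info/version/
_PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")

def parse_output(stdout: str) -> list[Finding]:
    """Output parser: nmap -oG lines -> Finding records for open ports only."""
    findings = []
    for line in stdout.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for port, state, proto, service, banner in _PORT_RE.findall(ports_field):
            if state == "open":
                findings.append(Finding(host, int(port), proto, service, banner.strip()))
    return findings

# Constructed sample of grepable output (not a real scan result).
SAMPLE_OUTPUT = (
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/, "
    "443/closed/tcp//https///\tIgnored State: filtered (997)\n"
)
```

Closed ports never become findings, so the planner's asset graph only sees what it can act on.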
The part of pentest automation people skip
Most pentest automation projects skip approvals. They assume the operator is sitting at the console watching the run. In reality, the operator is doing two engagements at once, the run starts at midnight, and "fully autonomous" automation eventually fires a credential-spray attack the operator wouldn't have approved.
SimpleSec gates destructive actions (credential spray, exploit execution) behind admin approval by default. The planner queues them; an operator with the right role signs off. The audit log captures the decision, the reasoning, and the timestamp. This is what makes pentest automation safe to leave running.
Approvals are configurable per engagement — a hardened internal-only engagement can lift the gate on certain action types; a customer-facing external engagement leaves them all in place. Either way, the audit log knows.
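As an added example of the approval gate described in this section and under 'Approval gate' above (not SimpleSec's own code; the class names, role names and log fields are assumptions), a gate that queues the destructive action types the page names, lets only a permitted role decide, records reasoning and timestamp, and honours a per-engagement lift of the gate:

```python
# Hypothetical approval gate in the shape the page describes (example code, not SimpleSec's
# own): destructive action types queue until a permitted role signs off; every decision is logged.
from dataclasses import dataclass, field
from datetime import datetime, timezone

DESTRUCTIVE = {"credential_spray", "exploit_execution"}   # gated by default

@dataclass
class Engagement:
    name: str
    approver_roles: set = field(default_factory=lambda: {"admin"})
    ungated: set = field(default_factory=set)   # per-engagement lift of the gate for given types

@dataclass(frozen=True)
class Action:
    action_type: str
    target: str

class ApprovalGate:
    def __init__(self, engagement: Engagement):
        self.engagement = engagement
        self.pending: dict[int, Action] = {}
        self.audit_log: list[dict] = []
        self._next_ticket = 1

    def _record(self, event: str, **fields) -> None:
        # Every entry carries a UTC timestamp and the engagement it belongs to.
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "engagement": self.engagement.name, "event": event, **fields})

    def submit(self, action: Action) -> str:
        """Planner entry point: 'run' if the action may execute now, else 'queued'."""
        if action.action_type in DESTRUCTIVE and action.action_type not in self.engagement.ungated:
            ticket, self._next_ticket = self._next_ticket, self._next_ticket + 1
            self.pending[ticket] = action
            self._record("queued", ticket=ticket, action=action.action_type, target=action.target)
            return "queued"
        # An ungated destructive action still leaves a trace that the gate was lifted.
        self._record("run", action=action.action_type, target=action.target,
                     gate_lifted=action.action_type in DESTRUCTIVE)
        return "run"

    def decide(self, ticket: int, operator: str, role: str, approve: bool, reasoning: str) -> str:
        """Operator sign-off: only roles the engagement names may decide; denials are logged too."""
        if role not in self.engagement.approver_roles:
            self._record("approver_rejected", ticket=ticket, operator=operator, role=role)
            raise PermissionError(f"role {role!r} may not approve destructive actions")
        action = self.pending.pop(ticket)
        self._record("approved" if approve else "denied", ticket=ticket, operator=operator,
                     role=role, action=action.action_type, reasoning=reasoning)
        return "run" if approve else "dropped"
```

Denials and rejected approvers are logged alongside approvals, so the audit trail shows what the planner wanted to do as well as what it was allowed to do.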
Pentest automation — frequently asked
What is pentest automation?
Pentest automation is the practice of replacing manual, operator-driven penetration testing workflow steps with software. SimpleSec is a pentest automation platform: an AI planner sequences 35+ industry-standard offensive-security tools through the recon → enumeration → validation → reporting workflow, with deterministic adapters calling each tool and parsing output. The result is the same pentest a human would run, executed without the glue scripts and folder-full-of-text-files most pentest workflows accumulate.
How do I automate a penetration test workflow?
The two real options: build it yourself (write scripts that call each tool, parse output, manage state, handle authentication, deduplicate findings, generate reports) or use a pentest automation platform like SimpleSec that does all of that. The 'build it yourself' path is harder than it looks — most teams end up with a fragile pipeline of shell scripts that work for the operator who built them and break when anyone else tries to run them. SimpleSec is the version of that pipeline that ships with adapters, evidence capture, an approval workflow, and an audit log.
Can pentest automation replace my custom scripts?
For the operator-undifferentiated parts of the workflow, yes — and that's most of them. Recon, enumeration, validation, and reporting are the same steps on every engagement; pentest automation does them faster, more consistently, and with better evidence than a folder of bash scripts. The custom parts of your workflow (engagement-specific exploitation, internal proprietary tooling) stay manual or get wrapped into a custom adapter. The SimpleSec adapter format is straightforward — input contract, command builder, output parser.
What's the architecture of pentest automation in SimpleSec?
Five layers: a phase machine (deterministic, controls workflow progression), an LLM planner (proposes next actions within a phase), a rule-engine fallback (handles cases where the LLM is uncertain), an approval gate (admin sign-off on destructive actions), and a tool adapter layer (each tool has a thin Python adapter with input shape, command builder, and output parser). Findings flow into an evidence store with three layers: raw output, command log, parsed record.
How do I add my own tools to pentest automation?
Each tool in SimpleSec is a Python adapter — a few hundred lines on average. The adapter declares its input shape (what arguments it accepts), implements a command builder (what shell invocation to produce), and implements an output parser (how to turn the tool's stdout into structured findings). Custom adapters live alongside the 35+ built-in adapters and get picked up by the planner automatically. Pro-tier customers can ship adapters that the platform runs but doesn't open-source.
Does pentest automation lose the creativity of a human pentester?
Some of it, yes. Pentest automation is excellent at the repetitive, methodical parts of an engagement — coverage, consistency, evidence capture — and weaker at the creative, business-logic parts where a human reads an application like an attacker would. The realistic answer: pentest automation handles the 80% that's the same on every engagement; humans handle the 20% that's differentiated. That's not a downgrade. It's the same split a senior pentester applies internally when they decide what to delegate.
Stop building the same workflow on every engagement.
Pentest automation that ships with adapters, evidence chains, approvals, and an audit log. Self-serve signup; the first test lands in minutes.