Automation, Pentesting and Red Teaming: the triad for vulnerability management

July 1, 2025

The data on vulnerability disclosure and exposure growth paints a chilling picture of the threat landscape. In 2015, only 6,494 vulnerabilities were reported; by mid-2025, with an average of 110 new CVEs created per day this year, we have already reached 22,717 CVEs at the time of writing this article.

This makes risk management associated with these vulnerabilities an increasingly complex priority, due to the speed required to run detection tests and apply necessary mitigations for each threat, as well as the varying risk levels in each report.

As with everything in Cyber Security, this calls for a process and ongoing evolution that involves technology, procedures and people as the foundation for continuous improvement. One common action repeated across many organisations—yet rarely providing significant value—is performing one or two Ethical Hacking or Pentest exercises per year, targeting only a sample of the organisation’s systems or servers.

With an average of 110 new CVEs created daily in 2025, the threat landscape demands faster and more intelligent risk management.

This practice is rooted in certification standards introduced back in 2012, which required one or two vulnerability scans per year, along with evidence of mitigation efforts. At that time, this approach was valid, considering the volume of reported threats and the technology available. But today, it falls well short of what’s needed.

Carrying out such an exercise requires a seasoned offensive security specialist and at least three days to assess a single asset. Therefore, this resource should be deployed strategically—focused on assets identified through more automated analysis as having high or critical threats. In organisations with critical assets or more robust Cyber Security systems, these tests should go a step further, helping validate the full protection framework.

Let’s start with the basics

If your organisation is just beginning to implement Cyber Security processes—or only conducts Pentests for compliance—you’ll likely find that most reports reveal a high volume of medium and low-level vulnerabilities.

These often go unresolved by development or IT teams responsible for remediation, and in some cases, remain unaddressed for years. What’s more concerning is that only a fraction of the infrastructure is tested due to the cost of a comprehensive Pentest, allowing threats across the network to grow and spread unchecked.

For this reason, our recommendation for over a decade has been to carry out persistent, automated security testing. An automated offensive service should be the first step any organisation considers in its vulnerability management process.

Performing one or two Pentests per year is no longer enough to contain the scale and speed of modern cyber threats.

This automation can be applied across the entire network, exposed web services and even to assess the attack surface—delivering a more complete risk and exposure map to the Cyber Security team. This happens in much less time than a semi-annual Pentest—almost in real time—and through a console that enables continuous tracking of mitigation actions.

So, what should I do with the high and critical risks?

With that map in place and after at least a year of monitoring, not only will mitigation measures have improved, but monitoring will be better aligned to detect exploitation attempts—not just general alerts typically configured in SOCs.

This approach also enables leadership to make decisions based on actual risk. One such decision could be to carry out a much deeper Penetration Test or Ethical Hacking exercise than what automated monitoring offers. The goal is for skilled professionals not only to detect vulnerabilities, but to actively attempt to exploit them—demonstrating the real threat level and uncovering gaps that only expert insight can reveal.

An automated offensive security service should be the first step any organisation takes in its vulnerability management process.

Additionally, this testing helps validate monitoring alerts and the mitigation actions taken, strengthening defensive procedures or highlighting the need for new technologies, process changes or team training.
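The workflow described in this section (continuous automated findings feeding a risk map, high and critical assets queued for a deeper manual Pentest, and remediation tracked against deadlines) can be made concrete with a small triage script. The code below is an added illustration and not part of the original article or any product it describes; the severity bands follow the standard CVSS qualitative ratings, while the SLA days, the exposure weighting and the sample findings (with placeholder CVE identifiers) are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date

# Remediation deadline in days per severity. Assumed policy values, not from the article.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Weight of one open finding in an asset's priority score. Assumed values.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 1, "low": 0.2}


@dataclass
class Finding:
    """One row as an automated scanner would report it (constructed schema)."""
    asset: str
    cve: str                # placeholder identifiers below, not real CVEs
    cvss: float             # CVSS base score reported by the scanner
    internet_facing: bool   # part of the exposed attack surface?
    first_seen: date        # first date the scanner reported the finding
    status: str             # "open" or "fixed"


def severity_from_cvss(score: float) -> str:
    """Map a CVSS base score to the qualitative rating bands."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def triage(findings, today):
    """Aggregate open findings per asset and build the two work lists.

    pentest_queue: assets with at least one open high/critical finding,
                   ordered by a weighted score (exposed assets count double),
                   i.e. the candidates worth a seasoned specialist's time.
    overdue:       open findings that have passed their severity's SLA,
                   with the number of days they are over.
    """
    per_asset = {}
    overdue = []
    for f in findings:
        if f.status != "open":
            continue  # fixed findings drop out of the risk map
        sev = severity_from_cvss(f.cvss)
        age = (today - f.first_seen).days
        if age > SLA_DAYS[sev]:
            overdue.append((f.asset, f.cve, sev, age - SLA_DAYS[sev]))
        entry = per_asset.setdefault(f.asset, {"score": 0.0, "high_or_critical": 0})
        weight = SEVERITY_WEIGHT[sev] * (2 if f.internet_facing else 1)
        entry["score"] += weight
        if sev in ("critical", "high"):
            entry["high_or_critical"] += 1
    queue = [
        (name, round(data["score"], 1), data["high_or_critical"])
        for name, data in per_asset.items()
        if data["high_or_critical"] > 0
    ]
    queue.sort(key=lambda item: item[1], reverse=True)
    return {"pentest_queue": queue, "overdue": overdue}


# Constructed sample scanner output; CVE ids are placeholders.
TODAY = date(2025, 7, 1)
SAMPLE_FINDINGS = [
    Finding("web-portal", "CVE-XXXX-0001", 9.8, True, date(2025, 6, 20), "open"),
    Finding("web-portal", "CVE-XXXX-0002", 5.3, True, date(2025, 1, 15), "open"),
    Finding("hr-db", "CVE-XXXX-0003", 7.5, False, date(2025, 6, 10), "open"),
    Finding("hr-db", "CVE-XXXX-0004", 8.1, False, date(2025, 5, 1), "fixed"),
    Finding("printer-01", "CVE-XXXX-0005", 3.1, False, date(2024, 1, 1), "open"),
]


def main():
    result = triage(SAMPLE_FINDINGS, TODAY)
    print("Assets to queue for a manual Pentest (asset, score, high/critical count):")
    for row in result["pentest_queue"]:
        print("  ", row)
    print("Findings past their remediation SLA (asset, cve, severity, days over):")
    for row in result["overdue"]:
        print("  ", row)


if __name__ == "__main__":
    main()
```

Running it on the sample data puts the internet-facing portal at the top of the Pentest queue, keeps the low-severity printer finding out of that queue entirely, and still surfaces that same printer finding as overdue, which is exactly the medium/low backlog the article warns goes unresolved for years when nobody tracks it.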

And it doesn’t end there…

In Cyber Security, there’s always room to go a step further or make an extra effort. An organisation with the above procedures well established and validated may be considered to have a high level of Cyber Security maturity. But there’s still one crucial test left: the one that evaluates the entire defence system.

A red team exercise simulates real attacks to measure an organisation’s true ability to detect, respond and defend.

Known as a red team exercise, this test puts Cyber Security teams—and the entire organisation—through the motions of a real incident, without the actual consequences. Its goal is to validate an organisation’s defence capabilities against a simulated attack that mirrors the tactics and techniques used by known cybercriminal groups.

This type of testing evaluates the response of defence and monitoring teams and brings a practical, not just theoretical, dimension to vulnerability management. It helps assess detection levels, monitoring effectiveness and readiness to respond to incidents.

Skilled professionals must go beyond detection, exploiting vulnerabilities to reveal real threats that only human expertise can uncover.
