Top 22 Penetration Testing Tools – 2023

Cybersecurity professionals rely on an array of tools when conducting penetration tests. They’ll use open-source tools such as Nmap, W3af, and John the Ripper to scan networks and search for vulnerabilities, such as weak passwords, outdated software, and misconfigured hardware.

In a typical penetration test, these testers will use the information their automated tools uncover to then manually test the system, launching simulated attacks and documenting the results.

In addition to open-source tools, many companies offer paid software and services to aid in penetration testing. We’ll cover both free and paid options below, as we survey the top 22 pen testing tools.

Free & Open-Source Tools

1. Nmap

Nmap is a network mapping tool that allows pen testers to scan ports, identify operating systems, and create service and device inventories. The tool works by sending packets designed for various transport layer protocols and retrieving IP addresses and information on firewalls, packet filters, and more. That data supports OS fingerprinting, security auditing, and host and service discovery. Additionally, it allows network security professionals to inventory network-connected OSs, devices, and applications to find potential vulnerabilities.

Nmap also aids in non-security tasks, such as upgrade scheduling and uptime monitoring for hosts and services.

Key Features:

  • Scans 1,000 widely-used ports for each type of network protocol
  • Assists with network mapping and port scanning during manual penetration tests
  • Retrieves IP addresses, OSs, software versions, and other critical asset details


  • Compatible with Linux, Windows, and macOS
  • Can map large networks featuring thousands of ports
  • Is broadly considered a go-to network penetration testing tool
  • Free-to-use and open source


  • Requires technical expertise to use effectively
  • False positives are possible

Get NMap

2. Kali Linux

Kali Linux is a Debian-based variant of the Linux operating system (OS) that was explicitly designed for penetration testing, digital forensics, and similar activities. The OS includes pre-installed security tools, including popular ones like Metasploit, John the Ripper, Wireshark, and many others, effectively compiling them into a single platform. These tools are divided into categories, such as information gathering, vulnerability analysis, and exploitation tools.

The Kali Linux OS can be customized down to the kernel to fit a company’s explicit needs, without incurring any licensing issues.

Key Features:

  • Includes more than 600 penetration testing tools
  • FHS compliant
  • Wireless device support
  • Live USB boot
  • Ability to create software versions for specific testing situations
  • Automatic tool optimization for various use cases


  • Combines a wide array of pen testing tools into a single platform
  • Multilanguage support
  • Free-to-use and open-source


  • Steep learning curve

Get Kali Linux

3. w3af

W3af is a web application audit and attack framework that sends specially crafted HTTP requests to the target application to see if it’s vulnerable. The tool is divided into two main components: the core coordinates the process, and individual plugins identify and exploit vulnerabilities. These plugins are separated into multiple sections, such as discovery, audit, and brute force, making it easier to find the capabilities you need for specific scenarios.

There are execution options within w3af as well, allowing testers to not just find vulnerabilities but to attempt to exploit them manually or through automation using provided tools. W3af offers both a GUI and a command-line interface.

Key Features:

  • Identifies over 200 vulnerabilities
  • Offers GUI and command line interfaces
  • Both manual and automated pen testing capabilities
  • Uploading and downloading files to databases


  • Determines database schemas automatically
  • Compatible with multiple Oss
  • Free-to-use and open-source


  • False positives can occur
  • GUI isn’t incredibly intuitive

Get w3af

4. sqlmap

sqlmap uses automation to identify threats that leave databases vulnerable to SQL injections. sqlmap supports six different SQL injection techniques, including error-based, out-of-band, Boolean-based, UNION-query-based, stacked queries, and time-based blind. It supports a wide array of servers, including MySQL, SQLite, Microsoft SQL Server, IBM DB2, Microsoft Access, and many others.

sqlmap’s automated toolset makes it relatively easy to identify vulnerabilities for testing purposes, and enables users to then transition to manual exploitation techniques as the test scenario demands.

Key Features:

  • Supports six SQL injection techniques
  • Works with dozens of database servers
  • Automatic password hash format recognition and dictionary-based cracking
  • Uploading and downloading files to databases


  • Compatible with Linux and Windows
  • Password cracking features
  • Free-to-use and open source


  • False positives can occur
  • No GUI

Get sqlmap

5. John the Ripper

John the Ripper is a password-cracking tool that’s typically used to identify weak passwords or subpar password policies that put company assets at risk. It supports a wide array of hash and cipher types, numbering in the hundreds, and it’s compatible with fifteen different platforms. Additionally, the tool is able to run dictionary and brute-force attacks and offers several testing modes, including single crack, wordlist, and incremental.

There are two versions of John the Ripper available. First, you have the GNU-licensed one, which is free and open source. With John the Ripper Pro, you get additional features – such as performance optimization, multilingual wordlists, and 64-bit architecture support – and while this version comes with a price tag, it’s pretty low, ranging from $39.95 to $185.00 depending on the upgrade and support level.

Key Features:

  • Offline password cracking tool
  • Supports dictionary and brute-force attacks
  • Automatic password hash format recognition
  • Compatible with Windows and Unix-based systems (including Mac)
  • Built-in common password list featuring passwords in 20+ languages


  • Can automatically use all three cracking modes sequentially if a single one isn’t specified
  • Modules are available to create compatibility with MySQL, LDAP, and more
  • Can crack multi-encrypted formats
  • Automatic multithread detection
  • Free-to-use and open-source version, with low-cost Pro options


  • Setup is cumbersome
  • No GUI

Get John the Ripper

6. Wireshark

Wireshark is a protocol and vulnerability analysis tool that analyzes packets and network protocols to assess network environments and activity. It essentially allows pen testers to get a granular understanding of how traffic passes across a network, allowing them to identify connection issues or find weaknesses that are potentially exploitable.

When assessing real-time data, Wireshark offers filtering capabilities to allow pen testers to focus on specific types of information. Additionally, there are visualization tools to simplify reviewing network streams.

Key Features:

  • Real-time vulnerability analysis
  • Packet filtering, sorting, and grouping
  • Exports in several formats, including XML, CSV, PostScript, and plain text
  • Reads data over Ethernet, 802.11, USB, and more


  • In-depth network traffic analysis
  • Packet identification with color-coding for simple viewing
  • Compatible with Windows, Linux, MacOS, and Fedora
  • Free-to-use and open source


  • May struggle with encrypted traffic
  • Requires libraries to run
  • Works for analysis but doesn’t offer intrusion detection

Get Wireshark

7. Hashcat

Hashcat is an advanced password recovery tool that functions as a cracker, and it can manipulate hash keys generated by over 350 hash types, including SHA, NTMLv1, NTMLv2, MD5, and many more. Essentially, it takes readable data and converts it to a hashed state. Then, it uses brute force, dictionaries, rainbow tables, and more to find matches, and that information allows it to crack passwords.

Typically, Hashcat is used to find weak passwords within a system. But it’s also capable of cracking more complex passwords, making it useful for finding shortcomings in password policies. Based on what Hashcat findings, companies may determine their password requirements need to be strengthened to guard against password attacks.

Key Features:

  • Can navigate 350+ hash types
  • Cracks multiple hashes simultaneously
  • Automatic performance tuning
  • Harnesses GPU power to accelerate the process
  • Multiple attack types, including dictionary, combinator, brute force, mask, and rule-based


  • Compatible with multiple OSs, including Windows, Linux, and macOS
  • Frequently updated
  • Potentially the fastest password cracker available (based on creator claims)
  • Free-to-use and open source


  • Need to retrieve password hash before using Hashcat

Get Hashcat

8. Zed Attack Proxy

Zed Attack Proxy – also known as ZAP – allows pen testers to conduct man-in-the-middle attacks to inspect and modify traffic between a browser and a website. In turn, ZAP reveals web application vulnerabilities. It was created and is maintained by the Open Worldwide Application Security Project (OWASP), and ZAP can help organizations comply with the OWASP Application Security Verification Standard (ASVS).

ZAP is also continuously evolving, and OWASP solicits feedback from its user community to identify areas for potential improvement. As a result, pen testers end up steering the direction of the tool over time, as they give the company insights into the boots-on-the-ground level experience.

Key Features:

  • Web application vulnerability detection
  • Passive scanning
  • Automated scanning
  • Port identification
  • Maintained by OWASP
  • Available in 29 languages


  • User-friendly interface
  • Compatible with Windows, Linux, and Mac
  • Free-to-use and open source


  • Configuration is somewhat complex
  • May require plugins for specific features


9. Aircrack-ng

Aircrack-ng is a suite of Wi-Fi network security testing tools. It covers four key areas. First, there’s monitoring, which handles packet capturing and data exporting for further processing. Next, there are attack-oriented features, including packet injection tools. After that, you have testing capabilities that allow you to check card and driver capabilities, as well as a capable cracking tool.

With Aircrack-ng, you can crack a variety of security standards, including WEP, WPA-PSK, and WPA2-PSK. Generally, it relies on brute-force techniques that focus on known passwords, but other testing methods are also supported through the suite.

Key Features:

  • Multiple methods for cracking passwords, including brute force, dictionary, and WPS
  • Comprehensive tool suite to cover all Wi-Fi testing bases
  • Capable of recovering 40-, 104-, 256-, and 512-bit WEP keys


  • Command line-based use is straightforward
  • Compatible with multiple OSs


  • No GUI, relies strictly on command line interfaces
  • Takes up a lot of system resources when in use

Get Aircrack-ng

10. BeEF

BeEF – which stands for Browser Exploitation Framework – is a web browser scanner that allows pen testers to launch client-side attacks by leveraging the browser. Essentially, it assesses the security positioning of the browser and identifies weaknesses. Then, once it hooks a browser – which involves getting the victim to run a file named hook.js on their browser, a step that usually requires steering the person to a website that contains the file – it’s capable of executing exploits and injecting payloads.

Because BeEF involves a degree of social engineering, the testing process can alert companies to employee-level security issues and clarify the need for cybersecurity training to protect against social engineering attacks.

Key Features:

  • Web browser vulnerability testing
  • Browser-based attack simulations, such as clickjacking and tab nabbing
  • Phishing simulations


  • Metasploit integration
  • User-friendly setup and interface
  • Free-to-use and open source


  • JavaScript must be enabled on target browsers for the tool to work

Get BeEF

11. Nikto2

Nikto2 is a comprehensive web server scanning tool that checks for dangerous files and programs, identifies outdated server versions, and locates configuration errors. It can conduct version checks on over 1,200 server types and can identify over 6,700 known vulnerabilities. The tool also offers SSL certificate scanning, and it supports proxies, IDS evasion, and host authentication.

Nikto2 offers reports in HTML or plain text. Additionally, there are scan targeting options to narrow tests to specific areas. Plugins are also available to extend its capabilities.

Key Features:

  • Identifies more than 6,700 dangerous programs and files
  • Finds configuration errors
  • Identifies outdated server versions
  • Username guessing and dictionary attack capabilities


  • Can assess the effectiveness of intrusion detection systems (IDSs)
  • Customizable report templates
  • Easy to update
  • Free-to-use and open source


  • False positives are relatively common
  • Longer runtimes

Get Nikto2

12. Metasploit

Metasploit is a framework for detecting vulnerabilities, featuring more than 1,600 known exploits and nearly 500 payloads. Once flaws in a system are detected, the tool can document them, giving pen testers valuable information and assisting security professionals with addressing risks.

As an open-source tool, pen testers have the ability to customize Metasploit and any code used in testing to meet their needs, though they can also take advantage of prebuilt code. Metasploit supports more than 25 platforms, too, including Android, Java, PHP, Python, and many others.

Key Features:

  • Extensive database of known exploits
  • Comprehensive reporting options
  • Multiple payload types, including command shell, dynamic, meterpreter, and static
  • Works for network, server, and web application testing


  • Integrates with a variety of other pen testing tools, including Nmap
  • Automation capabilities
  • User-friendly interface
  • Compatible with Unix, Linux, Windows, and macOS
  • Community support from developers
  • Free-to-use and open source


  • High learning curve
  • Usable programming languages for creating payloads are limited

Get Metasploit

13. Ettercap

Ettercap is a web security tool that primarily assists with man-in-the-middle attacks, capturing packets and writing them back onto the network. DNS spoofing and denial of service (DoS) attacks can also be launched using the tool, allowing you to target specific devices on your network. It also provides real-time data analysis, both for protocols and network traffic.

Key Features:

  • Man-in-the-middle attack simulations
  • Credentials capturing
  • DNS spoofing
  • DoS attack simulation


  • GUI and command line interfaces
  • Compatible with Debian/Ubuntu, Fedora, macOS, OpenBSD, and more
  • Free-to-use and open source


  • No Windows support

Get Ettercap

Paid Penetration Testing Tools and Services

14. Core Impact

Core Impact is a penetration testing platform that leverages automation to simulate attacks on network infrastructure, web applications, endpoints, and more. It also comes with a comprehensive exploit library that’s regularly updated, as well as automated reporting options to capture critical information for remediation as vulnerabilities are identified. Automated retesting to confirm if remediation efforts were successful is also part of the platform.

Core Impact also offers access to pen testing professionals known as Core Agents, who can handle the technical side of the pen test.

Key Features:

  • Real-time mapping and reporting during attack testing
  • Automated test configurations
  • Multi-tester sessions with data sharing and task delegation features
  • Automate remediation validation and retesting
  • Compliance-oriented reporting for regulations like GDPR, HIPAA, and PCI DSS


  • Intuitive interface
  • Automation for simplicity
  • Comprehensive exploit library
  • Free trial available


  • Expensive
  • Limited reporting features


  • Basic: $9,450/user/year
  • Pro: $12,600/user/year
  • Enterprise: Quotes available on request

Visit Core Impact

15. Intruder

Intruder is an online vulnerability scanner that can assess vulnerabilities across servers, cloud systems, endpoints, and websites. During the analysis, you can learn about misconfigurations, encryption weaknesses, known bugs, and missing patches. Intruder also offers ongoing, automatic surface monitoring and reporting to secure your environment against new threats.

Alongside automated scanning, Intruder also has a team of certified professionals who can conduct manual penetration testing or help manage vulnerability scanning. They can assist with extending your coverage, reducing time-to-fix, and triaging identified vulnerabilities to ensure the focus is on the highest-risk issues.

Key Features:

  • Multi-surface vulnerability scanning
  • Ongoing surface monitoring
  • Automatic report generation
  • Penetration testing support from experts


  • Integrates with a range of platforms, including Microsoft Azure, AWS, Jira, Slack, and more
  • Over 11,000 security checks
  • Risk-level warnings
  • Free trial available


  • Reports could offer more detail

Pricing: Variable, based on the number of applications, number of infrastructure targets, and selected service level

Visit Intruder

16. Astra

Astra is a comprehensive penetrating testing platform and SaaS tool that covers web applications, cloud infrastructures, mobile applications, and APIs. The full suite includes a vulnerability scanner that addresses OWASP top 10 and SANS 25 vulnerabilities, as well as tools for manual pen testing. Any scan results are reviewed by experts, leading to zero false positives. The scanner is also regularly updated and can operate continuously, ensuring you’re alerted to issues associated with new vulnerabilities.

From the vulnerability management dashboard, you can review scanning and remediation details with ease. Plus, you can set up penetration tests run by the company’s experts, giving you access to pen testers if you don’t have them available. When vulnerabilities are discovered, Astra also provides step-by-step remediation instructions.

Key Features:

  • Continuous vulnerability scans
  • Manual penetration tools for web, mobile, cloud, and APIs
  • Vulnerability management dashboard
  • Penetration testing by experts
  • Assists with PCI-DSS, ISO27001, HIPAA, and SOC2 compliance


  • Scanner rules are updated weekly
  • Collaboration features that allow in-house personnel to consult with experts
  • Compliance-specific scanning
  • Login tools to limit the need for reauthorization during lengthy scans


  • No free trial
  • Limited integrations

Pricing: $199/month

Visit Astra

17. Acunetix

Acunetix is a web application vulnerability scanner that searches for more than 7,000 vulnerabilities. It also aids in prioritization, making it easier to focus remediation on areas that pose the greatest risk. False positives are minimal, which increases testing efficiency. It also offers cloud-based and on-premise deployments.

Acunetix also emphasizes speed, promising that you’ll receive 90% of your results before the scan is halfway finished.

Key Features:

  • Detects over 7,000 website vulnerabilities
  • Flexible API to support integrations
  • IAST vulnerability testing
  • Out-of-band vulnerability testing
  • Web asset discovery
  • Continuous scanning available


  • Unlimited scans
  • Detailed reporting
  • Compliance reporting available on higher-tier plans
  • Unlimited users
  • Highly scalable
  • Free demo available


  • User interface feels dated

Pricing: Quotes available on request

Visit Acunetix

18. Burp Suite

Burp Suite is a comprehensive set of penetration testing tools that allow you to identify and exploit vulnerabilities. It supports both automated and manual testing, includes a decoder for analyzing encrypted network traffic, and supports man-in-the-middle attack simulations.

The results of automated tests through Burp Suite are automatically recorded, making them easier to review. The provided web crawler also helps with application mapping, inventorying endpoints, monitoring functionality, and identifying vulnerabilities.

Another benefit of Burp Suite is access to hundreds of BApp extensions if you get the Pro version. Additionally, the API allows you to access core functionality in the suite, giving you a chance to create your own extensions or integrate the solution with other tools.

Key Features:

  • Automated dynamic scanning
  • Manual testing tools
  • Custom extension creation
  • Custom scan configurations
  • JavaScript-heavy SPA and API scanning
  • API for integrations


  • Multiple service tiers are available
  • Frequent updates to catch new vulnerabilities
  • Built-in recording features
  • Robust reporting
  • Minimal false positives


  • Free service tiers offer highly limited functionality


  • Dastardly: Free
  • Community Edition: Free
  • Professional: $499 per year (free trial available)
  • Enterprise Pay as you scan: $1,999 per year + $9 per scan hour
  • Enterprise Classic: $17,380 per year
  • Enterprise Unlimited: $49,999 per year

Visit Burp Suite

19. Invicti

Invicti is a web application vulnerability scanner that uses a Chrome-based crawler to identify risks in HTML5 websites, dynamic web applications, and more. The provided tools also help with asset discovery and detection, database security auditing, and framework vulnerability identification. Automated testing capabilities are a core part of the platform, and everything is highly configurable.

Any identified vulnerabilities are also automatically exploited when conducting tests with Invicti, but it uses a read-only format to ensure safety while confirming identified issues. Invicti is available as a cloud-based or on-premise solution.

Key Features:

  • Comprehensive vulnerability scanning
  • Out-of-date technology identification
  • Automated application security testing
  • Web asset discovery
  • Dynamic + interactive scanning
  • Remediation tracking
  • Automatic report generation
  • OWASP, PCI, and HIPAA reports


  • Unlimited users with built-in permission controls
  • Two-way integration options
  • Continuous scanning
  • Proof-based scanning to reduce false positives
  • User-friendly interface


  • No published pricing
  • URL-restricted licensing

Pricing: Quotes available on request

Visit Invicti

20. Cobalt

Cobalt is a platform that helps match businesses with qualified penetration testers. It offers real-time collaboration features, aggregate data viewing, and dynamic reporting. The platform also works with a variety of assets, including web applications, APIs, network infrastructures, cloud services, and more.

Cobalt’s global talent marketplace helps find pen testers with the specific skills needed to address your company’s tech stack. Every member is vetted to ensure their capabilities, and direct collaboration tools allow you to remain in control as the work unfolds.

Key Features:

  • Multi-surface penetration testing
  • Automated testing
  • Full testing lifecycle
  • Real-time insights
  • Comprehensive reporting
  • Multiple integrations


  • Shortened pen testing timelines
  • Accelerated find-to-fix
  • Access to on-demand experts
  • Assists with PCI-DSS, SOC2, CREST, and HIPAA compliance
  • Retesting for remediation confirmation


  • False positives can occur

Pricing: Quotes available on request

Visit Cobalt

21. Tenable Nessus

Tenable Nessus is a vulnerability assessment tool that harnesses automation to simplify testing. It’s designed to help organizations go beyond their traditional IT assets, focusing more on internet-connected attack surfaces and cloud infrastructure. It covers more than 77,000 common vulnerabilities and exposures (CVEs) and offers over 188,000 plugins.

Nessus can schedule security audits in advance. It also enables users to perform security tests and simulate attacks in a contained environment.

Key Features:

  • Configuration assessments
  • External attack surface scanning
  • Cloud infrastructure scanning
  • Prebuilt scanning policies
  • Customizable reports


  • Unlimited assessments
  • Real-time results
  • Community support included
  • Low false positives


  • Advanced support costs extra
  • Certain features only available on the Expert tier


  • Professional: $3,390 per year
  • Expert: $4,990 per year

Visit Tenable

22. Detectify

Detectify is an attack surface management tool that provides continuous discovery and monitoring across all internet-connected assets. Additionally, it has application scanning features to vulnerability identification in custom-built applications, relying on advanced crawling and fuzzing.

The testing is 100% payload based, reducing the need for validation and leading to greater assessment accuracy. The solution also has built-in collaboration tools for convenience.

Key Features:

  • Automated testing
  • Continuous discovery and monitoring
  • Vulnerability notifications
  • API for integrations
  • New security tests are released daily


  • Cloud-based platform
  • Easy configuration
  • Detailed reporting
  • 99.7% accuracy rate
  • 2-week free trial is available


  • External attack surface only

Pricing: Varies depending on the size of the attack surface and the number of assets

Visit Detectify

For more information, see our guide to the top penetration testing services.

About the Author

Find Catherine on Firewall Times

Catherine Reed

Catherine Reed is a writer and researcher with experience writing about a wide variety of topics including personal finance, technology, and staffing.