Automation vs. Manual Testing.
Where automation earns its keep, where it misses by design, and the seams where a human reviewer must take over — paired against the manual techniques that resist tooling.
Where automation earns its keep
- Directory + parameter fuzzing. ffuf against a quality wordlist surfaces 80% of forgotten endpoints in minutes. Humans cannot beat this volumetrically.
- Reflected XSS in clearly tainted params. Dalfox or Burp Active Scan finds the obvious sinks. Tag-and-attribute reflection patterns are well-covered.
- Classic SQLi in URL/POST params. sqlmap against a parameter that the developer didn't bind correctly. Time-based and union-based are both well-handled.
- Known-CVE checks. nuclei against a fingerprinted stack. Templates encode the exact request shape; minimal tester time per finding.
- Response-shape diffing. Send 50 payloads, compare response sizes/codes/headers, sort by deviation. Surfaces inconsistencies a human eye would miss.
- TLS posture checks. testssl.sh, sslyze. Mechanical and complete.
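Response-shape diffing from the list above, as an added example that is not part of the original note: each probe response is reduced to status, body size and header names, scored against a clean baseline, and sorted so the most anomalous responses land at the top of the triage list. The Response records, the weights and the sample data are constructed assumptions, not captured traffic.

```python
"""Rank probe responses by how far their shape departs from a baseline.

Added illustration, not code from the original note. The records below are
constructed sample data; a real run would fill them from an HTTP client.
"""
from dataclasses import dataclass, field


@dataclass
class Response:
    label: str                      # which probe produced this response
    status: int
    size: int                       # body length in bytes
    headers: frozenset = field(default_factory=frozenset)  # header names only


def deviation(baseline: Response, other: Response) -> float:
    """Score how far `other` departs from `baseline`; 0.0 means same shape.

    Weights are an assumption: a changed status code or a new/missing header
    usually matters more than a small body-size wobble, so those count extra.
    """
    score = 0.0
    if other.status != baseline.status:
        score += 10.0
    # Relative size change, so a 50-byte wobble on a 50 KB page stays small.
    score += abs(other.size - baseline.size) / max(baseline.size, 1)
    # Headers present on one side only (e.g. an error page adding x-debug).
    score += 2.0 * len(baseline.headers ^ other.headers)
    return round(score, 3)


def rank_by_deviation(baseline: Response, responses: list) -> list:
    """Return (label, score) pairs, most anomalous first; ties keep order."""
    scored = [(r.label, deviation(baseline, r)) for r in responses]
    return sorted(scored, key=lambda pair: -pair[1])


# Constructed sample: one clean baseline and five probe responses.
COMMON = frozenset({"content-type", "date", "server"})
BASELINE = Response("baseline", 200, 4096, COMMON)
SAMPLE = [
    Response("probe-01", 200, 4100, COMMON),                # noise: tiny size change
    Response("probe-02", 200, 4096, COMMON),                # identical shape
    Response("probe-03", 500, 612, COMMON | {"x-debug"}),   # error page + debug header
    Response("probe-04", 200, 8192, COMMON),                # body doubled in size
    Response("probe-05", 302, 0, COMMON | {"location"}),    # redirect instead of page
]

if __name__ == "__main__":
    for label, score in rank_by_deviation(BASELINE, SAMPLE):
        print(f"{label}  deviation={score}")
```

The two responses that changed status code and grew a header rank first; the identical and near-identical ones sink to the bottom, which is the noise a tester skips.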
Where automation goes silent
- Business logic. The attack is a legitimate sequence of legitimate calls — discount stacking, race-condition double-spend, multi-step authorization checks. No fuzzer reconstructs intent.
- Authorization across pages and roles. User A creates resource, User B retrieves via guessed ID. Scanner runs as User A only and never sees the gap.
- Stored XSS where source and sink are decoupled. Attacker submits form A, payload renders on admin dashboard B. Dynamic scanner never crosses the surface boundary.
- Authentication-state coupling. Action requires state X set by prior action Y. Scanner replays in isolation and gets a 400 instead of the vulnerable path.
- Logic-based IDOR. ID is a UUID, not enumerable. Manual analysis needed to recognize that the UUID is exposed in a sibling endpoint's response.
- Authentication bypass via parser confusion. Trailing newline, unicode normalization, JSON parsing differences between auth layer and app layer. Requires hypothesis-driven testing.
Allocation rule
- Day 1. Run all automation in parallel while you walk the application manually. Both inputs feed day 2.
- Day 2–N. Manual testing on the surfaces automation can't reach. Use automation output as a triage map, not as findings.
- Last day. Re-run automation against any changes the team made during testing. Confirms regressions in real time, before the report.
Rule of thumb: If 80% of the findings in a report came from automated scanner output, the engagement underdelivered. The unique value of a human tester is exactly the findings automation cannot reach. Bill accordingly.