v. Splicer

From Recon to Report: Automating the Boring Parts of Pentesting

I've done more penetration tests than I can count. Thousands. Maybe tens of thousands at this point. I've lost track. And if there's one thing I've learned from all those hours staring at terminals, it's this.

The hacking part is fun. The reporting part is a special kind of torture.

And everything in between? The recon. The enumeration. The screenshots. The ticket writing. The repetitive, soul-crushing, mind-numbing busywork that eats up 70 percent of your engagement?

That's the part that's killing pentesters. Not the WAFs. Not the EDR. The boring stuff.

So let's talk about automating it. All of it.

The Real Problem Nobody Talks About

Here's what the bug bounty bros and the red team influencers won't tell you. They post the cool stuff. The pwn. The chain. The reverse shell. The domain admin screenshot that gets a thousand likes on Twitter.

They don't post the four hours they spent manually mapping subdomains. They don't post the spreadsheet they built to track 200 findings across three scopes. They don't post the report they wrote at 2 AM that their client barely read.

That's the part no one glorifies. And it's the part that makes senior pentesters quit the game.

I watched it happen to people I respected. Brilliant hackers. People who could find a logic flaw in an OAuth flow in their sleep. They burned out. Not because the work got harder. Because the work got boring. The same recon steps. The same report templates. The same copy-paste findings over and over again.

So they left. Went to Google. Went to management. Went to do something where the paycheck didn't depend on how many hours they spent running Amass manually.

I get it. I almost did the same thing in 2016.

What Should Actually Be Automated

Let me be specific. Because "automate everything" is lazy advice. You need to know what's worth automating and what's not.

Recon and enumeration. This is the low-hanging fruit. If you're still manually running individual tools and copying output between terminals, you're wasting your life. I use a pipeline I built years ago. It chains together subdomain enumeration, port scanning, service detection, screenshotting, and initial vulnerability scanning into one workflow. I kick it off, go make coffee, come back, and I have a structured data set to work with.

Tools like Nuclei, Naabu, HTTPx, and a few custom scripts I wrote do 90 percent of what I used to do by hand. The other 10 percent still requires a human brain. And that's fine. That's the part you want to keep manual.

Evidence collection. Screenshots. Curl commands. Response headers. Proof of concept payloads. All of it should be captured automatically. I use a combination of projectdiscovery tools and custom Python scripts that tag every finding with the exact request and response that proves it. No more "I think I saw this" energy. The evidence is there. Clean. Timestamped. Reproducible.

Report generation. This is the one that changed my life. I stopped writing reports from scratch years ago. Now I use templated markdown files that pull from a structured JSON output of all my findings. The tool fills in the severity, the CVE reference, the remediation steps, the affected asset. I review it. I add the narrative. I add the context that makes a client actually care. But I don't start from a blank page anymore.

That alone saved me probably 200 hours last year.

Ticket management. If you're tracking findings in a spreadsheet, stop. Use a database. Use a tool. Something that lets you query, filter, deduplicate, and export without manually formatting cells. I use a lightweight SQLite setup that feeds directly into my report generator. It's ugly. It works. I don't care what it looks like.

What You Should NOT Automate

Okay. Here's where I push back on the automation bros.

Don't automate the thinking. Recon tools will find subdomains. They won't tell you which one is interesting. Vulnerability scanners will flag a misconfiguration. They won't tell you if it's actually exploitable in your specific context. That judgment call? That's your job. That's the part that makes you worth what you charge.

I've seen junior pentesters run an automation suite, get 500 findings, and send the client a report that's 90 percent noise. The client ignored it. The engagement was a waste. Not because the tools were bad. Because there was no human filtering the output.

Automation without intelligence is just noise at scale.

Don't automate the client relationship. The call where you explain the critical finding. The email where you contextualize the risk. The follow-up where you check if they actually patched it. That stuff matters. A robot can't do that. Not yet. And honestly, I hope it never fully can.

Don't automate creativity. The weird edge case. The business logic flaw that no scanner will ever find. The parameter tampering that only works because you understood how the application actually works. That's art. You can't script art.

The Stack I Actually Use

Since you're going to ask, here's what my current pipeline looks like. Nothing fancy. Nothing that requires a $50K budget.

Recon starts with a bash script I call the launcher. It fires off subfinder, amass, assetfinder, and dnsx in parallel. Output gets merged, deduplicated, and fed into httpx for live probing. Anything that responds gets screenshotted with eyewitness and queued for nuclei scanning.
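The merge-and-deduplicate step between the enumeration tools and httpx is where scope discipline lives: raw tool output mixes case, trailing dots, full URLs and wildcard records, and anything out of scope must be dropped before it reaches a scanner. The following Python is an added example, not the author's launcher script. It assumes each tool wrote one hostname per line to its own file; the tool names, the sample lines and the scope list are constructed. It generalises the text slightly by also recording which tools found each host, which is useful when triaging why an asset showed up.

```python
"""Merge subdomain enumeration output and enforce scope before live probing.

Added example, not the author's launcher script. Assumes each tool wrote one
hostname per line; the tool names, the sample lines and the scope below are
constructed for the demonstration.
"""
import re
from collections import defaultdict
from typing import Optional

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen, max 63 chars.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_host(raw: str) -> Optional[str]:
    """Lower-case and strip scheme, port, path and trailing dot; None for junk or wildcards."""
    host = raw.strip().lower()
    if not host or host.startswith("#"):
        return None
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host)  # "https://x" -> "x"
    host = host.split("/", 1)[0].split(":", 1)[0]      # drop path, then port
    host = host.rstrip(".")
    if host.startswith("*."):                          # wildcard records are not probe targets
        return None
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return None
    return host


def in_scope(host: str, scope: set) -> bool:
    """Match on a label boundary: 'notexample.com' must not pass for scope 'example.com'."""
    return any(host == apex or host.endswith("." + apex) for apex in scope)


def merge_enumeration(tool_outputs: dict, scope: set):
    """Return (sorted in-scope hosts, {host: [tools that found it]}, sorted out-of-scope hosts)."""
    sources = defaultdict(set)
    out_of_scope = set()
    for tool, lines in tool_outputs.items():
        for line in lines:
            host = normalize_host(line)
            if host is None:
                continue
            if in_scope(host, scope):
                sources[host].add(tool)
            else:
                out_of_scope.add(host)   # kept for review, never forwarded to the scanners
    return sorted(sources), {h: sorted(t) for h, t in sources.items()}, sorted(out_of_scope)


# Constructed sample output: mixed case, trailing dot, URL form and wildcard are the
# kinds of variation the raw tool files actually contain.
SCOPE = {"example.com"}
SAMPLE_OUTPUT = {
    "subfinder": ["api.example.com", "Dev.Example.com.", "*.example.com"],
    "amass": ["dev.example.com", "https://api.example.com:8443/", "mail.example.org"],
    "assetfinder": ["api.example.com", "not a host", "cdn.notexample.com"],
}


def demo():
    """Run the merge on the constructed sample; the target list is what httpx would receive."""
    return merge_enumeration(SAMPLE_OUTPUT, SCOPE)


if __name__ == "__main__":
    targets, found_by, dropped = demo()
    print("\n".join(targets))           # one host per line, ready for httpx's list input
    print("dropped (out of scope):", dropped)
```

The scope check deliberately matches on a dot boundary rather than a bare suffix; a suffix check would let `cdn.notexample.com` through for a scope of `example.com`, which is exactly the kind of out-of-scope host you do not want a scanner touching. Out-of-scope hosts are returned rather than silently discarded so they can be reviewed for a scope-expansion conversation with the client.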

Vulnerability scanning runs in two passes. First pass is broad. Nuclei with a curated template set. Second pass is targeted. Custom nuclei templates I wrote for the specific tech stack. Both feeds go into a SQLite database.

The report generator pulls from that database. It's a Python script that takes the JSON output and spits out a markdown file with sections for executive summary, technical findings, and remediation. I edit it. I add the story. But the skeleton is done in minutes, not hours.
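Here is the shape of that database-to-markdown step, written as an added example rather than the author's generator; it also covers the report-generation and SQLite ticket-store paragraphs from the previous section (findings from two scan passes collapse onto one row, each row carries the request/response that proves it, and the report skeleton is rendered from the rows). The record layout follows the field names of nuclei's JSONL export as I know them ("template-id", "info", "host", "matched-at", "request", "response", "timestamp"); the template ids, the sample records, the client name and the remediation text are constructed.

```python
"""Findings store in SQLite plus a markdown report skeleton. Added example, not the
author's generator. Record keys follow nuclei's JSONL export as I know it ("template-id",
"info", "host", "matched-at", "request", "response", "timestamp"); template ids, records,
client name and remediation text are constructed."""
import sqlite3
from datetime import datetime, timezone
from hashlib import sha256
from typing import Iterable

SEVERITY_ORDER = ["critical", "high", "medium", "low", "info"]
SCHEMA = """CREATE TABLE IF NOT EXISTS findings (
    fid TEXT PRIMARY KEY,            -- sha256(template|host|matched_at): the dedupe key
    template TEXT, name TEXT, severity TEXT, host TEXT, matched_at TEXT,
    scan_pass TEXT,                  -- 'broad' or 'targeted'
    evidence TEXT,                   -- request/response pair that proves the finding
    first_seen TEXT)"""
# Constructed remediation lookup keyed by template id; in practice it lives in the template.
REMEDIATION = {
    "exposed-git-dir": "Block /.git/ at the web server and remove the directory from the docroot.",
    "missing-security-headers": "Set HSTS, CSP and X-Content-Type-Options at the edge.",
}


def finding_id(template: str, host: str, matched_at: str) -> str:
    return sha256(f"{template}|{host}|{matched_at}".encode()).hexdigest()


def ingest(conn: sqlite3.Connection, records: Iterable[dict], scan_pass: str) -> int:
    """Insert scanner records; a finding seen in both passes lands once. Returns rows added."""
    added = 0
    for r in records:
        sev = r["info"]["severity"].lower()
        if sev not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity {sev!r} for {r['template-id']}")
        evidence = f"{r.get('request', '')}\n---\n{r.get('response', '')}"
        seen = r.get("timestamp") or datetime.now(timezone.utc).isoformat()
        cur = conn.execute("INSERT OR IGNORE INTO findings VALUES (?,?,?,?,?,?,?,?,?)",
                           (finding_id(r["template-id"], r["host"], r["matched-at"]),
                            r["template-id"], r["info"]["name"], sev, r["host"],
                            r["matched-at"], scan_pass, evidence, seen))
        added += cur.rowcount          # 0 when the row already existed
    conn.commit()
    return added


def render_report(conn: sqlite3.Connection, client: str) -> str:
    """Markdown skeleton: severity table, findings ordered by severity, remediation per finding."""
    rank = {s: i for i, s in enumerate(SEVERITY_ORDER)}
    counts = dict(conn.execute("SELECT severity, COUNT(*) FROM findings GROUP BY severity"))
    rows = sorted(conn.execute("SELECT fid, template, name, severity, host, matched_at, "
                               "scan_pass, evidence, first_seen FROM findings"),
                  key=lambda r: (rank[r[3]], r[4], r[1]))
    out = [f"# Penetration Test Report: {client}", "", "## Executive Summary", "",
           "| Severity | Count |", "|---|---|"]
    out += [f"| {s.title()} | {counts.get(s, 0)} |" for s in SEVERITY_ORDER]
    out += ["", "## Technical Findings", ""]
    for fid, template, name, sev, host, matched_at, scan_pass, evidence, seen in rows:
        out += [f"### [{sev.upper()}] {name} on {host}", "",
                f"- Affected asset: `{matched_at}`",
                f"- Template: `{template}` ({scan_pass} pass)",
                f"- First seen: {seen}", f"- Evidence ID: `{fid[:12]}`", "",
                "~~~", evidence.strip(), "~~~", "",
                "**Remediation:** " + REMEDIATION.get(template, "Analyst to complete."), ""]
    return "\n".join(out)


# Constructed scanner output: the targeted pass re-finds the broad pass's .git exposure,
# which must not become a second row in the report.
BROAD_PASS = [
    {"template-id": "missing-security-headers", "info": {"name": "Missing Security Headers", "severity": "info"},
     "host": "https://api.example.com", "matched-at": "https://api.example.com/",
     "request": "GET / HTTP/1.1\nHost: api.example.com", "response": "HTTP/1.1 200 OK\nServer: nginx",
     "timestamp": "2025-01-10T09:12:03Z"},
    {"template-id": "exposed-git-dir", "info": {"name": "Exposed .git Directory", "severity": "high"},
     "host": "https://dev.example.com", "matched-at": "https://dev.example.com/.git/HEAD",
     "request": "GET /.git/HEAD HTTP/1.1\nHost: dev.example.com", "response": "HTTP/1.1 200 OK\n\nref: refs/heads/main",
     "timestamp": "2025-01-10T09:12:40Z"},
]
TARGETED_PASS = [
    BROAD_PASS[1],
    {"template-id": "custom-debug-endpoint", "info": {"name": "Debug Endpoint Reachable", "severity": "medium"},
     "host": "https://dev.example.com", "matched-at": "https://dev.example.com/debug/vars",
     "request": "GET /debug/vars HTTP/1.1\nHost: dev.example.com", "response": "HTTP/1.1 200 OK\n\n{\"cmdline\": []}",
     "timestamp": "2025-01-10T10:01:17Z"},
]


def build_demo_report(client: str = "Example Corp (constructed)"):
    """Fresh in-memory DB, both passes ingested; returns (broad_added, targeted_added, markdown)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    broad = ingest(conn, BROAD_PASS, "broad")
    targeted = ingest(conn, TARGETED_PASS, "targeted")
    return broad, targeted, render_report(conn, client)


if __name__ == "__main__":
    print(build_demo_report()[2])
```

Three design choices carry the weight here. The primary key is a hash of template, host and matched location rather than an autoincrement id, so re-running either pass, or both, never inflates the finding count, which is the noise problem described later in the post. The evidence is stored on the same row as the finding, so every report entry cites the exact request and response that produced it and the short evidence id lets a client ask about a specific item. And severity order is fixed explicitly, so the report never ends up alphabetically sorted with "critical" and "info" as neighbours.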

Total time from kickoff to first draft report? About 4 hours for a standard web app engagement. Used to take me two full days.

That's not a typo.

The Mindset Shift

Here's what I really want you to take away from this. Automation isn't about being lazy. It's about being strategic.

The pentesters who are going to thrive in the next five years aren't the ones who can run the most tools. They're the ones who can build the systems that run the tools for them. They're the ones who spend their brainpower on the hard problems and let the machines handle the repetition.

I'm not saying become a developer. I'm saying become a pentester who can code well enough to not hate their life.

That's a different skill set. And it's one that most people in this industry are completely ignoring. They're so busy learning the latest exploit technique that they never stop to ask why they're still manually taking screenshots in 2025.

The answer is embarrassing. They just never thought about it.

The Boring Stuff Is Where the Money Is

Let me say this one more time because it's important.

The pentester who can deliver a clean, well-structured, evidence-backed report in half the time is the one who gets rehired. The one who gets referrals. The one who gets the 10K engagement instead of the 2K one.

Clients don't pay you for the hack. They pay you for the clarity. For the report that makes their CISO look good in a board meeting. For the findings that are actually actionable.

And you can't deliver that if you're buried in busywork.

Automate the boring stuff. Protect your brain for the interesting stuff. That's the play.

Want Agents That Hunt While You Sleep?

Look. If you're automating recon and report generation, you're already thinking right. But why stop there?

I built something for the next level. AI-Native OSINT: The 2026 Investigator's Toolkit is a collection of AI agents that do the investigative legwork for you. Subdomain mapping. People search. Dark web cross-referencing. Threat intel correlation. All running autonomously while you sleep, eat, or pretend to listen in a standup.

This is what OSINT looks like when you stop treating it like manual labor and start treating it like an engineering problem.

Automate the grind. Keep the edge.
