For decades, businesses have employed penetration testing, simulating cyberattacks on their IT systems—to uncover vulnerabilities that hackers could exploit. Traditionally, this process was manual, requiring skilled professionals to probe defenses meticulously, look for any chink in the security armor, and use creativity, technical expertise, and an understanding of attacker strategies. While effective, manual testing can be time-consuming and costly.
Today, technological advancements, including artificial intelligence (AI) and machine learning, have transformed the landscape. Automated network penetration testing tools streamline vulnerability discovery by scripting repetitive tasks and running them on a schedule, making regular testing more accessible, even for smaller organizations.
Information Security Buzz spoke with Alton Johnson, an ethical hacker who began his journey at the age of 11 and has become a leader in penetration testing. After gaining experience at several top cybersecurity firms, Johnson created his own automated network pen testing tool and started Vonahi Security as a Founder and Principal Security Consultant. Johnson now applies his unique blend of manual expertise and automation to deliver faster, more cost-effective security solutions for organizations of all sizes.
Shaping Future Approaches
When asked how this shaped his approach to penetration testing today, he said as a kid, he was once hacked while using AOL chat rooms. Surprisingly, the person responsible showed him exactly how they did it, sparking his fascination with hacking. This experience led Johnson to dive deeply into coding, which soon became a passion—empowering him to create tools and solutions he couldn’t find elsewhere. “Instead of relying on the internet or other developers to bring my ideas to life, I had the freedom to build and innovate on my own terms,” he said.
This perspective has shaped his mindset over the years. In every situation or challenge, he’s constantly searching for ways to improve things. Observing how processes work always sparks his curiosity. Early on, he’d think, “I know how to code—how could I streamline this?” This mindset has had a major influence on his career. When he began working professionally in penetration testing, he focused on building his expertise in the field, while drawing on his background in coding. But as he progressed, it became clear that many processes within cybersecurity were inefficient and time-consuming, which pushed him to explore ways to make them faster and more effective.
There Must be a Better Way
People often view hackers as if they’re magicians, marveling at their ability to type out lines of code and make extraordinary things happen. To Johnson, it was incredible that they could perform such sophisticated, seemingly magical tasks in the field. Yet, when they returned to document our work, they were stuck with tedious, repetitive tasks—copying sections, moving severity icons, and laboriously piecing everything together. “After doing this for years, I couldn’t help but think there had to be a more efficient way. It just didn’t make sense to spend hours on Microsoft Word after such advanced work in the field.”
Combining his skills in hacking and coding sparked ideas on how he could improve the pen-testing process, which is how Vonahi came to be. Johnson’s goal was to build a tool for himself that would make him a more efficient pen tester after leaving his last job. He then began doing contract work with the aim of standing out in the market, completing projects faster, offering competitive rates, and handling more work.
“As I shared these ideas on LinkedIn, people started reaching out, asking, “I hear you’re working on automating network pen testing—how can I sign up?” At that point, I was simply a pen tester with no background in sales or marketing, so this was all new to me. But that’s when things really took off. I realized that MSPs genuinely needed the solution I was building. From there, I had to learn about pricing and hiring as demand grew. Learning to code early on has shaped my approach to everything; I’m always looking for ways to make things better and faster.”
The More Things Change
Johnson says, for the most part, many of the penetration testing services that were offered when he began his career are still very much the same. “One of the biggest changes I’ve seen since I began my career is the rise of cloud-based environments. When I started my first job, the cloud was still seen as a novelty, something many people thought might just be a passing trend. But it’s here to stay, and it has reshaped penetration testing.”
Instead of traditional on-prem network penetration testing, we’re now dealing with cloud environments, he explains. “Many companies are hosting their systems in platforms like Azure and AWS, and throughout my career, I’ve witnessed a significant shift toward the cloud. However, in terms of network penetration testing itself, the core process hasn’t changed much. I’ve noticed that even within other cybersecurity companies, their approaches have largely remained the same, which led me to take my own path. Six or seven years on, the industry practices are still where they were when I began.”
To Automate, or Not to Automate?
He believes automated tools excel at tasks that involve repetitive human actions. “There’s plenty of debate around this, but my perspective is simple: any task I can perform manually multiple times is something that can be automated. When a process is done every day, there’s no reason it can’t be automated. This has certainly proven true in pen testing. When I first explored automated network pen testing, I had my own doubts, as I hadn’t seen it fully realized yet. But as we’ve advanced with Vonahi and completed over 40,000 assessments over the years, I’ve been genuinely impressed by how we’ve tackled what seemed like challenging hurdles.”
Johnson adds that by collaborating and conducting thorough research, we keep finding ways to improve. Automated network pen testing effectively replicates the repetitive tasks people perform manually. An added advantage is the ability to incorporate insights from various pen testers into the code, creating scalability and enhancing the tool’s impact. The limitations, in his view, lie in areas that require subjective judgment or human interaction, like social engineering and vishing attacks. That’s where automation falls short for now.
Pen-Testing for SMEs
There are many perspectives on this, but he believes that small and medium-sized businesses should prioritize penetration testing. Once they understand what a pen test entails, they should move forward with it, as it’s the closest simulation of a real-world hacker targeting their environment. Some might argue for starting with a risk assessment or establishing policies and procedures first, but in reality, if an attack were to happen tomorrow, businesses wouldn’t have the insight into an attacker’s likely path or actions.
What’s exciting about Vonahi’s approach is that they’ve managed to take the traditional aspects of manual network pen testing and automate them, making the process faster, more affordable, and accessible to more businesses worldwide. By reducing the cost and turnaround time, they’ve lowered the barrier to entry, allowing businesses to gain valuable insights quickly—even as soon as the next day. In his view, understanding how an attacker would target an environment is essential, and a penetration test is one of the most effective ways to gain that perspective.
Will AI, ML Play a Role?
When asked about the future role of AI and ML in penetration testing, he said their impact is likely to be substantial. The release of ChatGPT, for example, created a wave of excitement and demonstrated that AI isn’t just another passing trend. Over the past few decades, tech has seen many concepts appear and fade, but AI is different—it’s rapidly expanding across industries, from autonomous robots to self-driving cars.
In penetration testing, he expects to see much more automation and AI-driven tools because AI has access to far more information than individual pen testers. It can make decisions faster and analyze large volumes of data more efficiently, drawing on vast knowledge from diverse sources to inform its actions.
Though there are limitations, Johnson believes the progress made in recent years is just the beginning. AI’s capabilities in penetration testing will likely become increasingly valuable, offering enhanced speed and insight. He sees these advancements as early, but already impressive, indicators of the significant role AI will play in the field.
Future Directions in Penetration Testing
The demand for swift and effective security practices grows as the cybersecurity landscape continues to evolve. Combining the accuracy of manual penetration testing with the scalability and efficiency of automation enables businesses of all sizes to strengthen their security defenses. With advancements in AI and machine learning leading to even more sophisticated solutions, the future of penetration testing promises to be increasingly accessible, cost-effective, and powerful.
About the Author
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
