A Framework for Automated and Visualized Penetration Testing
Corresponding author's email: vanntth@hcmute.edu.vn
DOI: https://doi.org/10.54644/jte.2026.1971
Keywords: Penetration Testing, Security vulnerability, Automation, YAML workflow, Visualization
Abstract
The fragmentation of command-line tools in penetration testing leads to inefficiency, additional manual effort, and inconsistent results, all of which can make workflows extremely problematic in complex security testing scenarios. This paper presents EzPentest, a framework designed to automate and visualize penetration testing through a single web interface. EzPentest's novelty is its YAML-based workflows, which support conditional logic, looping, and parallelization to create flexible and repeatable testing processes. Key to EzPentest is its parser engine, which converts the output of different tools into a standardized JSON format; this transformation standardizes vulnerability analysis and reporting. Along with its parser, EzPentest takes a modular approach that allows the community to enhance and share workflows that connect various tools into holistic penetration testing scenarios. In experiments with benchmark applications such as DVWA and bWAPP, EzPentest achieves the highest detection rate of 89.39%. As demonstrated, EzPentest is more than simply a solution for scalable, accessible, and collaborative penetration testing; it is an open community resource that is particularly beneficial in educational institutions, as it makes an advanced area of software vulnerability assessment and security testing easier to understand, and it allows small-to-medium enterprises to undertake initiatives to automate pentesting.
License
Copyright (c) 2026 Journal of Technical Education Science

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.


