Best Penetration Testing Tools in 2026

The best penetration testing tools in 2026 are Burp Suite, Metasploit, Nmap, OWASP ZAP, Nuclei, Cobalt Strike and BloodHound. Each serves a distinct function in the red team workflow from reconnaissance through exploitation and post-exploitation. Tools are only as good as the red team behind them. Automated scans find known patterns. Skilled testers find what tools miss.

Tools Are Force Multipliers, Not Replacements

Every penetration testing engagement relies on tooling. But tools do not conduct penetration tests. People do. A scanner will flag a missing header. A skilled tester will chain that missing header with a session fixation flaw, a permissive CORS policy and an insecure direct object reference to demonstrate full account takeover. The tool found one of those four links. The tester found the other three.

That said, the right tools accelerate coverage and ensure consistency. Here are the seven tools our red team relies on in 2026 and what each actually does in a real engagement.

1. Burp Suite

Burp Suite remains the standard for web application penetration testing. It operates as an intercepting proxy, capturing and modifying HTTP/HTTPS traffic between the browser and the target application. The Professional edition includes an automated scanner, an Intruder module for fuzzing and a Repeater module for manual request manipulation.

When we use it: Every web application and API engagement. Burp is the first tool loaded and the last one closed. We use its scanner for baseline coverage and then spend the majority of testing time in Repeater and Intruder, manually testing authentication, authorization and business logic.

Limitations: Burp's automated scanner produces false positives and misses business logic flaws entirely. It struggles with heavily JavaScript-driven single-page applications and cannot test server-side logic that requires contextual understanding. The tool finds injection points. The tester determines exploitability.

2. Metasploit

Metasploit Framework is the industry-standard exploit development and delivery platform. It provides a library of vetted exploit modules, payload generators, encoders and post-exploitation tools. The framework handles the mechanics of exploit delivery so testers can focus on target selection and lateral movement.

When we use it: Network penetration tests where we need to exploit known vulnerabilities in services, escalate privileges or pivot through segmented networks. Metasploit's Meterpreter payload provides reliable post-exploitation capability for credential harvesting and lateral movement.

Limitations: Metasploit exploits are well-known to defensive tools. Any competent EDR solution will flag Metasploit payloads. For red team engagements where stealth matters, we write custom tooling. Metasploit is a starting point, not the final weapon.

3. Nmap

Nmap (Network Mapper) is the foundational network reconnaissance tool. It discovers hosts, identifies open ports, fingerprints services and detects operating system versions. Its scripting engine (NSE) extends functionality with vulnerability detection, brute-force testing and service enumeration scripts.

When we use it: The first step of every network engagement. Nmap tells us what is running, what version it is and what ports are exposed. That information drives the entire testing strategy. We run targeted scans rather than full-range sweeps to minimize noise.

Limitations: Nmap is a reconnaissance tool, not an exploitation tool. It tells you what is there. It does not tell you whether it is vulnerable or exploitable. Aggressive scanning can trigger IDS alerts and may cause instability in fragile services. Scan configuration requires judgment.

4. OWASP ZAP

OWASP ZAP (Zed Attack Proxy) is a free and open-source web application security scanner maintained by the OWASP Foundation. It provides automated scanning, passive analysis, fuzzing and an intercepting proxy similar to Burp Suite.

When we use it: As a secondary scanner to cross-reference Burp Suite findings. ZAP sometimes catches issues Burp misses, particularly in its passive scanning mode. We also recommend it to development teams for CI/CD pipeline integration because it is free and scriptable.

Limitations: ZAP's automated scanning engine is less sophisticated than Burp Suite Professional. Its user interface is less polished. For manual testing workflows, Burp remains superior. ZAP is strongest as an automated scanner in development pipelines rather than as a primary manual testing tool.

5. Nuclei

Nuclei by ProjectDiscovery is a template-based vulnerability scanner that has rapidly become essential in modern penetration testing workflows. It uses YAML templates to define detection logic for specific vulnerabilities, misconfigurations and exposed panels.

When we use it: Rapid scanning of large target sets for known vulnerabilities and misconfigurations. Nuclei's community-maintained template library covers CVEs within days of disclosure. We run it early in engagements to identify low-hanging fruit quickly and then focus manual testing time on areas that require human analysis.

Limitations: Nuclei is only as good as its templates. It finds only what a template exists for. It does not discover zero-day vulnerabilities or test business logic. Custom application vulnerabilities require custom templates or manual testing.

6. Cobalt Strike

Cobalt Strike is a commercial adversary simulation platform designed for red team operations. Its Beacon payload provides covert command-and-control with malleable communication profiles, in-memory execution and advanced evasion capabilities. It simulates the tooling that real threat actors use.

When we use it: Red team engagements where the objective is testing detection and response rather than finding vulnerabilities. Cobalt Strike's malleable C2 profiles allow us to mimic specific threat actor communication patterns. Its integration with MITRE ATT&CK maps our activities to documented adversary techniques.

Limitations: Cobalt Strike is expensive (approximately $5,900/year per operator). Cracked copies are widely used by actual threat actors, which means defenders are highly tuned to detect its default indicators. Effective use requires significant customization of payloads, profiles and infrastructure. It is a tool for experienced red team operators, not entry-level testers.

7. BloodHound

BloodHound maps Active Directory attack paths using graph theory. It ingests AD data and visualizes relationships between users, groups, computers, GPOs and permissions to identify the shortest path from any compromised account to domain administrator.

When we use it: Every internal network engagement that involves Active Directory. BloodHound reveals attack paths that are invisible in traditional vulnerability scans. A user with no apparent privileges may be two hops from Domain Admin through nested group memberships and misconfigured ACLs. BloodHound finds those paths in minutes.

Limitations: BloodHound requires authenticated access to Active Directory to collect data. Its data collector, SharpHound, can trigger alerts in monitored environments. It maps potential attack paths but does not execute them. The tester must validate each path manually.
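The graph search BloodHound performs, as an added Python illustration rather than BloodHound's own code: a breadth-first search over typed AD relationships (the edge names MemberOf, AdminTo, HasSession, GenericAll and CanRDP follow BloodHound's vocabulary) that returns the shortest path from a given principal to Domain Admins. The edge list and all principal names are constructed for the example; for a defender the same search points at the single edge whose removal breaks the path (here the GenericAll ACL on the Domain Admins group).

```python
from collections import deque

# Constructed BloodHound-style edge list (source, relationship, target).
# All names are made up for this example; none come from the original page.
EDGES = [
    ("alice@corp.local", "MemberOf", "helpdesk@corp.local"),
    ("helpdesk@corp.local", "MemberOf", "ws admins@corp.local"),
    ("ws admins@corp.local", "AdminTo", "ws01.corp.local"),
    ("ws01.corp.local", "HasSession", "svc_backup@corp.local"),
    ("svc_backup@corp.local", "GenericAll", "domain admins@corp.local"),
    ("bob@corp.local", "MemberOf", "finance@corp.local"),
    ("finance@corp.local", "CanRDP", "fin01.corp.local"),
]
DA = "domain admins@corp.local"

def build_graph(edges):
    """Directed adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph

def shortest_path(graph, start, goal):
    """BFS over typed edges. Returns [(src, rel, dst), ...], [] if start == goal,
    or None when goal is unreachable from start."""
    parent = {start: None}          # node -> (previous node, relationship)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:            # walk parent links back to start
            path, cur = [], node
            while parent[cur] is not None:
                prev, rel = parent[cur]
                path.append((prev, rel, cur))
                cur = prev
            return path[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:   # first visit is the shortest in BFS
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None

def exposure(graph, principals, goal):
    """Hop count from each principal to goal (None if unreachable), shortest first."""
    rows = []
    for p in principals:
        path = shortest_path(graph, p, goal)
        rows.append((p, None if path is None else len(path)))
    return sorted(rows, key=lambda r: (r[1] is None, r[1] or 0))
```

Running `exposure(build_graph(EDGES), ["alice@corp.local", "bob@corp.local"], DA)` ranks alice five hops from Domain Admins despite holding no direct privilege, which is the kind of path the text describes scanners missing.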

The Bottom Line

These seven tools cover the core penetration testing workflow from reconnaissance through exploitation and post-exploitation. But loading them onto a laptop does not make someone a penetration tester. Understanding target environments, chaining findings across tools, identifying business logic flaws and communicating risk to stakeholders requires years of practice.

Our red team runs these tools against client infrastructure daily. The difference between a tool-driven scan and a human-driven penetration test is the difference between a list of CVEs and a demonstrated attack path to your most sensitive data. If you want the latter, you need a team that has been doing this for 20 years.