Vonahi vPenTest is an automated network penetration testing platform that walks the attacker path from external reconnaissance through internal network compromise. Sherlock EoP Auditor is a Windows endpoint surface scanner that finds local privilege escalation paths on individual hosts. The tools test different layers of the same attack chain. vPenTest answers "can an attacker get a foothold in our network?" EoP Auditor answers "once an attacker has a foothold on a Windows host, can they become SYSTEM?" The honest practitioner posture is to run both. They complement each other; they do not compete.
What Vonahi vPenTest tests
Vonahi vPenTest is a continuous automated penetration testing service delivered as a SaaS platform. The tool simulates the steps a real attacker would take from outside the network through internal lateral movement. The standard vPenTest engagement covers external attack surface enumeration, internal network reconnaissance, credential attack simulation, lateral movement attempts, and exploitation of common network-level misconfigurations.
Specific attack categories vPenTest exercises include exposed network services (RDP, SMB, SSH), credential reuse across systems, Kerberoasting, AS-REP roasting, NTLM relay, weak service account passwords, Active Directory misconfigurations, network segmentation gaps, and exposed management interfaces. The reports map findings to the standard pentest scoring rubric (critical / high / medium / low) and provide proof-of-exploitation evidence for each finding.
vPenTest runs on a recurring schedule, typically monthly or quarterly. The platform automates the orchestration that traditional human penetration testers perform manually. The output is a real penetration test report with an executive summary and technical detail. The cost structure is subscription-based, scaling with the size of the network being tested.
What Sherlock EoP Auditor tests
Sherlock EoP Auditor is a Windows endpoint surface scanner focused on local privilege escalation vectors. The tool runs on a single Windows host and enumerates the conditions that would allow a regular user account to escalate to SYSTEM or another privileged identity on that machine.
Specific attack surfaces EoP Auditor enumerates include third-party Windows services running as SYSTEM with weak access controls, kernel driver attack surfaces, named pipe authorization gaps, scheduled task misconfigurations, COM object permission issues, registry key ACL gaps, file system permission vectors on privileged executables, and token impersonation opportunities. The tool surfaces findings as a structured report with a severity rating and remediation guidance.
EoP Auditor runs on demand against a single host. It is not a continuous platform; it is a point-in-time forensic audit of the local Windows attack surface. The use cases are endpoint hardening assessment, post-incident review of compromised hosts, third-party software vendor evaluation, and pre-deployment security validation of new Windows server roles.
The attack chain layering
The reason these two tools coexist in mature security programs is that they map to different stages of the attack lifecycle.
A real attacker walks a predictable sequence: initial access (phishing, exposed service exploit, supply chain), internal reconnaissance, credential theft, lateral movement, privilege escalation, and data exfiltration or ransomware deployment. vPenTest exercises the first four stages. It answers questions about how attackers move through the network once they have an initial foothold. EoP Auditor exercises the privilege escalation stage. It answers questions about what happens after an attacker lands on a specific Windows host.
The two tools are most valuable when run together. A vPenTest finding that "attacker can compromise host X via credential reuse" is materially worse if EoP Auditor on host X also finds "attacker can escalate from compromised user to SYSTEM via vulnerable third-party service Y." The combined finding is "attacker can compromise host X and immediately gain SYSTEM-level control of it." That is the chain that turns a network breach into a domain compromise.
Running only vPenTest misses the privilege escalation layer entirely. The reports will surface network-level findings but cannot tell you whether a foothold on a given host becomes a SYSTEM-level compromise. Running only EoP Auditor misses the network attack path layer. The reports will surface endpoint-level findings but cannot tell you whether attackers can reach those endpoints from outside or laterally.
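The layering argument above can be turned into a triage step by joining the two result sets on hostname. The sketch below is an added example, not code or an export format from either product: every record, field name, and the one-step severity bump are constructed assumptions for illustration.

```python
# Added illustration: joins network-layer and host-layer findings by host.
# All records and field names are constructed; no real export format is assumed.
SEVERITIES = ["low", "medium", "high", "critical"]

NETWORK_FINDINGS = [  # constructed network pentest results
    {"host": "FS01", "finding": "credential reuse", "severity": "high", "foothold": True},
    {"host": "WEB02", "finding": "exposed RDP", "severity": "medium", "foothold": True},
    {"host": "DB03", "finding": "segmentation gap", "severity": "low", "foothold": False},
]
HOST_FINDINGS = [  # constructed host audit results
    {"host": "FS01", "vector": "third-party SYSTEM service with weak ACL", "reaches": "SYSTEM"},
    {"host": "APP04", "vector": "named pipe authorization gap", "reaches": "SYSTEM"},
]
AUDITED_HOSTS = {"FS01", "APP04"}  # hosts where a host audit was actually run


def raise_severity(level):
    """Bump one step, capped at critical (an assumed scoring policy)."""
    return SEVERITIES[min(SEVERITIES.index(level) + 1, len(SEVERITIES) - 1)]


def correlate(network, host, audited):
    """Return (chains, unaudited_footholds, local_only) for triage."""
    escalations = {}
    for h in host:
        if h["reaches"] == "SYSTEM":
            escalations.setdefault(h["host"], []).append(h["vector"])
    chains, unaudited, footholds = [], [], set()
    for n in network:
        if not n["foothold"]:
            continue  # no host access was demonstrated by this finding
        footholds.add(n["host"])
        if n["host"] in escalations:
            chains.append({"host": n["host"], "foothold": n["finding"],
                           "escalations": escalations[n["host"]],
                           "severity": raise_severity(n["severity"])})
        elif n["host"] not in audited:
            unaudited.append(n["host"])  # escalation layer is untested here
    local_only = sorted(set(escalations) - footholds)  # no known network path
    return chains, sorted(set(unaudited)), local_only


if __name__ == "__main__":
    chains, unaudited, local_only = correlate(NETWORK_FINDINGS, HOST_FINDINGS, AUDITED_HOSTS)
    for c in chains:
        print(f"{c['host']}: {c['foothold']} -> {c['escalations']} [{c['severity']}]")
    print("audit next:", unaudited, "| host-only findings:", local_only)
```

The three outputs map to three actions: chained hosts are remediated first, hosts with a foothold but no host audit are audited next, and host-only findings are fixed on the normal hardening schedule.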
Coverage matrix
The honest practitioner answer to "which tool should we buy" is "both, for different reasons." The coverage matrix:
External attack surface: vPenTest covers, EoP Auditor does not.
Internal network reconnaissance: vPenTest covers, EoP Auditor does not.
Credential attacks (Kerberoasting, NTLM relay, password reuse): vPenTest covers, EoP Auditor does not.
Network segmentation testing: vPenTest covers, EoP Auditor does not.
Local privilege escalation surface: EoP Auditor covers, vPenTest does not at the depth a host-level audit reaches.
Third-party Windows service authorization gaps: EoP Auditor covers, vPenTest does not (these are local-host findings invisible to network-level testing).
Kernel driver attack surface: EoP Auditor covers, vPenTest does not.
Named pipe authorization gaps: EoP Auditor covers, vPenTest does not. This is the attack class behind several recent Windows privilege escalation findings including the PARTY LINE disclosure category Sherlock Forensics surfaces in our Labs disclosure tracker.
COM object permissions: EoP Auditor covers, vPenTest does not.
Scheduled task misconfigurations: Partial overlap. vPenTest may catch network-reachable task abuse; EoP Auditor catches local-host task misconfigurations.
Active Directory misconfigurations: vPenTest covers extensively, EoP Auditor covers the host-side trust relationship impacts only.
Cost and operational characteristics
Vonahi vPenTest is a SaaS subscription scaling with the size of the network being tested. The annualized cost for a mid-market organization typically runs five figures USD. The platform requires an agent install on an internal network host that orchestrates the internal phase of the test. The reports are professional penetration test reports suitable for compliance evidence (SOC 2, PCI DSS, HIPAA), customer security questionnaires, and board-level reporting.
Sherlock EoP Auditor is a one-time per-license tool that runs on demand against individual Windows hosts. The tool is suited for endpoint hardening assessment, third-party software vendor evaluation, post-incident host audits, and pre-deployment validation. It is not a continuous platform; it is a forensic audit utility. The cost structure is per-license, materially below the SaaS pentest tier.
The operational pattern that mature security teams adopt is to run vPenTest on a recurring cadence (monthly or quarterly) for continuous attack-path visibility, and to run EoP Auditor on demand against specific hosts that vPenTest flags as high-value and on new Windows server deployments before bringing them into production. The tools answer different questions and bill against different budget lines.
When each tool is the right starting point
Choose vPenTest first if the question your security program needs to answer is "are we exposing exploitable attack paths to the internet or to compromised internal hosts?" This is the right starting question for organizations early in their security maturity, organizations with compliance reporting requirements for penetration testing, and organizations that want continuous attack-path visibility as their core security telemetry source.
Choose Sherlock EoP Auditor first if the question your security program needs to answer is "are our Windows endpoints hardened against local privilege escalation?" This is the right starting question for organizations with known third-party software heterogeneity, organizations doing post-incident response that need to verify whether a compromised host could have been further escalated, and organizations evaluating new Windows server software before deploying.
Choose both if you are a mature security program serious about defense in depth. The two tools cover different layers of the same attack chain. Running only one leaves the other layer untested. The combined cost is still materially below traditional human penetration testing engagement rates while providing both layers of automated coverage.
What this means for security planning
The mistake security programs make is treating automated security tools as substitutes for each other. They are not. Each automated tool covers a specific attack surface layer. Picking one and skipping the others creates blind spots in exactly the surfaces that real attackers exploit.
Sherlock Forensics responds to ransomware and breach incidents across mid-market and enterprise customers. The patterns we see consistently across post-incident investigation are organizations that had ONE security tool deployed (typically network-layer or endpoint-layer but not both) and organizations that had multiple tools deployed but with major overlap (multiple EDR products, no privilege escalation auditing). The breach pattern follows the gap.
The Sherlock Forensics services practice handles ransomware response, breach investigation, and court-defensible forensic examination. The forensic toolchain includes the Sherlock Disk Imager for acquisition with chain of custody, the Sherlock PST Viewer for mailbox forensics during breach analysis, the Sherlock Universal Events Viewer for timeline reconstruction, and the Sherlock EoP Auditor for privilege escalation surface assessment. Talk to our team about incident response or proactive security assessment.
Two tools, two layers, one defense in depth posture. Get on the EoP Auditor early access list for the privilege escalation layer. Talk to our team about pairing it with vPenTest or with other network-layer testing in your security program.