Channel: Cyber agencies urge organizations to collaborate to stop fast flux DNS attacks | CSO Online

14 underrated pentesting tools to round out your red team arsenal


The right tool can make or break a pentest or red team exercise. While many of the tools in Kali are tried and true, they are not always the best fit for every scenario. It is crucial to know where to turn for different needs, ensuring you’re adequately equipped to meet a variety of objectives. Incorporating mainstream penetration testing tools and lesser-known, but just as powerful, tools can elevate your offensive maturity, helping cover more internal and external attack surfaces that you may have overlooked.

There are many powerful, lesser-known tools that can help push the boundaries of pentesting, particularly around cloud and OSINT. These tools may not get as much time in the spotlight, but they’re just as potent (if not more so) in certain use cases.

Here are 14 underrated pentesting tools that deserve a spot in your arsenal.

Tool | Ease of Use | Output | Main Competitors | Capability Focus | Available On | Free/Paid
--- | --- | --- | --- | --- | --- | ---
Caldera | Easy to Moderate | Adversary emulation, reports on attack success/failure | Atomic Red Team | Adversary emulation, MITRE ATT&CK simulation | GitHub | Free
Silent Trinity | Moderate | C2 framework for post-exploitation | Empire, Cobalt Strike | Post-exploitation C2 via .NET | GitHub | Free
Pacu | Moderate | AWS vulnerability and configuration exploitation | WeirdAAL, ScoutSuite | AWS misconfigurations and exploitation | GitHub | Free
ScoutSuite | Easy | Cloud misconfiguration and permission audit | CloudSploit | Cloud security auditing (multi-cloud) | GitHub | Free
Cookiebro | Very Easy | Browser cookie management and tracking control | EditThisCookie | Cookie management, session replay attacks | Chrome/Firefox add-ons | Free
WeirdAAL | Moderate | AWS privilege escalation and misconfiguration exploits | Pacu, CloudSploit | AWS privilege escalation | GitHub | Free
DigitalOcean | Easy | Cloud infrastructure provisioning and testing | AWS, GCP | Cloud infrastructure management | DigitalOcean | Paid
GoPhish | Easy | Phishing campaign metrics and success rates | PhishMe, King Phisher | Phishing simulation and user interaction tracking | GitHub | Free
Infection Monkey | Easy | Lateral movement, network attack simulations | Caldera, Atomic Red Team | Breach and attack simulation, lateral movement | GitHub | Free
Atomic Red Team | Easy to Moderate | Individual MITRE ATT&CK techniques | Caldera | MITRE ATT&CK technique simulation | GitHub | Free
Stratus Red Team | Moderate | Cloud-native attack techniques for AWS | Atomic Red Team | AWS-specific adversary emulation | GitHub | Free
GD-Thief | Moderate | Google Drive enumeration | ls command | Google Drive OSINT and misconfiguration enumeration | GitHub | Free
DVWA | Easy to Moderate | Vulnerability exploitation in web apps (XSS, SQLi, RCE) | OWASP Juice Shop, Hackazon | Web application security testing | GitHub | Free
Hackazon | Moderate | Exploitation of modern web app vulnerabilities, including APIs | DVWA, OWASP Juice Shop | Modern web app vulnerability simulation | GitHub | Free

Caldera

By the same folks responsible for the ATT&CK matrices, Caldera by MITRE gets the No. 1 spot because it is the most undervalued tool in this article. Caldera is an automated adversary emulation platform that lets red and blue teams simulate attacks based on real-world threat models. It is packed with tooling for testing defensive capabilities and lets you build custom adversary campaigns. It includes:

Prebuilt adversary profiles: Caldera ships with adversary profiles that simulate specific threat actors. These profiles replicate the tactics, techniques, and procedures (TTPs) used by real-world adversaries, so you can see how well your defenses stand up to different attack strategies. You can test how your environment would handle an APT29- or FIN7-style intrusion without scripting the attacks by hand and without drifting beyond that group's documented tradecraft.

Modular plugin architecture: Caldera is built on a plugin-based architecture, meaning you can extend its capabilities through various modules.

Adversary emulation plans: You can build custom adversary campaigns by stringing together techniques from MITRE ATT&CK. These plans let you simulate the whole chain, from phishing and initial compromise through persistence, lateral movement, and exfiltration. Caldera also lets you set specific attack goals, such as gaining domain admin access or reaching sensitive files.

Automated red and blue team exercises: Caldera serves both sides. As a red team tool it automates attack sequences; for blue teams it generates reports showing which defenses were triggered and how effectively they responded. That lets you test your organization's detection and response capabilities in real time without manual intervention.

Reporting and visualization: After running a simulation, Caldera generates detailed reports that map your defense’s success or failure against specific attack techniques. The tool provides clear, visual feedback, often showing which techniques were successfully blocked, which triggered alerts, and where there were gaps in coverage. This makes it invaluable for tuning detection and monitoring tools like SIEMs and EDRs.

Real-time execution of ATT&CK techniques: Caldera lets you execute individual ATT&CK techniques on demand. For example, to test how your defenses respond to PowerShell abuse, select the matching technique from the ATT&CK matrix and run it directly in your environment. Caldera then shows whether the technique was detected; if not, adjust the control and run it again. This gets red teams off the retest hamster wheel.

Caldera also has a user-friendly web interface. Even without deep red-teaming knowledge, you can assemble and execute multi-step attack chains in the browser by selecting abilities from the library, which makes it accessible to technical and non-technical, junior and senior team members alike.

Though many security teams are aware of Caldera, it gets far less attention in pentesting circles than manual tools like Metasploit. Its automation and built-in adversary tactics save time and make red team exercises repeatable. It is a practical way to test defenses against real-world tradecraft mapped to MITRE ATT&CK and to demonstrate impact, not just likelihood, in the risk conversation. It makes our pentesting lives easier in nearly every way we ask for, yet many teams don't use it.

Use case: Use Caldera's automation to test whether your defenses catch the privilege escalation and follow-on activity that a ZeroLogon (CVE-2020-1472) compromise of a Windows domain controller would enable. Or, worried about a particular threat group? Run Caldera's profile for that adversary and test your defense in depth.

Silent Trinity

Silent Trinity is a post-exploitation command-and-control (C2) framework built on Python and .NET's Dynamic Language Runtime: the server is Python, and the implant runs Boo and IronPython payloads inside the .NET runtime, which lets it blend into Windows environments more easily than many C2 tools. It's a stealthy alternative to frameworks like Cobalt Strike, and running in memory on .NET infrastructure that is already present on every Windows host makes it effective at slipping past defenses tuned for conventional implants. It's also open source, so you don't need a multi-thousand-dollar license to use it.

While many pentesters rely on well-known C2 frameworks like Cobalt Strike and Covenant, Silent Trinity's .NET integration makes it especially dangerous for post-exploitation on Windows because its stagers run inside legitimate .NET-hosting processes such as MSBuild or PowerShell rather than as a standalone binary.

Use case: After gaining code execution through a bug like PrintNightmare (CVE-2021-1675 / CVE-2021-34527), use Silent Trinity for the post-exploitation phase: establish C2, maintain persistent access, and move laterally. The framework is the handler, not the exploit.

Pacu

Pacu is an AWS exploitation framework from Rhino Security Labs. With Pacu, pentesters can identify and exploit security misconfigurations in AWS environments, such as over-permissioned IAM roles or exposed S3 buckets. It works from a set of AWS credentials you already hold, whether low-privilege keys found in a leak or the ones a client hands you for an assumed-breach engagement, and from there it covers multiple phases of AWS pentesting, from enumeration through privilege escalation, persistence, and exfiltration.

As cloud environments become more central to modern infrastructure, tools like Pacu should be in the limelight. Yet it is often overshadowed by traditional, non-cloud-focused tools (again, like Metasploit: square peg, round hole). Pacu excels at finding and exploiting misconfigurations in AWS environments and targets AWS-specific weaknesses that other tools miss. Its modular structure lets you customize tests to uncover everything from over-permissioned IAM roles to exposed EC2 instances.

Use case: Use Pacu's S3 modules to enumerate the buckets your credentials can see, check their bucket policies and ACLs for public or overly broad access, and pull down any sensitive data they expose. A public bucket is a configuration failure rather than a CVE, which is exactly why vulnerability scanners miss it.

ScoutSuite

ScoutSuite is a multi-cloud security auditing tool that analyzes AWS, Azure, and GCP environments for misconfigurations. It provides a comprehensive view of cloud security risks by inspecting permissions, network setups, and policies. Use ScoutSuite for enumeration and situational awareness, then Pacu to exploit what it finds.

Though similar to CloudSploit, ScoutSuite’s multi-cloud support and user-friendly reports make it a go-to for cloud audits.

Use case: Use ScoutSuite to find over-permissive IAM roles attached to EC2 instances and security groups that expose services to the internet. That combination is what turns a single application bug such as Log4Shell (CVE-2021-44228 and its follow-up CVE-2021-45046) on one exposed server into a route to the instance's role credentials and the rest of the account.

Cookiebro

Cookiebro is a simple but powerful browser extension for managing cookies and tracking scripts. While not a pentesting tool in the traditional sense, Cookiebro gives you granular control over web tracking, helping you understand and analyze how a web app behaves.

In the right hands, Cookiebro also lets you import a captured session cookie into your own browser and replay it, effectively impersonating the authenticated user without ever touching their credentials. It does not capture cookies from other users; you still need to obtain the token through XSS, a leak, or traffic interception, but once you have it, Cookiebro makes replay against web apps and SSO dashboards a matter of a few clicks.

Use case: Check how a site handles session cookies and whether a replayed token works from a second browser, for example against a server affected by JetLeak (CVE-2015-2080), the Jetty bug that leaks fragments of other users' requests, including their session cookies.
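The check you would run after inspecting a session cookie in Cookiebro, as an added example rather than the article's or Cookiebro's own code: parse a Set-Cookie header and report the attributes whose absence makes the cookie easy to capture and replay. The two headers are constructed samples and the cookie name is hypothetical.

```python
"""Added example (not part of the article or of Cookiebro): audit the
attributes of a Set-Cookie header. A session cookie missing Secure, HttpOnly
or SameSite is easier to capture and replay than one that has them.
"""
from http.cookies import SimpleCookie

# Constructed sample headers; the cookie name and value are hypothetical.
WEAK_HEADER = "JSESSIONID=7d2f0c5e1b; Path=/"
HARDENED_HEADER = ("JSESSIONID=7d2f0c5e1b; Path=/; Secure; HttpOnly; "
                   "SameSite=Strict")

# Substrings that usually mark a cookie as an authenticated session token.
SESSION_NAME_HINTS = ("sess", "sid", "token", "auth", "jsessionid", "phpsessid")


def audit_set_cookie(header: str) -> dict:
    """Return {cookie_name: {"session_cookie": bool, "findings": [...]}}
    for every cookie in a Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(header)
    report = {}
    for name, morsel in jar.items():
        findings = []
        # Flags parse to True when present and to "" when absent.
        if not morsel["secure"]:
            findings.append("missing Secure: sent over plain HTTP, sniffable on the wire")
        if not morsel["httponly"]:
            findings.append("missing HttpOnly: readable by script, exposed by any XSS")
        samesite = morsel["samesite"]
        if not samesite:
            findings.append("missing SameSite: attached to cross-site requests (CSRF)")
        elif samesite.lower() == "none":
            findings.append("SameSite=None: attached to cross-site requests (CSRF)")
        if morsel["expires"] or morsel["max-age"]:
            findings.append("persistent cookie: survives browser close, longer replay window")
        looks_like_session = any(h in name.lower() for h in SESSION_NAME_HINTS)
        report[name] = {"session_cookie": looks_like_session, "findings": findings}
    return report


if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(label, audit_set_cookie(hdr))
```

Run it against the Set-Cookie line you copy out of the browser's network panel; anything flagged on a cookie marked `session_cookie` is a replay finding for the report.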

WeirdAAL

WeirdAAL (AWS Attack Library) is a specialized library for exploiting weaknesses in AWS environments. That may sound eerily similar to Pacu, and the two overlap, but WeirdAAL earns its spot by starting from the question "what can this key do?": hand it a set of pre-existing AWS credentials and it enumerates what they are permitted to do across services, then runs privilege escalation and other internal AWS attacks from that foothold. It's a great tool for red teams or pentesters who already have access to an AWS environment and want to escalate privileges or extend their control.

Use case: Feed WeirdAAL a harvested access key, let its recon modules map what the key can do, and look for privilege escalation paths such as iam:PassRole combined with permission to create Lambda functions or launch EC2 instances. These are permission combinations, not CVEs, so no vulnerability scanner will flag them for you.
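Pacu, ScoutSuite, and WeirdAAL all ultimately reason about IAM policy documents. The following is an added example, not code from any of those projects, of that reasoning as a stand-alone check over an inline policy: it flags wildcard action grants and a handful of well-documented privilege escalation combinations. Both policy documents are constructed; the bucket name and the permission set are hypothetical.

```python
"""Added example (not Pacu's, ScoutSuite's or WeirdAAL's own code): flag
wildcard grants and known privilege-escalation action combinations in an
IAM policy document. Resource scoping, Deny statements and Conditions are
ignored here, so treat a hit as a lead to verify, not a confirmed path.
"""
from __future__ import annotations

import fnmatch
import json

# Constructed sample policies; the role permissions and bucket are hypothetical.
OVERLY_PERMISSIVE = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:Get*", "Resource": "arn:aws:s3:::corp-logs/*"}
  ]
}
""")

LEAST_PRIVILEGE = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::corp-logs/*"}
  ]
}
""")

# Action sets that let a principal reach a higher-privileged role or user.
PRIVESC_COMBOS = {
    "create a Lambda with a passed role and invoke it":
        {"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"},
    "launch EC2 with a passed instance profile":
        {"iam:PassRole", "ec2:RunInstances"},
    "attach a managed policy to a user":
        {"iam:AttachUserPolicy"},
    "mint an access key for any user":
        {"iam:CreateAccessKey"},
    "rewrite a role's trust policy and assume it":
        {"iam:UpdateAssumeRolePolicy", "sts:AssumeRole"},
}


def allowed_actions(policy: dict) -> list[str]:
    """Collect every Action string from Allow statements."""
    actions: list[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.extend([act] if isinstance(act, str) else act)
    return actions


def grants(actions: list[str], wanted: str) -> bool:
    """True if any granted action pattern ('*', 'iam:*', 's3:Get*') covers `wanted`."""
    return any(fnmatch.fnmatchcase(wanted.lower(), a.lower()) for a in actions)


def find_privesc_risks(policy: dict) -> list[str]:
    """Return human-readable findings for one policy document."""
    actions = allowed_actions(policy)
    findings = []
    for a in actions:
        if a == "*" or a.endswith(":*"):
            findings.append(f"wildcard action grant: {a}")
    for label, combo in PRIVESC_COMBOS.items():
        if all(grants(actions, w) for w in combo):
            findings.append(f"privilege escalation path: {label}")
    return findings


if __name__ == "__main__":
    for name, pol in (("overly permissive", OVERLY_PERMISSIVE),
                      ("least privilege", LEAST_PRIVILEGE)):
        print(name, find_privesc_risks(pol))
```

Point it at the output of `aws iam get-policy-version` (or the inline policies ScoutSuite has already collected) and you get the same short list of leads WeirdAAL's recon would hand you, minus the API calls.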

DigitalOcean

We’re getting pretty fringe here, but I never executed a red team op without it. Though primarily a cloud provider, DigitalOcean is your one-stop server shop. Need to host an evilginx server to MiTM? Done. Need to phish 1,000 targets? No problem. DigitalOcean’s simplicity makes it an ideal environment for not only hosting all your nefarious resource needs but also building pentesting labs and simulations.

While AWS, Azure and GCP dominate the cloud space, I find DigitalOcean to be clean cut, low cost, and straightforward without 20 screens and 100 options to configure before launching resources. This allows pentesters to quickly spin up isolated environments to test tools like Pacu or WeirdAAL. It’s also Terraform friendly.

Use case: Use Terraform templates to quickly and easily spin up C2 infrastructure.
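One way to do that Terraform step, as an added example that is not from the article or from DigitalOcean: a single droplet plus a cloud firewall that admits SSH only from the operator's own address and HTTPS from anywhere. The region, size, image, droplet name, and operator CIDR are assumptions to adjust; the API token and SSH key fingerprint come in as variables.

```hcl
# Added example, not from the article: one DigitalOcean droplet as a C2 /
# redirector host, fenced by a cloud firewall. Region, size, image, name and
# the operator CIDR below are assumptions; change them for your engagement.
terraform {
  required_providers {
    digitalocean = {
      source = "digitalocean/digitalocean"
    }
  }
}

variable "do_token"        { sensitive = true }   # DO API token, never in source
variable "ssh_fingerprint" {}                      # fingerprint of a key already uploaded to DO
variable "operator_cidr"   { default = "203.0.113.10/32" }  # assumed operator egress IP

provider "digitalocean" {
  token = var.do_token
}

resource "digitalocean_droplet" "c2" {
  name     = "c2-redirector"
  image    = "ubuntu-22-04-x64"
  region   = "nyc3"
  size     = "s-1vcpu-1gb"
  ssh_keys = [var.ssh_fingerprint]
}

# Only the operator can reach SSH; implants reach 443 from anywhere.
resource "digitalocean_firewall" "c2" {
  name        = "c2-operator-ssh-public-https"
  droplet_ids = [digitalocean_droplet.c2.id]

  inbound_rule {
    protocol         = "tcp"
    port_range       = "22"
    source_addresses = [var.operator_cidr]
  }
  inbound_rule {
    protocol         = "tcp"
    port_range       = "443"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }
  outbound_rule {
    protocol              = "tcp"
    port_range            = "1-65535"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
  outbound_rule {
    protocol              = "udp"
    port_range            = "53"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
}

output "c2_ip" {
  value = digitalocean_droplet.c2.ipv4_address
}
```

`terraform init && terraform apply`, point your listener's DNS at the `c2_ip` output, and `terraform destroy` when the engagement closes so the box does not outlive the authorization letter.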

GoPhish

GoPhish is an open-source phishing framework that lets you simulate phishing attacks, gather metrics, and track user interactions. It's easy to set up, and each campaign produces detailed reports: how many emails were delivered to inboxes (and which errored out), how many users opened them, clicked links, and entered credentials.

Red teams may bypass GoPhish due to its perceived lack of sophistication compared to more complex commercial tools, but its lightweight, open-source nature makes it perfect for rapid deployment and minimal resource requirements. It’s also great for teams who want to scale phishing campaigns without the overhead of larger frameworks. The fact that it’s underrated is more a matter of preference and perception — teams assume “more robust” means “better,” but in this red teamer’s opinion, GoPhish strikes a sweet balance between simplicity and efficiency.

Use case: Run a simulated phishing campaign carrying a Word document with a macro that executes when the document is opened, and measure how many recipients open the attachment and enable the macro.

Infection Monkey

Infection Monkey by Guardicore (now part of Akamai) is a breach and attack simulation tool that tests your network's ability to handle one thing: lateral movement. It doesn't mimic malware; it is malware, which makes it both scary and exciting. But it's malware with a single goal: move and copy. It tries a range of lateral movement and privilege escalation techniques, propagates, and repeats.

Infection Monkey is hands down one of the best worms I’ve ever seen in action. It’s user-friendly, quick to spin up, and to my knowledge, there’s nothing else like it out there — but I don’t hear anyone talking about it. This tool is a beast for a few reasons: it builds an attack tree as it moves through your environment, showing each hop and compromise in real-time. You can literally watch the path it takes and know exactly which technique succeeded at each step, which makes targeted remediation a breeze. And when it comes to reporting, it doesn’t just stop at MITRE ATT&CK, it also aligns with zero trust principles. That’s a big deal because with so many organizations diving headfirst into zero trust without really understanding it, Infection Monkey lets you actually test granular access controls and segmentation, giving you definitive baselines.

Use case: Set it off on literally one box anywhere in the environment and watch it do its frightening magic.

Atomic Red Team

Atomic Red Team (ART), developed by Red Canary, is a collection of scripted tests that map directly to MITRE ATT&CK techniques. It can be run through PowerShell or shell executors and lets pentesters (or defenders) simulate specific attack behaviors, but its power is in the sheer number of tests available: well over a thousand atomic tests covering hundreds of ATT&CK techniques and sub-techniques.

I don’t hear many pentesters using Atomic Red Team, but almost every purple teamer I know relies on it. The reason? Even though it’s scripted and signature-based, plenty of EDR solutions still miss these techniques — despite them being well-known and published. The beauty of Atomic Red Team is that you can throw a whole arsenal of techniques at a system and quickly gauge how well your controls are holding up. Or you can zoom in on individual techniques and sub-techniques, and because it’s modular, you can run these over and over to fine-tune detection, tweak rules, and make sure things are blocked, alerting properly, or showing up in your telemetry.

Use case: Atomic Red Team carries behaviors, not weaponized exploits, so you won't reproduce Double Kill (CVE-2018-8174) itself. Instead, work through the techniques that surround a browser exploit and test the defenses around it: T1203 – Exploitation for Client Execution, T1176 – Browser Extensions, T1068 – Exploitation for Privilege Escalation, and T1133 – External Remote Services.

Stratus Red Team

Stratus Red Team by Datadog focuses on cloud-native adversary emulation. It covers AWS, Azure, GCP, and Kubernetes, with AWS the most heavily represented. Atomic Red Team, mentioned above, covers a wide array of endpoint environments; Stratus hones in on the unique challenges posed by cloud-native architectures, making it an attractive option for organizations embedded in AWS.

Almost nobody outside heavy cloud CI/CD has heard of it, but the pros running cloud-native and containerized (Kubernetes) workloads, especially in DevOps-heavy organizations, rely on it because it exercises cloud-specific attack vectors that traditional security tools overlook. Each technique has a warm-up, detonate, and cleanup phase, so what it leaves behind is a trail of API calls for your detection engineering rather than a mess. Cloud misconfigurations are among the leading causes of breaches, and Stratus narrows the focus by targeting those weaknesses directly.

Use case: Simulate adversary behavior against Amazon EKS clusters with Stratus Red Team's Kubernetes techniques, which create or modify pods and other workloads to gain access or escalate privileges in a misconfigured cluster. (The EKS-focused coverage was contributed by community user Dakota Riley.)

GD-Thief

Ever been lost in the maze of Google Drive, overwhelmed by endless files, folders, and subfolders, wishing you could just "ls -l" them all? Enter GD-Thief. It is an open-source tool that enumerates and pulls files from a Google Drive that the account you hold can reach, including anything shared too broadly. It's ideal for discovery and situational awareness on documents, spreadsheets, or other sensitive data left in shared drives.

For cloud OSINT, Google Drive is a treasure trove of information, if you can find it. While tools like SpiderFoot provide broader OSINT capabilities, GD-Thief gives pentesters a targeted way to enumerate specific cloud storage assets.

Use case: Use GD-Thief to scrape publicly accessible files that could reveal credentials or internal documents, potentially leading to further exploitation.

DVWA (Damn Vulnerable Web Application)

DVWA is a deliberately vulnerable web application designed to provide a safe space for security professionals and aspiring pentesters to practice and refine their web application penetration testing skills. It has multiple levels of vulnerability (low, medium, high, and impossible) to help users test a wide range of skills including SQL injection, cross-site scripting (XSS), file inclusion, and command injection.

While widely known from boot camps and training classes, DVWA is often overlooked by more experienced pentesters who turn to more complex targets. It remains a relevant platform for testing and refining skills, from beginner through advanced operator. DVWA is also self-hosted, which lowers the odds that you scope creep or test something you're not permitted to touch (bug bounty and vulnerability disclosure programs, anyone?). Any hypervisor or container runtime can host it.

Use case: Practice OS command injection in DVWA's "Command Injection" module, where the ping form passes user input straight into a shell command. Inject a second command after the IP address and escalate from a ping to arbitrary command execution on the web server. This is a training exercise built into DVWA, not a CVE, and it shows exactly how attackers gain remote control over web servers that shell out with unsanitized input.
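The bug DVWA's Command Injection module exposes, rebuilt as an added example in Python rather than DVWA's own PHP so the mechanism and the fix sit side by side. `echo` stands in for `ping` so it runs without network access; the deny-list version mirrors the kind of filter DVWA's medium security level applies and shows why a filter is not a fix.

```python
"""Added example, not DVWA's own PHP: the ping form from DVWA's Command
Injection module rebuilt in Python. `echo` stands in for `ping` so the
script runs offline; the injection mechanics are identical.
"""
import ipaddress
import subprocess


def _run_shell(cmd: str) -> str:
    # shell=True hands the whole string to /bin/sh, so ';', '|', '&&' and
    # backticks inside the user-supplied part become new commands.
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def ping_vulnerable(target: str) -> str:
    """Low security: the form value is concatenated straight into the command."""
    return _run_shell(f"echo pinging {target}")


def ping_blacklist(target: str) -> str:
    """Medium-style deny list: strips '&&' and ';' but forgets '|', '||' and $()."""
    for bad in ("&&", ";"):
        target = target.replace(bad, "")
    return _run_shell(f"echo pinging {target}")


def ping_hardened(target: str) -> str:
    """Allow-list the value as an IP address, then pass it as its own argv entry."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return "rejected: not an IP address"
    # No shell is involved, so the target can only ever be a single argument.
    return subprocess.run(["echo", "pinging", str(ip)],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    for payload in ("127.0.0.1", "127.0.0.1; id", "127.0.0.1 | id"):
        print(repr(payload))
        print("  low:      ", ping_vulnerable(payload).strip().replace("\n", " / "))
        print("  medium:   ", ping_blacklist(payload).strip().replace("\n", " / "))
        print("  hardened: ", ping_hardened(payload).strip())
```

The deny-list function is the lesson: `;` is gone, so `127.0.0.1; id` is harmless, but `127.0.0.1 | id` still runs `id`. Only the allow-list plus argv form closes the hole.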

Hackazon

Hackazon is another vulnerable web application, designed to simulate a real-world e-commerce site built on modern web technologies. Originally from NT OBJECTives and now maintained under Rapid7, it provides a realistic environment for testing vulnerabilities commonly found in dynamic web applications, including RESTful API misconfigurations, SQL injection, XSS, and client-side vulnerabilities. Hackazon is excellent for mimicking the complexity of the web apps organizations actually run today.

Hackazon replicates a full, real-world dynamic shopping site with various modern vulnerabilities that aren’t always found in other training environments, but it’s often overshadowed by DVWA and other vulnerable web apps due to its more complex setup. But if you’re looking to beef up on API and client-side skills, it’s a great place to start. 

Use case: Hackazon can be used to practice SQL injection against the application's product search. Inject SQL through the search form to pull data from tables you were never meant to read, such as customer records and payment details. These are built-in training flaws rather than CVEs. The application's API also makes it an ideal platform for API-based testing: broken authorization and missing input validation on JSON endpoints.
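A product search built the way a vulnerable shop builds it, as an added example (not Hackazon's code) against an in-memory SQLite database, with the parameterized version beside it. The tables, rows, and card values are constructed; the payloads are the two a tester tries first from the search box.

```python
"""Added example (not Hackazon's own code): string-built product search
versus a bound-parameter search, on a constructed SQLite database.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed shop schema: products plus a table the search must never expose."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (name TEXT, price INTEGER);
        CREATE TABLE customers (email TEXT, card_last4 TEXT);
        INSERT INTO products VALUES ('laptop', 999), ('lamp', 25), ('mouse', 19);
        INSERT INTO customers VALUES ('a@example.com', '4242'), ('b@example.com', '0005');
    """)
    return db


def search_vulnerable(db: sqlite3.Connection, term: str) -> list:
    """Search term interpolated into the SQL text: the term becomes part of the query."""
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return db.execute(sql).fetchall()


def search_safe(db: sqlite3.Connection, term: str) -> list:
    """Bound parameter: the driver ships the term as data, never as SQL."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return db.execute(sql, (f"%{term}%",)).fetchall()


# Payloads typed into the search box.
TAUTOLOGY = "' OR '1'='1"   # closes the quote; LIKE '%' matches every product
# Closes the LIKE, appends a second SELECT with the same column count, comments out the tail.
UNION_DUMP = "x%' UNION SELECT email, card_last4 FROM customers --"


if __name__ == "__main__":
    db = build_db()
    for payload in ("lap", TAUTOLOGY, UNION_DUMP):
        print(repr(payload))
        print("  vulnerable:", search_vulnerable(db, payload))
        print("  safe:      ", search_safe(db, payload))
```

The UNION payload is the one that matters on a shop: it never needs the products table to contain a match, it just needs the column count to line up, and then the customers table comes back through the search results.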

