When a Patch Becomes a Liability

In May 2023, Progress Software's MOVEit Transfer platform became ground zero for one of the year's most damaging supply chain attacks. The vulnerability, CVE-2023-34362, was an unauthenticated SQL injection flaw in the file transfer application's web interface: crafted requests reached the backend database, and from there attackers were able to pull files straight off the server.

Here's what makes this infuriating: the flaw was exploited as a zero-day. Cl0p's mass exploitation began over the last weekend of May 2023, before Progress had shipped a fix; the advisory and patch followed on May 31. Later forensic analysis found evidence that attackers had been probing the flaw long before disclosure. Many organizations then took days or weeks to patch, and the attackers did not wait. Cl0p claimed responsibility, and by the time the dust settled they had breached over 2,500 organizations across finance, healthcare, and government.

The math is simple. A classic injection flaw in an internet-facing web interface is exactly what an automated web scanner is built to find. Continuous, automated testing against those instances would have exercised the same endpoints the attackers did, and could have surfaced the flaw before the exploit was in the wild instead of after.

The Attack Chain Nobody Tested For

CVE-2023-34362 works through a relatively straightforward chain. An unauthenticated request to the MOVEit Transfer web interface could carry input that was concatenated into a database query rather than passed as a bound parameter. In the observed attacks that injection was used to gain access to the MOVEit database, then to plant a web shell on the server, which gave the attackers a way to enumerate and download the files the instance held.

What makes this worse? It's not a new vulnerability class. Injection has been in the OWASP Top 10 in every edition for two decades. Any modern pentesting tool worth its salt should be checking for it automatically: hundreds of payload variants against every parameter of every endpoint, in raw, URL-encoded, and double-encoded forms, with an oracle that watches the response for the difference between a rejected input and a query whose structure the input changed.
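Here is the kind of variant testing that paragraph describes, as an added example that is not MOVEit code or any vendor's scanner. It stands up a constructed in-process target with two classic injection-class weaknesses, a file download that builds a path from user input and a user lookup that pastes input into SQL, and replays each payload raw, URL-encoded and double-URL-encoded against the vulnerable and the hardened handlers. The document root, the fake filesystem, the user table and the payload lists are all assumptions made for the example.

```python
"""Toy automated-variant tester for two injection-class flaws.

Constructed example: the target below stands in for any web app that serves
files and looks up users; it is not MOVEit Transfer code. The scanner replays
each payload in raw, URL-encoded and double-URL-encoded form.
"""
import os
import sqlite3
import urllib.parse

BASE_DIR = "/srv/files"  # assumed document root of the toy app

# Constructed in-memory "filesystem" so the example runs offline.
FAKE_FS = {
    "/srv/files/report.pdf": b"quarterly report",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh",
}

# Constructed user table for the SQL injection half of the example.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE users (name TEXT, role TEXT)")
_db.executemany("INSERT INTO users VALUES (?, ?)",
                [("alice", "user"), ("admin", "sysadmin")])


def _decode(raw_param):
    """The toy app URL-decodes a parameter exactly once, like a typical web server."""
    return urllib.parse.unquote(raw_param)


# ---- vulnerable handlers ----
def download_vuln(raw_name):
    """Path traversal: '..' segments and absolute names escape BASE_DIR unchecked."""
    full = os.path.normpath(os.path.join(BASE_DIR, _decode(raw_name)))
    return FAKE_FS.get(full)


def lookup_vuln(raw_name):
    """SQL injection: user input is pasted straight into the query text."""
    name = _decode(raw_name)
    return _db.execute(f"SELECT name, role FROM users WHERE name = '{name}'").fetchall()


# ---- hardened handlers ----
def download_fixed(raw_name):
    """Normalize first, then refuse any path that does not stay under BASE_DIR."""
    full = os.path.normpath(os.path.join(BASE_DIR, _decode(raw_name)))
    if os.path.commonpath([BASE_DIR, full]) != BASE_DIR:
        raise PermissionError(f"path escapes document root: {full}")
    return FAKE_FS.get(full)


def lookup_fixed(raw_name):
    """Parameterized query: the input can never change the SQL structure."""
    return _db.execute("SELECT name, role FROM users WHERE name = ?",
                       (_decode(raw_name),)).fetchall()


# ---- the automated tester ----
def variants(payload):
    """Raw, URL-encoded and double-URL-encoded forms of one payload."""
    once = urllib.parse.quote(payload, safe="")
    return {"raw": payload, "url": once, "double-url": urllib.parse.quote(once, safe="")}


def scan(handler, payloads, is_hit):
    """Replay every payload variant against a handler and return the (payload, encoding)
    pairs whose response satisfies the oracle. An exception is treated as a rejection."""
    findings = []
    for payload in payloads:
        for encoding, value in variants(payload).items():
            try:
                response = handler(value)
            except Exception:
                continue
            if is_hit(response):
                findings.append((payload, encoding))
    return findings


TRAVERSAL_PAYLOADS = ["../../etc/passwd", "/etc/passwd"]  # assumed probe list
SQLI_PAYLOADS = ["' OR '1'='1", "' OR 1=1--"]             # assumed probe list


def traversal_hit(response):
    """Oracle: the download handed back a file outside the document root."""
    return response == FAKE_FS["/etc/passwd"]


def sqli_hit(rows):
    """Oracle: a name that does not exist in the table still returned rows."""
    return len(rows) > 0


def run_all():
    """Scan the vulnerable and fixed handlers; returns finding lists keyed by target."""
    return {
        "download_vuln": scan(download_vuln, TRAVERSAL_PAYLOADS, traversal_hit),
        "download_fixed": scan(download_fixed, TRAVERSAL_PAYLOADS, traversal_hit),
        "lookup_vuln": scan(lookup_vuln, SQLI_PAYLOADS, sqli_hit),
        "lookup_fixed": scan(lookup_fixed, SQLI_PAYLOADS, sqli_hit),
    }


if __name__ == "__main__":
    for target, hits in run_all().items():
        print(f"{target}: {len(hits)} hit(s) {hits}")
```

Two things worth noticing in the output. The double-URL-encoded variants never land against this target, because it decodes once; a stack that decodes twice would turn exactly those variants into hits, which is why a scanner sends the whole family rather than one canonical payload. And the oracle is a content check, not an error check: `scan` treats exceptions as rejections, so an error-based injection would need a second oracle that inspects the failure.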

But here's the thing: manual penetration testing happens once or twice a year, if you're lucky. A security team does a test, writes a report, and then everyone goes back to work. Six months later, a developer introduces a subtle change that reintroduces the flaw, and nobody knows until attackers demonstrate it in production.

Automated pentesting changes this equation. Continuous scanning with AI-driven agents can test thousands of attack vectors on every deploy, not just the obvious single-request checks but exploitation chains that string several findings together. Tools that draw on the public CVE record and documented exploit techniques catch the regressions that a report written six months ago never will.

What Would've Happened With Continuous Testing

Imagine a pentesting platform with deep knowledge of injection variants, OWASP Top 10 attack patterns, and the ability to chain findings into realistic exploitation paths. It would have exercised the MOVEit web interface continuously, probing every parameter of every endpoint. Within days, not months, it would have flagged an unauthenticated SQL injection as a critical finding (CVE-2023-34362 was later scored 9.8 on CVSS), provided a proof-of-concept request, and recommended immediate remediation.

Organizations using tools like this would have had actionable intelligence weeks before Cl0p exploited the flaw at scale. A finding for a flaw the vendor has not yet fixed is still actionable: restrict HTTP and HTTPS access to the instance (which is what Progress's own May 31 mitigation advice came down to), watch the web server logs for the probing pattern, and open a case with the vendor. Incident response plans could have been activated, and for any given organization the breach could have been prevented.

The sobering reality? This technology exists now. Platforms with AI agents trained on the CVE record and equipped with 200+ attack modules can scan AWS, Azure, and on-premises infrastructure continuously. They handle OWASP Top 10 vulnerabilities (SQLi, XSS, SSRF, path traversal, IDOR) and chain them into real-world exploitation scenarios, using residential IP addresses so the scan traffic looks like what a real attacker would send.

MOVEit didn't need perfection. It just needed someone running automated pentesting before the attackers did. That's the lesson here: waiting for an annual security assessment is frankly absurd in 2024. You can start testing your own environment right now and see exactly what an attacker would find in the first 24 hours.