Best Penetration Testing Tools (2026): A Toolkit by Phase
Key takeaways
- Penetration testing tools map to the phases of an engagement: reconnaissance, scanning & enumeration, exploitation, post-exploitation, and reporting. No single tool covers all of them — pen testers assemble a toolkit.
- The industry-standard reference is PTES (Penetration Testing Execution Standard), with a widely used condensed five-phase model.
- Most core tools are free and open source — Nmap, Wireshark, Metasploit Framework, sqlmap, ZAP, Nikto, Nuclei, John the Ripper, Hashcat, Aircrack-ng. Paid tiers (Burp Suite Professional, Metasploit Pro) add automation and reporting.
- Before you can test an asset, you have to find it. External attack-surface tools like Secably support the reconnaissance and scanning phase by discovering and continuously monitoring your internet-facing exposure.
- Choose tools by the phase and target you are testing (web app, network, wireless, credentials), not by brand.
Penetration testing is not one activity — it is a sequence of phases, and each phase has its own specialist tools. Trying to pick "the best penetration testing tool" is the wrong question; the right one is which tool fits the phase and target you are working on. A web-app tester reaches for a proxy like Burp Suite or ZAP; a network tester leans on Nmap and Metasploit; a credential attack needs Hashcat or John the Ripper.
This guide organizes the most widely used penetration testing tools in 2026 by engagement phase, so you can build a complete toolkit rather than a random pile of downloads. Nearly all of them are free and open source; where a tool has a paid tier, we say so honestly and avoid quoting prices that shift year to year.
The phases of a penetration test
The authoritative framework is the Penetration Testing Execution Standard (PTES), which defines seven phases: pre-engagement, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. Most practitioners use a condensed five-phase model day to day:
- Reconnaissance — gather information and map the target's attack surface (domains, subdomains, hosts, exposed services).
- Scanning & enumeration — actively probe for open ports, running services, and potential vulnerabilities.
- Exploitation — attempt to confirm and leverage weaknesses to gain access.
- Post-exploitation — escalate privileges, move laterally, crack credentials, and assess impact.
- Reporting — document findings, evidence, and remediation guidance.
The tools below are grouped by where they fit in that flow.
Reconnaissance & attack surface mapping
Secably — external attack surface discovery & monitoring
Secably supports the reconnaissance and scanning phase by mapping what a target exposes to the internet: domains, subdomains, open ports, exposed services, and common web-application issues — then monitoring that surface continuously so new exposure gets caught. It is a scanning and asset discovery tool, not an exploitation framework, so it fits cleanly at the front of an engagement (and in ongoing security programs between tests).
Phase: reconnaissance / scanning & enumeration. Pricing: free scanning tools with no signup; Pro from $19/month and Agency from $49/month for unlimited scans, full port ranges, deep scanning, API, and scheduled monitoring (see pricing).
Nmap
Nmap is the classic free network scanner: host discovery, port scanning, and service and OS detection, with a scripting engine (NSE) for deeper checks. It is a reconnaissance and enumeration workhorse — every network tester uses it. Note it is a mapping tool, not a full vulnerability scanner.
Phase: reconnaissance / scanning. License: free, open source.
Wireshark
Wireshark is the standard network packet analyzer. It captures and dissects traffic at the protocol level, which is invaluable for understanding a network, spotting cleartext credentials, and debugging exploits. It analyzes traffic rather than attacking systems, so it spans reconnaissance and post-exploitation traffic analysis.
Phase: reconnaissance / traffic analysis. License: free, open source (GPLv2).
Scanning & enumeration / vulnerability analysis
Nuclei
Nuclei, from ProjectDiscovery, is a fast, template-based scanner driven by a YAML DSL and 12,000+ community templates covering web apps, APIs, network services, DNS, and cloud misconfigurations. Its speed and scriptability make it popular for automation and CI/CD security checks.
Phase: scanning / vulnerability analysis. License: free, open source (MIT); an optional paid ProjectDiscovery cloud platform is separate.
OpenVAS / Greenbone
OpenVAS is the scanner engine inside Greenbone Vulnerability Management, distributed free as the Greenbone Community Edition. It is the leading open-source network vulnerability scanner and a common free alternative to commercial products like Nessus.
Phase: vulnerability analysis. License: free (Community Edition); commercial Greenbone Enterprise appliances and feed available on subscription.
ZAP (formerly OWASP ZAP)
ZAP is a free web-application dynamic scanner and intercepting proxy — the leading open-source alternative to Burp Suite. Note the project has changed stewardship: it left OWASP and the core team joined Checkmarx in 2024, so it is now branded "ZAP by Checkmarx," while remaining free and open source.
Phase: scanning / web-app testing. License: free, open source (Apache-2.0).
Nikto
Nikto is a fast web-server scanner that checks for outdated software, dangerous files, and common misconfigurations. It is noisy and not stealthy, but excellent for quick coverage of a web server during enumeration.
Phase: scanning / web enumeration. License: free, open source (GPL).
Exploitation
Metasploit
Metasploit is the de facto standard exploitation framework. The open-source Metasploit Framework provides a huge library of exploits, payloads, and auxiliary modules; Metasploit Pro (from Rapid7) adds automation, reporting, social-engineering campaigns, and collaboration.
Phase: exploitation / post-exploitation. License: Framework free and open source (BSD-style); Metasploit Pro is commercial, quote-based.
Burp Suite
Burp Suite from PortSwigger is the industry-standard web-application testing platform — an intercepting proxy plus a suite of manual and automated tools. The Community edition is free with manual tools; Professional adds the full toolkit and scanner; Enterprise runs org-wide automated DAST.
Phase: web-app scanning / exploitation. License: Community free; Professional is a paid per-user annual subscription; Enterprise is quote-based. (PortSwigger adjusted pricing in early 2026 — check the vendor for the current figure.)
sqlmap
sqlmap automates the detection and exploitation of SQL injection flaws, including database fingerprinting, data extraction, and, where possible, command execution. It is the standard tool for turning a suspected injection point into confirmed impact.
Phase: exploitation (web/database). License: free, open source (GPLv2).
Post-exploitation & credential attacks
John the Ripper
John the Ripper is a long-standing password and hash cracker with wide format support, best known for flexible CPU-based cracking. The community "Jumbo" build extends its format coverage significantly.
Phase: post-exploitation (credential attacks). License: free, open source (core GPLv2); a paid Pro build also exists.
Hashcat
Hashcat is the fastest GPU-accelerated password cracker, supporting a vast range of hash types and attack modes. Where John excels at flexibility, Hashcat excels at raw speed on modern GPUs.
Phase: post-exploitation (credential attacks). License: free, open source (MIT).
Wireless testing
Aircrack-ng
Aircrack-ng is a complete suite for Wi-Fi (802.11) security auditing: packet capture, handshake collection, and WEP/WPA/WPA2 key cracking. It is the standard toolkit for wireless penetration testing.
Phase: reconnaissance / exploitation (wireless). License: free, open source (GPLv2).
The platform: Kali Linux
Kali Linux
Kali Linux is not a single tool but a Debian-based Linux distribution from OffSec that bundles 600+ penetration testing tools — including most of those above — in one ready-to-use workstation. It is the most common starting point for a pentest environment.
Phase: all (platform). License: free to download and use.
Penetration testing tools compared
| Tool | Primary phase | Category | License / pricing |
|---|---|---|---|
| Secably | Recon / scanning | External attack surface scanner | Free tools; Pro $19/mo, Agency $49/mo |
| Nmap | Recon / scanning | Network scanner | Free, open source |
| Wireshark | Recon / traffic analysis | Packet analyzer | Free (GPLv2) |
| Nuclei | Scanning | Template-based scanner | Free (MIT); optional paid cloud |
| OpenVAS / Greenbone | Vulnerability analysis | Network vuln scanner | Free (Community); paid Enterprise |
| ZAP | Scanning | Web-app DAST proxy | Free (Apache-2.0) |
| Nikto | Scanning | Web-server scanner | Free (GPL) |
| Metasploit | Exploitation | Exploit framework | Framework free; Pro quote-based |
| Burp Suite | Web-app testing | Proxy + scanner | Community free; Pro/Enterprise paid |
| sqlmap | Exploitation | SQL injection tool | Free (GPLv2) |
| John the Ripper | Post-exploitation | Password cracker (CPU) | Free (GPLv2); paid Pro |
| Hashcat | Post-exploitation | Password cracker (GPU) | Free (MIT) |
| Aircrack-ng | Wireless | Wi-Fi auditing suite | Free (GPLv2) |
| Kali Linux | All (platform) | Pentest distribution | Free |
How to choose your penetration testing toolkit
Pick by phase and target, not by hype:
- Start with reconnaissance. You cannot test what you have not found. Map the attack surface first with Nmap and an asset discovery pass — run a subdomain finder and port scan to see what is actually exposed.
- Match the target. Web app? Burp Suite or ZAP, plus sqlmap and Nikto. Network? Nmap and Metasploit. Wireless? Aircrack-ng. Credentials? Hashcat or John the Ripper.
- Prefer open source to learn. The free tools above are the same ones professionals use daily — start there before paying for automation you may not need yet.
- Automate the boring parts. Nuclei templates and scheduled scanners handle repetitive coverage so manual effort goes where it matters.
Where Secably fits
Secably is honest about its lane: it is a reconnaissance and scanning tool, not an exploitation framework. It finds and continuously monitors your internet-facing attack surface — the exposed assets a pen tester (or attacker) would map first — and flags common vulnerabilities. It does not weaponize those findings; confirming exploitability is the job of tools like Metasploit, Burp Suite Professional, and sqlmap.
That makes it a strong fit for the front of an engagement and for the gaps between formal pen tests, when you still need to know what you are exposing. You can run a free scan now — no signup required — and add continuous monitoring when you need it.
Map your attack surface before you test it
Run a free external scan to see the domains, ports, and exposures an attacker would find first.
Start a free scanFrequently asked questions
What are the main phases of penetration testing?
The authoritative framework is PTES, with seven phases: pre-engagement, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. In day-to-day practice most testers use a condensed five-phase model: reconnaissance, scanning & enumeration, exploitation, post-exploitation, and reporting.
What are the best free penetration testing tools?
Most core pentest tools are free and open source: Nmap (network scanning), Wireshark (packet analysis), Metasploit Framework (exploitation), sqlmap (SQL injection), ZAP (web-app scanning), Nuclei (template scanning), Nikto (web-server scanning), John the Ripper and Hashcat (password cracking), and Aircrack-ng (Wi-Fi). Kali Linux bundles most of them for free.
What is the difference between a vulnerability scanner and a penetration testing tool?
A vulnerability scanner finds and reports potential weaknesses (theoretical exposure). A penetration test goes further, using exploitation tools to confirm whether those weaknesses are actually exploitable and what the impact would be. Scanners like Secably, OpenVAS, and Nuclei support the discovery and analysis phases; frameworks like Metasploit and Burp Suite Professional handle exploitation.
Do I need Kali Linux to run these tools?
No, but it helps. Kali Linux is a free Debian-based distribution that pre-installs 600+ pentest tools, saving setup time. You can also install individual tools on other systems, and browser-based scanners like Secably need no installation at all.
Is an attack surface scanner a penetration testing tool?
It supports the reconnaissance and scanning phases of a penetration test — mapping and monitoring internet-facing exposure — but it is not a full pentest suite. It finds and prioritizes exposure; it does not exploit it. Use it to feed an engagement (or to watch your attack surface continuously between tests), alongside dedicated exploitation tools.
Check your site for vulnerabilities
Run a free security scan — no signup, results in seconds.
Related Posts
Continuous Vulnerability Scanning: What It Is and How to Do It Right
Tenable Alternatives (2026): 7 Vulnerability Scanning Tools Compared