ForestGuardian vs. Penetration Testing: The Missing Layer Between Penetration Tests

Penetration tests prove what an attacker can do at a point in time. ForestGuardian keeps identity risk visible between tests as environments change.

One question that comes up in almost every conversation we have: Does ForestGuardian replace penetration testing? It doesn’t, and honestly, we’d push back on any vendor that claimed their product did. But that framing, replace or don’t replace, misses the more useful question: what are the strengths of each approach, and how do they fit together in a real security program?

What a Pentest Is Actually Doing

A penetration test asks a very specific question: given this starting point, how far can a skilled attacker move through this environment during this window of time? Experienced operators chain together misconfigurations, overprivileged accounts, exposed services, and business logic gaps to see how close they can get to the things that matter most: domain controllers, financial systems, R&D information, and customer data.

The output, when it’s done well, is a narrative. Not a list of CVEs (Common Vulnerabilities and Exposures), but a story: here’s how the team moved from a consultant’s laptop or device on the network to Domain Admin, here’s what we touched along the way, and here’s what stopped us and what didn’t. That story is what actually lands with executives and boards. It answers the “so what?” in a way that a spreadsheet of findings simply doesn’t.

None of that is replaceable, and we’re not trying to replace it. But manual testing has an inherent constraint that no amount of skilled human effort can overcome: it’s a point-in-time assessment. The engagement ends, the report goes out, and the environment keeps changing underneath you. New accounts are created, groups are adjusted to address some access problems a business unit raised, GPOs are tweaked, and cloud integrations are added. By the time the next test starts, you’re assessing a meaningfully different environment than the one in last year’s report, and nobody formally documented what changed between assessments.

Manual testing is expensive and often at least mildly disruptive, so most organizations can only justify running these engagements once or maybe twice a year. That’s a long time without structured visibility into how identity risk is drifting.

The Automated Pentest Gap

Automated attack simulation tools try to close some of that gap, and the idea makes sense: run scheduled checks, replay known attack paths, make sure the remediations you put in place are holding. These tools are genuinely useful for a specific purpose: validating that a particular condition that was true before is still true today. If you closed a known attack chain last quarter, they can help you verify it’s still closed.

What they can’t do is tell you much about what’s changed in ways they weren’t explicitly programmed to look for. They lean on signatures and predefined scenarios, and real Active Directory environments are complicated in ways that don’t always map cleanly into scripted playbooks. You also still end up with snapshots, knowing what was true at the time of the last run, not how the environment has been shifting day by day. At their worst, these tools produce output that feels more like scanner noise than a coherent picture of where the actual risk lies.

What ForestGuardian Does

ForestGuardian approaches this from a completely different angle. Rather than simulating an attacker on a schedule, it continuously models the identity layer, specifically Microsoft Active Directory and Entra ID, and tracks how that structure changes over time.

The narrow focus is intentional. ForestGuardian isn’t trying to do broad infrastructure scanning. It’s building a structural model of identities, groups, permissions, and their relationships, then asking: what paths exist from this account to that critical resource, and what changed to create or close them? That question gets answered continuously, not episodically. When a new group is added, an account’s privileges change, or a trust relationship shifts, ForestGuardian picks it up and updates the model. A security team can look at what’s changed in the last week or month and immediately understand which of those changes actually matter from an attacker’s perspective, without waiting for anyone to schedule an assessment.

It’s also read-only by design. ForestGuardian observes and models; it doesn’t execute anything or touch configurations. That’s not a limitation; it’s what makes it safe to run continuously in production environments without operational risk.
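To make the "structural model plus change tracking" idea concrete, here is a small added illustration of the approach described above. It is example code written for this post, not ForestGuardian's own code or data model: the identity graph is a constructed list of edges, the relation names (MemberOf, GenericAll, ForceChangePassword) are used only as labels, and the account and group names are made up. The example builds a graph from one snapshot, finds whether each principal has a path to a critical group, and then diffs two snapshots to report which principals gained or lost a path and which edge changes caused it. It stays read-only in spirit: it only inspects the snapshots it is given.

```python
from collections import deque

# The set of targets we consider critical. Constructed for this example.
CRITICAL = {"Domain Admins"}

# Snapshot 1 (constructed): each edge is (source, relation, target).
SNAPSHOT_WEEK1 = [
    ("alice", "MemberOf", "Helpdesk"),
    ("Helpdesk", "MemberOf", "Workstation Admins"),
    ("bob", "MemberOf", "Tier0 Ops"),
    ("Tier0 Ops", "MemberOf", "Domain Admins"),
    ("svc_backup", "GenericAll", "Tier0 Ops"),  # ACL-style edge
]

# Snapshot 2 (constructed): a single business-driven change, Helpdesk is
# granted password-reset rights over bob to "unblock" a support ticket.
SNAPSHOT_WEEK2 = SNAPSHOT_WEEK1 + [
    ("Helpdesk", "ForceChangePassword", "bob"),
]

# Snapshot 3 (constructed): a remediation, the service account's ACL edge is removed.
SNAPSHOT_WEEK3 = [e for e in SNAPSHOT_WEEK2 if e[0] != "svc_backup"]


def build_graph(edges):
    """Adjacency list: node -> list of (relation, neighbour). Every node gets an entry."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
        adj.setdefault(dst, [])
    return adj


def find_path(adj, start, targets):
    """Breadth-first search from `start` to any node in `targets`.

    Returns the path as a list of (node, relation, node) hops, or None if no
    path exists. A start node that is itself a target yields an empty path.
    """
    if start in targets:
        return []
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in adj.get(node, []):
            if nxt in prev:
                continue
            prev[nxt] = (node, rel)
            if nxt in targets:
                hops, cur = [], nxt
                while prev[cur] is not None:
                    parent, r = prev[cur]
                    hops.append((parent, r, cur))
                    cur = parent
                return list(reversed(hops))
            queue.append(nxt)
    return None


def reachable_principals(edges, targets):
    """Map every non-target node that can reach a target to its shortest path."""
    adj = build_graph(edges)
    result = {}
    for node in adj:
        if node in targets:
            continue
        path = find_path(adj, node, targets)
        if path is not None:
            result[node] = path
    return result


def diff_exposure(before, after, targets):
    """Compare two snapshots: which principals gained or lost a path, and why."""
    b = reachable_principals(before, targets)
    a = reachable_principals(after, targets)
    return {
        "opened": {n: a[n] for n in a if n not in b},
        "closed": sorted(n for n in b if n not in a),
        "added_edges": sorted(set(after) - set(before)),
        "removed_edges": sorted(set(before) - set(after)),
    }


if __name__ == "__main__":
    for label, old, new in (("week1->week2", SNAPSHOT_WEEK1, SNAPSHOT_WEEK2),
                            ("week2->week3", SNAPSHOT_WEEK2, SNAPSHOT_WEEK3)):
        d = diff_exposure(old, new, CRITICAL)
        print(label)
        for principal, path in d["opened"].items():
            print("  new path:", principal, "->", " -> ".join(f"[{r}] {dst}" for _, r, dst in path))
        for principal in d["closed"]:
            print("  path closed:", principal)
        print("  edges added:", d["added_edges"], "removed:", d["removed_edges"])
```

The point of the diff is the part a scanner snapshot does not give you: the week-two report does not just say "one ACL changed", it says that the change gave every Helpdesk member a four-hop route to Domain Admins, and the week-three report confirms that removing the service account's ACL closed that account's route without affecting anyone else.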

The Part Where They Actually Work Together

ForestGuardian is the ongoing layer that keeps you from flying blind between tests, and penetration testing is what you bring in to validate the most important findings it surfaces.

ForestGuardian tells you which accounts, groups, permissions, and trust relationships create viable paths to critical assets right now, showing you how that picture shifts as everyday changes accumulate. Administrators constantly make changes under business pressure, not because they’re being careless, but because organizations move and access requirements change. ForestGuardian makes that drift visible and puts it in an attacker-relevant context.

When a pentest comes around, teams can use that context to scope it differently. Instead of guessing where to point the testers, you come in with a clear view of which paths exist and which remediations you’re trying to validate. That makes the engagement more useful and makes the findings easier to act on afterward, because you already have the baseline to compare against.

It also helps fix one of the more dysfunctional patterns in security programs: the pre-assessment cram session, where teams scramble in the weeks before an annual test to guess what might be found and patch as much as possible under pressure. When you have continuous visibility into identity risk, that pressure mostly goes away because you’re no longer guessing.

The Business Case for Continuous Identity Security

The way we’d frame it for a business decision-maker is this: penetration testing is a periodic, deep dive into what can go wrong. It belongs in board-level risk conversations, meets regulatory expectations, and produces evidence that shows whether your controls actually hold up under real attack conditions. Nothing replaces that.

ForestGuardian addresses the gap that exists in the other 50-51 weeks of the year, or however long it’s been since the last test. It gives you a continuous, explainable picture of how identities in Active Directory and Entra ID can be abused, and how that exposure is changing as your organization operates. Run them together, and you end up with fewer surprises when tests happen, a better return on both internal and external security resources, and a much clearer line between the everyday changes your IT and identity teams make and the actual risk those changes introduce.