AutoAttack vs Nessus.
Nessus Professional inventories exposures and ranks them. AutoAttack is an autonomous adversary: it exploits, chains, and proves. Black-box on the same GOAD lab, with neither tool given credentials, the gap is total.
| Black-box | Nessus Professional (exposure inventory) | AutoAttack (autonomous adversary) |
|---|---|---|
| Run time | 24m 04s | 2m 37s |
| First Domain Admin | not reached | 0:41 |
| Domains compromised | 0 of 3 | 3 of 3 |
| Credentials recovered | 0 | 124 |
| Confirmed compromise | none | 3 Domain Admin |
Black-box comparison: neither tool was given credentials. Same GOAD vanilla snapshot, same network position, 2026-06-24.
The difference

Different jobs. Nessus inventories exposures and hands you a ranked list. AutoAttack runs the attack and hands you the captured chain. One says what might be reachable; the other proves what is.

0 vs 3 domains. Black-box, no credentials, Nessus reached zero of three domains in 24m 04s. AutoAttack reached Domain Admin on all three in 2m 37s and recovered 124 credentials.

Use both. Exposure inventory and adversary emulation answer different questions. AutoAttack does not replace vulnerability management; it is the proof that a real attacker gets through anyway.