SAINT has been around almost as long as SATAN, the original open source penetration testing tool. In its early days, it was largely a collection of penetration tools, mostly scripts. Today it is a sophisticated combination of vulnerability testing and penetration testing, all well-automated. The tool combines active vulnerability scanning, content scanning, web application scanning, mobile assessments, network device firmware assessments, configuration auditing, penetration testing, social-engineering and reporting, all under a single pane of glass.
We tested the SAINTBox hardware appliance, but you also can get the product as software to install on your own platform. SAINT is and has been a Unix/Linux-based tool. It does run on Macs today, however. One of the things that we've always liked about the product is that it is a very nice mix of vulnerability scanning and penetration testing. Today, although it still maintains that profile, it has broadened and deepened the range of environments it can cover. For all of that, this is a pretty bare-bones, hardcore workhorse and we always have liked it for that. This is a clear case of picking what you do and doing it very well. It is, essentially, a hacker toolkit in a box.
We started out by connecting our console and running the configuration. We rebooted and then went to the SAINT site to generate our key. Key in hand, we browsed to the SAINT web address (for our device) and loaded the key. We were ready for our first scan.
We scanned a list of IP addresses in our deception network. Our list contained both Linux and Windows virtual machines. We had results very quickly. Setting up a scan was quite simple so, if we were into immediate gratification, this would have served nicely. Not bad for a quick-start guide that is only one page long. The user guide is over 400 pages, so there is nothing trivial about SAINT's docs.
We don't have room to go through all of SAINT's customization features - there are a lot - but suffice it to say that you can pretty much create your own preferred scanner/pen testing tool without creating a lot of confusion and pain in the process. Of course, there are scan policies that you can customize, and there is a good set of visualizations that makes analysis easier.
Reporting is equally comprehensive and you can export to CSV or XML files as well as to third-party devices, such as Splunk, Cisco FireSIGHT and QRadar. You can create an exclusion list so that vulnerabilities that have been deemed acceptable risks won't continue to show up in scans. And you can create a quarantine policy that lets you quarantine severely vulnerable devices automatically based on your rule set.
Another nice feature is custom severity sets. This lets you customize severities based on your organization's policies and risk appetite. Documentation is complete, well-illustrated and comprehensive. We ran into no problems that we could not solve by reading the docs. Support is offered at no cost but, if you want, an advanced fee-based support option is available as well.
The website is largely marketing speak, but there is a customer portal with such assets as system requirements publicly available. Pricing is very attractive, long a hallmark of SAINT.