5 Minutes With… Alton Johnson, Founder & General Manager at Vonahi Security

In the latest instalment of our cybersecurity industry executive interview series we speak to Alton Johnson (pictured) Founder & General Manager at Vonahi Security, about the firm’s vPenTest solution, dispel the the biggest myths about automated penetration testing, the shift towards automated platforms and the growing presence of AI…

• Tell us about your company and what you do.

Vonahi Security was started out of frustration with the way traditional cybersecurity companies were handling penetration tests. The process was slow, repetitive, overly manual, and frankly, outdated.

We built vPenTest to change that. It’s an automated network penetration testing platform that takes the manual steps and streamlines them into a simple, wizard-style workflow. From start to finish, the entire test is guided and automated, so organizations get the same outcomes of a traditional pentest without the inefficiency.

Our bigger goal is to help MSPs bring network penetration testing to their customers without the high price tag or the long wait times. By making pentesting more affordable and accessible, we’re leveling the playing field so that smaller organizations can get the same level of security testing that’s usually reserved for Fortune 100 companies.

• What makes vPenTest different from other pentesting options?

vPenTest stands out because it’s affordable, scalable, continuous and designed to be repeatable for MSPs and their customers. Traditional providers not only cost a lot, but they often take weeks or months to deliver a report that may already be outdated by the time it’s in your hands. With vPenTest, MSPs can get results in less than a day, and they can keep testing as often as they need.

Another big differentiator is that Vonahi Security is CREST accredited in EMEA, which means our methodology and processes meet globally recognized standards for penetration testing. That gives our partners and their customers extra confidence that they’re getting real, credible testing and not just another vulnerability scan dressed up as a pentest. Combining that accreditation with automation makes vPenTest both trustworthy and highly efficient.

• What’s the biggest myth about automated penetration testing?

The biggest myth is that it cannot be done. For years, companies tried to sell automated pentesting as a buzzword without ever proving it, so a lot of people understandably became skeptical.

Since 2019, we have been proving every single day that automated pentesting does work. With advances in technology, we have been able to take all the manual steps and map them into a logic tree that knows how to move through each phase of a pentest. That means vPenTest does not just spit out scan results. It actually simulates attacker behavior and determines the next step in a test, the same way a human would.

• How can IT and security teams show their defenses really work?

The simplest way is to run a penetration test. When you do, you are putting your defenses to the test against simulated real-world attacks.

If your defenses are configured properly, they will block or alert as expected. If they do not, the pentest will expose gaps that need fixing. Either way, you come away with clear evidence of whether your defenses are doing their job or not. It is not theory, it is proof — and that is exactly what boards and executives want to see.

• What should companies look for when choosing a pentesting provider?

They should focus on three things:

1. Pentest vs. vulnerability assessment: Confirm it is a true pentest. Ask if post-exploitation results are included. If the answer is no, it is just a vulnerability assessment.
2. Remediation testing: Check whether retesting is included. Paying a premium for one test and then more just to confirm fixes is not cost-effective.
3. Deliverables: Review sample reports. Look for detailed findings, recommendations, evidence and ideally a narrative that walks you through what was tested and what was found.

Picking the right provider is about making sure you are getting real, actionable results and not just a PDF of scan output.

• How do you see pentesting changing over the next few years?

I think we will see a major shift toward automated pentesting platforms, especially with the rise of AI. New vulnerabilities appear every single day, and traditional once-a-year testing simply cannot keep up.

Automation will make it possible for organizations to test far more often and at a lower cost. AI will make tests smarter and more adaptable, bridging the gap between what a human pentester does and what a platform can automate. I see continuous pentesting becoming as standard as patching or backups. It will just be part of how companies operate.

• What have been the toughest challenges in cybersecurity over the past year?

The biggest challenge is keeping up with the sheer volume of vulnerabilities and new technologies. Every week, new vendors and solutions appear, many of them powered by AI.

For organizations, that makes it harder to know what is real and what is just marketing hype. They are under pressure to protect themselves against evolving threats, but they also have to wade through a noisy vendor landscape to find the ones that actually deliver value.

• And what new opportunities have come up?

The demand for automated pentesting has grown tremendously. More companies are realizing that traditional testing just cannot keep up, and they need something more scalable.

AI has also opened new doors on both sides. For vendors like us, it means we can build richer, more detailed testing capabilities. For organizations, it means they have access to new tools that help them stay secure without adding massive costs or overhead.

• What’s the top priority for cybersecurity in 2025?

Adopting AI. While AI isn’t perfect, the reality is that it has indeed provided a lot of opportunities for improvements in the cybersecurity space. When used correctly, it can help organizations identify risks, organize data within their environments and ultimately provide value with things that would once require a slow, manual process, including security vulnerability remediation.

• What trends do you think will shape the industry in 2026?

AI is going to continue shaping the industry. It is now much easier to create new security testing tools, and companies are finding ways to use AI to strengthen their day-to-day security posture. I believe AI will move from being something experimental to being embedded in the everyday operations of most organizations. It will not just be an add-on, but rather part of the foundation of how cybersecurity is done.

• What technology will have the biggest impact this year?

AI, hands down. While it’s often just used as a marketing technique, it has a lot of value to offer when used correctly. How organizations and vendors leverage AI to help their organizations will make a massive difference in how 2026 plays out for them. 

• What’s the best part of your job and the hardest part?

The best part of my job is seeing organizations that couldn’t afford a pentest years ago now being able to get the same service I used to provide Fortune 100 organizations. I haven’t gotten over that yet. I know it’s become “normalized” nowadays, but seeing vPenTest go from a personal project to a platform that’s meaningfully providing value to organizations around the world is still mind-blowing and game changing to me. It’ll take me awhile to get over it, because I was told it’s not possible for a long time and now we’re proving it today.

The hardest part of my job is trying to implement all the ideas that I have. As an innovator, my mind never sleeps. I constantly have ideas about how to bring more value to the market — with the current solution (vPenTest), other ideas, etc.

• What’s the best piece of advice you’ve ever received?

While this advice hasn’t been given to me, one of the best quotes I’ve seen was “Luck is one of the by-products of those who take the most action,” by Grant Cardone. When Vonahi Security was still in its early days, this inspired me to continue to take action, despite the chances of low success. At some point, I got lucky, and people started picking up the phone to call me. This wouldn’t have been possible if I hadn’t increased my chances of getting “lucky” by waking up every day and taking action to create something of value. This has also removed fear from my mindset, as I believe now that anything is possible with enough action, despite how crazy it may sound to some.