Cenzic's Hailstorm 2.6, an extensively automated penetration testing platform, gets excellent marks, especially for ease of use, configurability, reporting, integrated policies, and power. Manageability and performance are rated good. Hailstorm includes many penetration tests for Web application vulnerabilities, including buffer overflows, SQL injection and cross-site scripting attacks, as well as infrastructure checks for outdated Web server platforms. Individual policies are well grouped into packages that can be launched easily to assure compliance with government regulations or industry best-practice guidelines. Hailstorm uses the Mozilla platform to generate real browser-based traffic against the application under test. This method closely emulates the way attackers actually interact with an application and helps avoid the false positives that often emerge from application scanners. Hailstorm 2.6 is priced according to the number of applications to be secured, and its pricing is competitive with products such as AppScan Audit from Watchfire. During testing on a Dell Latitude D600 laptop with a 1.6GHz Pentium M processor and 512MB of RAM, Hailstorm worked well, but Cenzic recommends a 2GHz Pentium 4 or faster processor and 1GB of RAM. Policy control and configurability are superior and make it far more feasible for an organization to conduct effective security assessments internally. Wizard-based testing is supported, but experienced penetration testers will want to advance to the robust, rich functionality that lets them closely control test scope and parameters.