Penetration testing is a widely used technique that identifies vulnerabilities in a web application by simulating attacks from a malicious user. Successful penetration testing requires accurate information about a web application's structure and also an effective way to determine when simulated attacks would have been successful. Current approaches to penetration testing use information gathering techniques, such as web crawling, that are incomplete, and detect successful attacks using heuristics that, in practice, miss many successful attacks. In my recent work, I developed a penetration testing approach, sdapt, that addresses these limitations by combining several of the analysis techniques I had developed in previous projects. sdapt uses wam to gather interface information to identify potential input vectors to a web application and figure out how to pass input validation checks on input fields. It also leverages wasp to identify when an attack has succeeded. In the empirical evaluation of sdapt, I found that it was able to identify almost three times as many vulnerabilities as a conventional penetration testing approach.