receiving, by a computer system, publicly-available information associated with a distributed system, wherein the publicly-available information is provided absent an authentication process;

processing, by the computer system, the publicly-available information to identify an input feature related security features of the distributed system;

determining, by the computer system, a classification category and a confidence score for the input feature, wherein the classification category is selected from a plurality of classification categories that map to potential risk and exposure of the distributed system, and wherein determining the classification category and the confidence score comprises applying a set of inputs associated with the distributed system to a trained machine-learning (ML) model; and

upon determining the classification category and the confidence score, generating a penetration test to execute for the distributed system, wherein the penetration test is customized based on the related security features, classification category and the confidence score.