Here is a sample of the potential for (and against) automation in network penetration testing:
- Start with an overall way of organizing your information from multiple tools. Many consider Faraday, but if you don't like it, comment about your experience and I'll provide other recommendations. There is a commercial service, Dradis Pro, that many consider to be equivalent to or better than most other options for organizing pen test data.
- Give the pen test a good start with a tool such as discover.sh. This will provide a lot of focus and coordination between tools.
- Leverage nmap. If you want to see "all vulns", then consider using version detection, the shodan-api NSE script, and the vuln NSE category of scripts with the script arguments to show all vulnerabilities that could potentially be tried.

        nmap --open --randomize-hosts --min-rate 450 --script shodan-api,vuln,reverse-index --script-args vulns.showall -sSUV -pT:0-,U:7,9,11,13,17,19,36-37,42,49,53,67,69,88,111,123,135,137,139,161-162,177,213,259,260,407,445,464,500,523,623,1604,1645,1812,5353,5632,6481,6502,10080,17185,49152

- Leverage other nmap NSE scripts, including third-party ones such as vulscan. Find more on GitHub that relate to your targets. Now you'll feel that you're doing more manual work!
- Instead of starting with Nessus or Metasploit, integrate them with what you've done with nmap using tools such as nmap2nessus and metasploitHelper.
- You can even run Nessus scripts manually, such as seen here -- https://security.stackexchange.com/a/3037/140
- Go further! Try harder! Focus on the attack paths instead of the tools. For example, what about authentication or privilege escalation? What about LFI or IDOR, or, as you said, path traversal? Typically you will want to explore these issues with Burp Suite Professional or an alternative at the webapp layer, but there are so many other layers that can be explored, e.g., DB, middleware, mobile, mainframe, vehicular (i.e., CAN Bus), embedded systems, et al.
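
To illustrate the first point about organizing output from several tools, here is an added example (not part of the original answer) that normalizes nmap XML output into per-port records and separates checks that `vulns.showall` reports as ruled out from those needing manual follow-up. The sample XML, the script ids, and the assumption that vuln scripts emit a `State: ...` line are constructed for illustration; verify them against your own authorized scan output.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like `nmap -oX` output (RFC 5737 address, made-up script ids).
SAMPLE_XML = """<nmaprun>
 <host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="445"><state state="open"/>
   <service name="microsoft-ds" product="ExampleSMB" version="1.0"/>
   <script id="example-vuln-a" output="VULNERABLE:&#10; Example issue&#10;  State: VULNERABLE&#10;"/>
   <script id="example-vuln-b" output="NOT VULNERABLE:&#10; Other issue&#10;  State: NOT VULNERABLE&#10;"/>
  </port>
  <port protocol="udp" portid="161"><state state="open|filtered"/>
   <service name="snmp"/></port>
 </ports></host>
</nmaprun>"""

STATE_RE = re.compile(r"State:\s*(.+)")  # assumed "State: ..." line in vuln-script output

def parse_nmap_xml(xml_text):
    """Map (address, protocol, port) -> port state, service banner, per-script check state."""
    records = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")
            banner = ""
            if svc is not None:
                parts = (svc.get("name"), svc.get("product"), svc.get("version"))
                banner = " ".join(p for p in parts if p)
            checks = {}
            for script in port.findall("script"):
                match = STATE_RE.search(script.get("output", ""))
                if match:
                    checks[script.get("id")] = match.group(1).strip()
            key = (addr, port.get("protocol"), int(port.get("portid")))
            records[key] = {"state": port.find("state").get("state"),
                            "service": banner, "checks": checks}
    return records

def triage(records):
    """Split checks into ones needing manual follow-up and ones already ruled out."""
    follow_up, ruled_out = [], []
    for key, rec in sorted(records.items()):
        for script_id, state in sorted(rec["checks"].items()):
            bucket = ruled_out if state.upper().startswith("NOT VULNERABLE") else follow_up
            bucket.append((*key, script_id, state))
    return follow_up, ruled_out
```

Records keyed by address, protocol and port can be merged with results from other tools that report on the same service, which is the kind of consolidation Faraday or Dradis performs.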