Nmap is a port scanner more than a penetration testing tool, but it aids pen testing by flagging the best areas to target in an attack.

Fiddler is a useful collection of manual tools for dealing with web debugging, web session manipulation, and security and performance testing.

Nessus is a widely used paid vulnerability assessment tool that is best for experienced security teams, and should be used in conjunction with pen testing tools.

Metasploit helps IT security teams find and test vulnerabilities – and analyze the results so remediation steps can be done efficiently.

PortSwigger Web Security's Burp is a top-rated web vulnerability scanner used in a great many organizations and is found in most penetration testing toolkits.