Aligning Automated Penetration Testing and Risk Management