Abstract:
Advanced Persistent Threats (APTs) pose serious risks to the network security and privacy of government agencies, businesses, and other organizations. Current red team testing lacks clear guidance on the sequence of attack actions, which makes threat reasoning and verification inefficient. To address this, this paper introduces an attack graph construction method based on partial order planning that predicts potential threat paths quickly, accurately, and in a well-defined order. In addition, existing threat assessment metrics focus mainly on generic severity and often overlook how difficult a threat is to exploit in a real network environment. To overcome this, we propose a risk assessment model that combines CVSS with agent depth, measuring risk in terms of both vulnerability severity and the complexity of exploitation in a specific network setting. Finally, we designed an automated penetration testing tool based on attack graphs that autonomously collects information, performs penetration testing, and conducts post-exploitation activities along the attack paths, automating the full process. Validation in multiple network environments shows that the proposed methods effectively infer attack sequences and efficiently evaluate the feasibility of attack paths, enabling the successful verification of automated penetration attacks and improving overall network security.
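The abstract names partial order planning as the mechanism that orders attack steps and a CVSS-plus-depth score as the risk metric, but gives neither the algorithm nor the formula. The following is an added illustration, not the paper's code, data or risk model: attack steps are modelled as planning actions with preconditions and effects, a backward-chaining planner collects the steps needed to reach a goal together with producer-before-consumer ordering constraints (the partial-order plan), a topological sort turns that into one concrete attack path, and a depth-weighted score discounts each exploit's CVSS by how many pivots precede it. The action set, CVSS values, and the depth weighting are all constructed assumptions chosen to show the shape of the approach.

```python
"""Toy partial-order planner that orders attack steps into a path.

Illustration only: the action set, CVSS values and the depth weighting
below are constructed for this example and are not the paper's data or
its agent-depth risk model.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    name: str
    preconds: frozenset   # facts that must hold before the step runs
    effects: frozenset    # facts the step establishes
    cvss: float = 0.0     # CVSS base score of the weakness used (0 = no exploit)


# Constructed attack steps for a small two-hop intrusion (hypothetical values).
ACTIONS = [
    Action("recon", frozenset({"network_access"}), frozenset({"services_known"})),
    Action("exploit_web", frozenset({"services_known"}), frozenset({"webshell"}), 9.8),
    Action("dump_creds", frozenset({"webshell"}), frozenset({"creds"}), 7.8),
    Action("lateral_rdp", frozenset({"creds", "services_known"}), frozenset({"internal_host"}), 8.8),
    Action("exfil", frozenset({"internal_host"}), frozenset({"data_exfiltrated"})),
]
INITIAL = frozenset({"network_access"})
GOAL = frozenset({"data_exfiltrated"})


def plan(actions, initial, goal):
    """Backward-chain from the goal. Returns the chosen steps and the set of
    (producer, consumer) ordering constraints: a partial-order plan, since
    steps with no constraint between them may run in either order."""
    by_effect = {}
    for a in actions:
        for fact in a.effects:
            by_effect.setdefault(fact, a)      # first producer wins (toy choice)
    steps, orders = set(), set()
    open_goals = deque((fact, None) for fact in goal)   # (fact, consuming step)
    while open_goals:
        fact, consumer = open_goals.popleft()
        if fact in initial:
            continue                           # already true in the start state
        producer = by_effect.get(fact)
        if producer is None:
            raise ValueError(f"no action establishes {fact!r}")
        if consumer is not None:
            orders.add((producer.name, consumer.name))
        if producer not in steps:
            steps.add(producer)
            open_goals.extend((p, producer) for p in producer.preconds)
    return steps, orders


def linearize(steps, orders):
    """Kahn's algorithm: one total order consistent with every constraint.
    Ties are broken alphabetically so the output path is deterministic."""
    names = {s.name for s in steps}
    indeg = {n: 0 for n in names}
    succ = {n: [] for n in names}
    for before, after in orders:
        succ[before].append(after)
        indeg[after] += 1
    ready = sorted(n for n in names if indeg[n] == 0)
    path = []
    while ready:
        n = ready.pop(0)
        path.append(n)
        for m in succ[n]:
            indeg[m] -= 1
            if indeg[m] == 0:
                ready.append(m)
        ready.sort()
    if len(path) != len(names):
        raise ValueError("cyclic ordering constraints")
    return path


def path_risk(path, actions_by_name):
    """Hypothetical depth-weighted score (an assumption, not the paper's model):
    each exploit's CVSS/10 is treated as a success likelihood and divided by
    its depth (1 for the first exploit, 2 for the second, ...), so a 9.8 that
    is only reachable after several pivots scores below one at the edge."""
    score, depth = 1.0, 0
    for name in path:
        a = actions_by_name[name]
        if a.cvss > 0:
            depth += 1
            score *= (a.cvss / 10.0) / depth
    return round(score, 4)


def demo():
    """Run the toy planner on the constructed scenario."""
    steps, orders = plan(ACTIONS, INITIAL, GOAL)
    path = linearize(steps, orders)
    return path, path_risk(path, {a.name: a for a in ACTIONS}), orders


if __name__ == "__main__":
    path, risk, orders = demo()
    print("attack path:", " -> ".join(path))
    print("ordering constraints:", sorted(orders))
    print("depth-weighted risk:", risk)
```

The planner only commits to the orderings the preconditions force (for example `recon` must precede both `exploit_web` and `lateral_rdp`), which is what lets a red team defer the choice between independent branches until execution; `linearize` picks one admissible sequence when a concrete path is needed.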