June 1, 2022
What to Look for in a Penetration Testing as a Service [PTaaS] Provider

Penetration testing is sometimes criticized for merely providing point-in-time results. This is a valid concern given today’s cloud and hybrid environments, with the infrastructure of many organizations changing from month to month. With the threat landscape also constantly evolving, it’s safe to say a once-a-year penetration test is simply not enough anymore.

That’s not to imply pentesting is without value—quite the opposite. In a survey of security professionals, 97% agreed that penetration testing saves their company money in the long run by preventing security breaches. 88% said it helps their organization build better security processes, and 85% said results from penetration tests provide valuable insights their organization can use to improve developer and security team training.

However, expenses for recurring testing on a more frequent basis add up quickly and can be cost-prohibitive. 71% of security pros said the cost of pentesting limits their organization’s ability to test more frequently. So what’s an organization to do?

Enter Penetration Testing as a Service, or PTaaS. PTaaS has emerged as a model for delivering pentesting on a frequent, continuous basis that keeps pace with organizational changes and DevOps agile methodologies through a subscription that provides a more cost-effective rate than standalone services.

PTaaS services can vary depending on the provider, but in general, there are a few important features to look for when considering which service to sign with.

  1. Human, hands-on-keyboard approach

More organizations are signing up for continuous penetration testing, but many of the solutions on offer are automated, software-driven scanners. The trouble is that automation alone doesn’t cut it when it comes to finding critical vulnerabilities in your environment or your applications: scanners are good at known signatures and misconfigurations, but business-logic flaws, authorization bypasses and chained attacks typically require a human to notice them. The flexibility and creativity of a tester mean manual testing can root out vulnerabilities and attack paths that automation misses, and it takes human judgment to know when to dig deeper and when to move on. Look for a provider that delivers genuine manual testing and not just a glorified vulnerability scan; ask to see a sample report and check whether the findings go beyond what a scanner would produce.

  2. Dedicated expertise and experience

Your penetration testing service is only going to be as good as the experts who conduct the tests, so be sure your PTaaS provider’s penetration testers have the breadth of experience and the qualifications to give you the value you need. Certifications such as OSCP are a useful signal of a tester’s hands-on skills, but ask about relevant experience as well, since testing an internal Active Directory estate is a different skill from testing a mobile application or a cloud environment.

Another facet to consider is how dedicated the provider is to your organization. Some PTaaS providers use a crowdsourced model, which means your organization may be assigned a different penetration tester every time. This inhibits the ability to form a consistent relationship with a tester who thoroughly knows your estate and your applications, and knowledge of previous findings is lost between engagements. A crowdsourced model also reduces the level of standardization possible: the ability of the same testers to repeat a methodology consistently from one test to the next, so that results are comparable over time and can be delivered faster.

  3. Useful, actionable reporting

Reporting is a big part of a successful penetration test. What good is a penetration test if the results aren’t presented to you and other stakeholders in a way you can understand and act on? A report should provide both a high-level executive summary and a more detailed technical view of the findings, covering risk ratings, business impact, vulnerability details, attack vectors, proofs of concept with enough detail to reproduce each issue, prioritized remediation paths, and mitigation recommendations. Findings you cannot reproduce are findings you cannot verify as fixed.

  4. DevSecOps friendly

PTaaS plays a significant role in the DevSecOps goal of shifting security left. When you test your applications at an early stage and test repeatedly, you get ahead of security problems. Not only does this result in a more secure application, it also avoids costly rework later in the process, when a design-level flaw is far more expensive to fix than it would have been before release.

A good PTaaS provider offers access to a dashboard where business, technology and security teams can all view testing status as needed, reducing vulnerability remediation lead time and increasing visibility into potential risks and priorities. These portals save direct costs and reduce effort, but bear in mind that the portal holds a catalogue of your unpatched vulnerabilities and proofs of concept, so it should itself be protected by strong controls: multi-factor authentication, role-based access so that each team sees only what it needs, and audit logging of who viewed or exported findings. Look for a portal that integrates with your Azure or Jira technology stack, so that findings flow into the tickets developers already work from and security is integrated into the development process rather than bolted on.

  5. Packages to fit your needs

No two organizations are the same, nor are their infrastructure or development processes. Look for a PTaaS provider that offers a standardized subscription service with a scope that works for your organization. Whether you need testing of your environment, external or internal, or of your web or mobile applications, look for a provider that offers a range of services that fit your needs, and be clear up front about what is in and out of scope so the subscription covers the assets that matter most.

Get more out of pen tests

Before you talk to a PTaaS provider, be sure you clearly understand what you are looking for in a pentesting service. Do you need to make your applications more secure? Are you looking to eliminate critical vulnerabilities from your ecosystem? Do you need evidence of testing for a compliance requirement? When you understand your needs clearly, you’re better positioned to find a provider whose expertise matches them.

Whether you’re looking for pentesting of your network estate or support for your DevSecOps initiatives with application testing, CBI can help. Learn more about CBI’s PTaaS offering when you download our datasheet.

About the Author
Shaun Bertrand
Chief Services Officer
Shaun Bertrand is the Chief Services Officer at CBI, A Converge Company. Shaun brings over 20 years of experience in the information security field with a core focus on providing penetration testing and vulnerability assessment services to enterprise organizations. Shaun has been CISSP certified since 2004 and is proficient in several technical services including AV obfuscation, social engineering, exploit development, critical systems protection, endpoint security, event management, incident response, intrusion detection, ICS/SCADA, and malware prevention. Shaun has taught security classes at the University of Michigan and Eastern Michigan University and is a frequent speaker at security conferences and local hacking groups.