October 4, 2022
Realizing the ROI of Penetration Testing as a Service

The global pentesting market is expected to grow from $1.4 billion in 2022 to $2.7 billion by 2027—an increase driven by regulation and compliance, the continual barrage of cyber attacks on organizations, and the increased use of business-critical mobile and web applications. These same drivers are also behind the emergence of a new way of delivering penetration testing: PTaaS, or Penetration Testing as a Service.

Traditionally, penetration testing has been done rather infrequently. An annual pen test of an organization’s network is common. When it comes to application development, a penetration test has typically been a one-off at the end of the project. But modern DevOps approaches and today’s constantly changing cloud and hybrid corporate environments demand pentesting on a more continuous basis.

While traditional pentesting is still appropriate for some organizations, for organizations with frequently changing systems or software, PTaaS offers a greater return on investment. PTaaS is penetration testing delivered as recurring, dynamic assessments with a predictable billing cycle.

Maximizing the ROI of pen testing

The difference between a one-off penetration test and a PTaaS program of continuous testing is like the difference between waiting until the end of the year to mow the grass versus paying for a weekly lawn service. By the end of the year, the grass is two feet high, weeds and sticker bushes are flourishing, and the flower beds are overtaken—requiring much more work to remediate than if the lawn had been maintained.

Similarly, a one-off test at the end of application development, or a once-a-year test of an enterprise estate, will find issues that are costlier and more time-consuming to fix than if testing had been done throughout.

A traditional penetration test can run anywhere from $20,000 to $100,000 depending on the scale of what is being tested. In contrast, the PTaaS model offers recurring assessments that are usually delivered at a savings over multiple single-test engagements. Here are some of the ways PTaaS saves time and overhead, allowing organizations to realize a greater ROI over traditional engagements:

Quicker time to market
PTaaS enables quicker time-to-market than traditional penetration tests because the product is not held up at the end of the life cycle for a cumbersome testing and remediation process. This allows organizations to realize the ROI of new software or upgrades more quickly.

Reduced admin overhead
PTaaS reduces administrative overhead compared to traditional testing. With traditional engagements, the client and vendor must take the time to come to an agreement on scope, pricing and terms before every engagement. With the continuous delivery model of PTaaS, these agreements are already in place unless the client opts to alter the scope.

Efficient testing process
PTaaS saves time in the testing process, which in turn translates to cost savings. Because pen testers are continually exposed to your software and systems, they get to know them better. When there are changes and updates, they can more quickly home in on the areas that need to be looked at. (Crowdsourced offerings, which provide a revolving door of testers, do not offer this advantage.) What’s more, PTaaS offerings use a platform as a centralized communication center between pen testers, developers and security teams, enabling rapid, direct communication and minimizing the need for additional meetings.

Quicker remediation
Pen testers can, via a PTaaS platform, deliver test results in real time, recommend remediation steps, and answer follow-up questions from developers and security teams. Developers and security teams have quick access to findings and vulnerabilities, minimizing the mean time to remediate and narrowing the window for exploitation.

The cost of letting vulnerabilities slide

Perhaps the most important ROI of PTaaS is from discovering and remediating a critical vulnerability in software or systems before a threat actor is able to exploit it. The average cost of a data breach is now an all-time high of $4.35 million, which takes into account costs from detection and escalation; post-breach response, litigation, and regulatory fines; notification activities; and lost business.

According to a Thales report, 52% of organizations have experienced a breach, 18% in the last 12 months, and 43% report an increase in attacks from the past year. What’s more, by 2025 cyber crime is predicted to cost the global economy $10.5 trillion.

Finding those critical vulnerabilities is not a given with every PTaaS offering, however, because not all providers are able to offer the appropriate level of manual testing. Manual testing conducted by experienced, think-like-an-attacker penetration testers will find deeper issues than automated scans are capable of. Human pen testers can use creativity and intuition to probe networks and applications in ways that software-driven testing cannot. In fact, a HackerOne survey found that the majority of security professionals believe humans are more effective than machines when it comes to finding unknown security vulnerabilities.

Converge Cybersecurity’s PTaaS offering uses our bench of veteran penetration testers to get to know your systems and software on a deep level with regular testing via an as-a-service model. Further strengthening the case for ROI, we offer PTaaS at a savings of 20% to 30% compared to traditional testing engagements.

And now, here’s what to look for in a provider.

About the Author
Shaun Bertrand
Chief Services Officer
Shaun Bertrand is the Chief Services Officer at CBI, A Converge Company. Shaun brings over 20 years of experience in the information security field with a core focus on providing penetration testing and vulnerability assessment services to enterprise organizations. Shaun has been CISSP certified since 2004 and is proficient in several technical services including AV obfuscation, social engineering, exploit development, critical systems protection, endpoint security, event management, incident response, intrusion detection, ICS/SCADA, and malware prevention. Shaun has taught security classes at the University of Michigan and Eastern Michigan University and is a frequent speaker at security conferences and local hacking groups.