
Pen Testing as a Service (PTaaS)

Pen Testing as a Service (PTaaS) is a cloud-delivered service that gives information technology (IT) and security teams the resources they need to conduct, and act on the results of, both point-in-time and continuous penetration tests. The goal of PTaaS is to help organizations build vulnerability management programs that find, prioritize and remediate vulnerabilities quickly and efficiently.

In IT security, it is common practice for businesses to hire reputable white hat testers to proactively look for attack vectors that an adversary could exploit. Inviting an outside party to try to breach a network, server or application may sound counter-intuitive, but it is one of the most reliable ways to find and fix security issues that are hard to spot from the inside.


How PTaaS works

Before cloud delivery, pen test results arrived as a report after the testing window had closed. The information was useful, but because it was already historical by the time it landed, in-house security teams often struggled to prioritize and fix the findings.

Pen tests delivered through a software as a service (SaaS) model address this by letting customers view findings in real time in an executive dashboard that shows the relevant data before, during and after the test is performed. Like traditional pen testing services, PTaaS vendors give customers resources for triaging findings and for verifying, through a retest, that a remediation actually worked. Vendors typically supply a knowledge base to assist in-house security teams with remediation, and some offer, as an added service, direct access to the tester who discovered a vulnerability.

PTaaS suits organizations of any size. Most platforms are flexible enough to accommodate everything from a full testing program to custom reporting for customers whose regulatory requirements impose heavy compliance burdens.

Pen Testing as a Service should not be confused with cloud pen testing. PTaaS describes how testing is delivered; cloud pen testing describes a target, namely a specific cloud environment in which the test looks for security gaps. A PTaaS engagement can include a cloud pen test, and a cloud pen test can be run without a PTaaS platform.


Benefits of Pen Testing as a Service

One of the biggest benefits of PTaaS is the control it gives the customer. Companies with less in-house security experience gain both a partner and a platform that provides what they need to build a threat and vulnerability management program.

In addition to presenting the progress and status of all open engagements, PTaaS platforms make it easy for customers to request and scope new engagements. Other benefits include:

Flexible purchasing options: Automated, manual and hybrid pen test services can be budgeted for and procured through a monthly, quarterly or yearly subscription, or on an as-needed basis.

Continued access to real-time data: A finding is a living record rather than a line in a static report. As new information about it emerges, such as a published exploit, a revised severity or a retest result, the record is updated.

Flexible reporting options: Many PTaaS platforms can aggregate and correlate findings from multiple sources and produce result sets tailored to different stakeholders, such as a technical finding list for engineers and a risk summary for management.

Automation: Automated workflows make vulnerability scanning of external networks and unauthenticated web applications easier to run on a schedule. Such scans find known, signature-detectable issues; they do not replace manual testing for authorization and business-logic flaws, which is why most platforms also offer a hybrid model.


Challenges of using PTaaS

When vulnerability tracking, retesting and reporting are automated, customers can manage budget and internal resources more efficiently, which in turn lets them run more tests. Not every company is in a position to absorb additional testing cycles, however.

Newer and underfunded security programs sometimes struggle to remediate the vulnerabilities found in an annual penetration test, let alone those from weekly, monthly or quarterly testing. More frequent testing only pays off if the findings are actually fixed. Because security budgets are finite in many organizations, it can be hard to justify the cost of extra tests and the remediation work they generate.

What to look for in a PTaaS supplier

There are a few core elements potential customers should weigh when evaluating automated, manual or hybrid penetration testing services, starting with the reputation and track record of the vendor and the qualifications of its testers. Because a PTaaS platform holds a detailed inventory of a customer's unpatched weaknesses, the platform's own security, including how findings are encrypted, who can access them and how testers are vetted, deserves the same scrutiny as its feature list.

In addition to a robust library of remediation instructions, notable product features include:

  • The ability to aggregate and correlate data from multiple sources.
  • The ability for multiple testers to work simultaneously on the same project and combine findings in a single workspace for reporting.
  • The ability to normalize confidence and severity ratings across scanners, so that findings from different tools can be compared, duplicates merged and false positives trimmed.
  • The ability to generate reports in multiple file formats.
  • The ability to customize report templates for specific types of tests.
  • The ability to track trends over time and measure how long remediation takes.
  • The ability to integrate reporting with enterprise ticketing and governance, risk and compliance (GRC) systems.
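The aggregation, normalization, trend-tracking and ticketing items above (and the reporting benefits listed earlier) are easier to judge with a concrete pipeline in hand. The following is an added example, not code from the page or from any vendor it names: it takes three constructed exports (an unauthenticated network scan, an unauthenticated web scan and one tester-verified manual finding), maps each onto one CVSS-like severity scale and a 0-1 confidence, merges records that describe the same issue on the same asset, drops uncorroborated low-confidence hits, and computes mean time to remediate per severity band. The export formats, the mapping tables, the confidence-combination rule and the ticket field names are all assumptions made for illustration.

```python
"""Aggregate, normalise and trend findings from several sources.
Added example; export formats, mapping tables and rules are assumptions."""
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample exports (not real scanner output).
NET_SCAN = [  # unauthenticated external network scan, CVSS already present
    {"ip": "203.0.113.10", "port": 443, "plugin": "TLS 1.0 enabled",
     "cvss": 5.3, "found": "2020-01-06"},
    {"ip": "203.0.113.10", "port": 22, "plugin": "SSH weak MAC",
     "cvss": 2.6, "found": "2020-01-06"},
]
WEB_SCAN = [  # unauthenticated web scan using a 0-4 severity scale
    {"host": "203.0.113.10", "url": "/login", "name": "Reflected XSS",
     "severity": 3, "confidence": "Certain", "date": "2020-01-07"},
    {"host": "203.0.113.10", "url": "/", "name": "TLS 1.0 enabled",
     "severity": 2, "confidence": "Firm", "date": "2020-01-07"},
    {"host": "203.0.113.10", "url": "/search", "name": "SQL injection",
     "severity": 4, "confidence": "Tentative", "date": "2020-01-07"},
]
MANUAL = [  # tester-verified finding from the hybrid engagement
    {"asset": "203.0.113.10", "title": "SQL injection", "cvss": 9.8,
     "date": "2020-01-08"},
]

# Assumed per-tool mappings onto one CVSS-like 0-10 scale and a 0-1 confidence.
WEB_SEVERITY_TO_CVSS = {0: 0.0, 1: 2.0, 2: 5.0, 3: 7.5, 4: 9.5}
WEB_CONFIDENCE = {"Certain": 0.95, "Firm": 0.7, "Tentative": 0.3}
NET_CONFIDENCE = 0.4  # banner-based network plugins are often wrong alone


def normalise_net(f):
    return {"asset": f["ip"], "title": f["plugin"].lower(), "cvss": f["cvss"],
            "confidence": NET_CONFIDENCE, "sources": {"net"},
            "first_seen": date.fromisoformat(f["found"])}


def normalise_web(f):
    return {"asset": f["host"], "title": f["name"].lower(),
            "cvss": WEB_SEVERITY_TO_CVSS[f["severity"]],
            "confidence": WEB_CONFIDENCE[f["confidence"]], "sources": {"web"},
            "first_seen": date.fromisoformat(f["date"])}


def normalise_manual(f):
    return {"asset": f["asset"], "title": f["title"].lower(), "cvss": f["cvss"],
            "confidence": 1.0, "sources": {"manual"},
            "first_seen": date.fromisoformat(f["date"])}


def correlate(findings):
    """Merge records that describe the same issue on the same asset."""
    merged = {}
    for f in findings:
        key = (f["asset"], f["title"])
        if key not in merged:
            merged[key] = dict(f, sources=set(f["sources"]))
            continue
        m = merged[key]
        m["cvss"] = max(m["cvss"], f["cvss"])
        # Treat sources as independent witnesses: P(real) = 1 - prod(1 - c_i).
        m["confidence"] = 1 - (1 - m["confidence"]) * (1 - f["confidence"])
        m["sources"] |= f["sources"]
        m["first_seen"] = min(m["first_seen"], f["first_seen"])
    return merged


def reportable(merged, min_confidence=0.5):
    """Drop low-confidence, uncorroborated hits: the false-positive filter."""
    return {k: v for k, v in merged.items() if v["confidence"] >= min_confidence}


def severity_band(cvss):
    bands = ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.0, "low"))
    return next(name for floor, name in bands if cvss >= floor)


def remediation_metrics(findings, closed):
    """Mean days-to-remediate per band, plus what is still open per band."""
    days, still_open = defaultdict(list), defaultdict(int)
    for key, f in findings.items():
        band = severity_band(f["cvss"])
        if key in closed:
            days[band].append((closed[key] - f["first_seen"]).days)
        else:
            still_open[band] += 1
    return {"mttr_days": {b: mean(d) for b, d in days.items()},
            "open": dict(still_open)}


def ticket_payload(f):
    """Shape one finding for a ticketing/GRC system (field names assumed)."""
    priority = {"critical": "P1", "high": "P2", "medium": "P3", "low": "P4"}
    return {"summary": f"[{f['asset']}] {f['title']}",
            "priority": priority[severity_band(f["cvss"])],
            "sources": sorted(f["sources"])}


# Constructed closure dates, as a retest or ticket system would record them.
CLOSED = {("203.0.113.10", "tls 1.0 enabled"): date(2020, 1, 20),
          ("203.0.113.10", "sql injection"): date(2020, 1, 10)}


def run_pipeline():
    raw = ([normalise_net(f) for f in NET_SCAN]
           + [normalise_web(f) for f in WEB_SCAN]
           + [normalise_manual(f) for f in MANUAL])
    findings = reportable(correlate(raw))
    return findings, remediation_metrics(findings, CLOSED)


if __name__ == "__main__":
    findings, metrics = run_pipeline()
    for f in findings.values():
        print(ticket_payload(f))
    print(metrics)
```

Two things worth noticing in the output. The TLS finding arrives from the network scanner at a confidence too low to report on its own, but the web scanner's independent sighting of the same issue lifts it above the threshold, while the uncorroborated SSH hit is suppressed; that is the normalization-and-correlation feature doing the false-positive trimming the list describes. And the SQL injection record keeps the earliest sighting date from the automated scan, so the remediation metric measures from first detection rather than from when a tester confirmed it.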


The PTaaS vendor landscape

Notable vendors in the PTaaS space currently include:

NetSPI – According to their website, NetSPI is a top penetration testing company and cybersecurity solution provider trusted by 7 of the top 10 U.S. banks.

Cobalt.io – According to their LinkedIn profile, Cobalt.io is a Pentest as a Service platform and on-demand vulnerability management engine.

BreachLock – According to their website, BreachLock's cloud platform enables customers to run automated scans and request manual testing and retests with one click.

Synack – According to their website, Synack crowdsources their security testing platform.

Praetorian – According to their website, Praetorian helps their clients find, fix, stop and solve cybersecurity problems across an enterprise or product portfolio.


This was last updated in January 2020