Penetration Testing as a Service: Not All Models are Created Equal

Jeff Barker, VP of Product
If you are thinking Penetration Testing as a Service (PTaaS) is what you need to make a material improvement to your resilience and posture, you should consider that not all models are created equal.

Before jumping into the difference between PTaaS models, it’s helpful to review the challenges with legacy penetration testing that have driven the emergence of PTaaS.

What is PTaaS and How Does It Differ from Traditional Pentesting?

Penetration testing has been around since the 90s (technically since the 60s), arguably with little process innovation. Since its inception, it has been a separate, project-driven engagement with significant lead times that runs periodically at best and yields a static report that does little more than satisfy the regulators. A CISO of a large organization summed it up as:

All the money we spent on security testing and remediation yesterday is gone. We don’t learn anything from the process or leverage the data strategically. We claim success if the regulators are satisfied.

Along comes the PTaaS model, which promises material improvement over legacy penetration testing, creating a more agile testing process to better keep pace with today’s continuous integration and continuous deployment schedule. 

According to the sources ChatGPT pulls from, PTaaS takes the concept of penetration testing and delivers it as a subscription-based or on-demand service. This means that organizations can access penetration testing services without the need to maintain an in-house team of ethical hackers or undergo periodic testing manually. 

It continues to describe the advantages of PTaaS as:

  1. On-demand testing
  2. Scalability
  3. Automation and Tools
  4. Continuous monitoring and testing
  5. Remediation guidance

If you dig into these PTaaS attributes that make up what we’ll call Standard PTaaS, you’ll notice the primary focus is on improving test provisioning and efficiency. And while that represents progress to a more agile testing process, the actual testing model must also evolve from the traditional limited diversity of the “two-tester” model. 

Otherwise, PTaaS simply performs the same insufficient testing more quickly. In other words, we need a solution that both streamlines the provisioning and management of penetration testing and evolves the test execution model to materially improve testing outcomes. The PTaaS solution that can accomplish both improved efficiency and improved efficacy is Synack PTaaS.

Traditional Pentesting
– Project-driven
– Long testing lead times
– Limited tester diversity
– Static report of results
– Compliance focused

Standard PTaaS
– On-demand testing
– Scalable
– Automation and tools
– Continuous testing
– Limited tester diversity
– Remediation guidance

Synack PTaaS
– On-demand testing
– Scalable
– Automation and tools
– Continuous testing
– Increased tester diversity
– Incentive testing model
– Test coverage visibility
– Full test control (stop/pause)
– Remediation verification
– Root cause analysis
– SecOps integrations

Analyst reports today do a fairly good job of describing the provisioning and efficiency improvements but fall short on test efficacy and outcomes, so let’s dive deeper into the need for improved efficacy and outcomes.

How Synack’s PTaaS Model Provides Better Testing

First, with the increasing complexity of application/service delivery architectures, it’s reasonable to assume that one or two testers will NOT have the depth of knowledge and expertise to sufficiently reduce your risk of having vulnerabilities that could lead to ransomware or other business-impacting compromise.

The Synack PTaaS model brings at least an order of magnitude more testers to the attack surface, testers who are highly incentivized based on the complexity, quality and reporting completeness of their findings. The higher the impact, the higher the compensation. This model offers significantly increased testing skill diversity and effort to better validate the cyber resiliency of in-scope assets (web, mobile, API, infrastructure). Moreover, all findings are maintained in a common testing platform, enabling root cause analysis, which means you can also improve the underlying processes so as not to create the same vulnerabilities going forward.

A Synack PTaaS solution also offers full visibility into and control of the testing activities. This provides the organization with details on test coverage, allows it to interact directly with the testers and even to stop or pause a test. Understanding the testing coverage is vital to ensure you’re testing all the correct assets at the proper depth.

The final attribute of the Synack PTaaS solution is integration with your security and operational processes. We hear statements like, “Our SOC doesn’t have access to vulnerability findings from penetration testing.” That’s not surprising when traditional pentesting results are delivered as a PDF, with the added complexity of rotating testing providers.

With Synack PTaaS, the results are stored on the platform and easily available to members of the security team and to other systems. Some common points of integration are ticketing systems like ServiceNow and Jira, SIEMs like Splunk for correlating test findings and coverage data, and SOARs like Microsoft Sentinel.

Synack PTaaS is for organizations that want to:

  1. Get more out of their security testing investment to ensure that testing can keep pace with the rate of software development;
  2. Reduce the risk of exploitable vulnerabilities;
  3. Understand and fix the root causes of issues that undermine their security posture; and
  4. Confidently accelerate business initiatives without compromising security.

Better Security is Better for the Business

I know you’re probably accustomed to hearing claims of improved security posture and reduced vulnerabilities, but the notion of a security program having a positive impact on accelerating key business initiatives is probably a foreign concept.

With the benefits of the Synack PTaaS program you can confidently accelerate business initiatives like digital transformation. According to a recent survey, 82% of organizations believe they experienced at least one data breach during a digital transformation process. Instead of relying on the traditional “no news is good news” approach of defensive security controls, Synack PTaaS enables organizations to proactively assess the security posture associated with strategic business initiatives on a continuous basis. 

As you integrate PTaaS into your offensive security (penetration) testing strategy, we believe it’s vital to consider a solution that materially improves the testing outcomes required by today’s increasingly complicated and dynamic attack surface, sophisticated adversaries and rapid rate of change. For most organizations, Synack PTaaS will streamline the provisioning and management of penetration testing and evolve the test execution model to deliver test outcomes that have a real, positive impact on the business.