VMblog: NetSPI Launches New Attack Surface Management Platform

On February 22, 2022, NetSPI and Travis Hoyt were featured in a VMblog article titled, NetSPI Launches New Attack Surface Management Platform. Preview the article below, or read the full article online here.

+ + +

NetSPI introduced Attack Surface Management to help secure the expanding, global attack surface. The platform delivers continuous pentesting backed by NetSPI’s global security testing team to help organizations inventory known and unknown internet-facing assets, identify exposures, and prioritize critical risks to their business.

According to Gartner’s Emerging Technologies: Critical Insights for External Attack Surface Management report, analysts recommend attack surface management implementation “as part of a broader, enterprise-wide vulnerability and threat management effort, where known and unknown risks, vulnerabilities and assets are handled as part of a concerted and integrated strategy.”

Attack Surface Management is a core component of NetSPI’s Penetration Testing as a Service (PTaaS) delivery model. It complements the company’s established Penetration Testing and Adversary Simulation technology-powered services to provide a full suite of offensive security solutions for its customers.

“You don’t know what you don’t know, and what you don’t know can hurt you,” said Travis Hoyt, Chief Technology Officer at NetSPI. “What we have built here is a comprehensive solution to shadow IT and asset management challenges. Attack Surface Management provides an opportunity for organizations to continuously enhance their security posture, improve their penetration testing strategies, and ultimately reduce the probability and impact of a costly cyberattack.”

Continue reading NetSPI Launches New Attack Surface Management Platform on the VMblog.


VentureBeat: Pentesting Firm NetSPI Expands Into Attack Surface Management

On February 22, 2022, Travis Hoyt was featured in a VentureBeat article titled, Pentesting Firm NetSPI Expands Into Attack Surface Management. Preview the article below, or read the full article online here.

+ + +

Exposure of internet-facing enterprise assets and systems can bring major risks for security. And yet in many cases, enterprises aren’t even aware of all the internet-facing assets they have — which of course makes it impossible to go about securing those assets and systems.

As digital transformation continues turning all enterprises into internet companies, to one degree or another, this problem of exposed assets and systems is growing fast. And that has led to the emergence of a new category of security technology: External attack surface management, or EASM.

The technology — sometimes referred to simply as attack surface management, or ASM — focuses on identifying all of an enterprise’s internet-facing assets, assessing for vulnerabilities and then remediating or mitigating any vulnerabilities that are uncovered.

A separate discipline within security is penetration testing, or pentesting, in which a professional with hacking expertise performs a simulated attack and tries to breach a system, as a way to uncover vulnerabilities that need to be addressed.

Today, enterprise pentesting firm NetSPI announced that it’s bringing the two worlds together, with the debut of its new attack surface management offering. The solution integrates the company’s pentesting experts into the attack surface management process, as a way to improve the triage and remediation of risky exposures, said Travis Hoyt, CTO at NetSPI.

“EASM does not typically include manual pentesting — at least not in the way NetSPI incorporates it into our new offering,” Hoyt in an email to VentureBeat.

However, “both are necessary to truly accomplish a holistic, proactive security program,” he said. “In today’s threat environment, conducting a pentest once a year is no longer effective given the rate at which the attack surface is changing. EASM ensures that corporate networks have constant coverage and attack surface visibility.”

Continue reading Pentesting Firm NetSPI Expands Into Attack Surface Management on VentureBeat (reporting by: Kyle Alspach).


NetSPI Launches New Attack Surface Management Platform

The offering leverages innovative technology and expert pentesters to help organizations discover and secure all assets on the external attack surface.

Minneapolis, MNNetSPI, the leader in enterprise penetration testing, today introduced Attack Surface Management to help secure the expanding, global attack surface. The platform delivers continuous pentesting backed by NetSPI’s global security testing team to help organizations inventory known and unknown internet-facing assets, identify exposures, and prioritize critical risks to their business. 

According to Gartner’s Emerging Technologies: Critical Insights for External Attack Surface Management report, analysts recommend attack surface management implementation “as part of a broader, enterprise-wide vulnerability and threat management effort, where known and unknown risks, vulnerabilities and assets are handled as part of a concerted and integrated strategy.” 

Attack Surface Management is a core component of NetSPI’s Penetration Testing as a Service (PTaaS) delivery model. It complements the company’s established Penetration Testing and Adversary Simulation technology-powered services to provide an integrated, full suite of offensive security solutions for its customers.

“You don’t know what you don’t know, and what you don’t know can hurt you,” said Travis Hoyt, Chief Technology Officer at NetSPI. “What we have built here is a comprehensive solution to shadow IT and asset management challenges. Attack Surface Management provides an opportunity for organizations to continuously enhance their security posture, improve their penetration testing strategies, and ultimately reduce the probability and impact of a costly cyberattack.”

Key capabilities of NetSPI’s Attack Surface Management include: 

  • Comprehensive Asset Discovery: NetSPI’s Attack Surface Management technology platform leverages automated scanning and orchestration technology to map, identify, and inventory all assets and improve attack surface visibility.  
  • 24/7/365 Continuous Testing: The cloud-native, dynamic application monitors the attack surface continuously and alerts when a high-risk exposure is detected. It provides simplified and always-on attack surface visualization to view your entire external attack surface in a single platform. 
  • Manual Exposure Triaging: The NetSPI Attack Surface Management (ASM) Operations Team triages high-risk exposures to validate the exposure, evaluate the risk it poses to your business, support your team with remediation advisory, and escalate worrisome exposures to our penetration testing team to investigate further. 

“The current attack surface management market is reliant on technology. But to find critical exposures that put your organization at risk, human intuition is required,” said Aaron Shilts, CEO at NetSPI. “Our ASM Operations Team is rooted in 20 years of manual penetration testing expertise. We bring a human-centric, strategic approach to the market that will help security leaders get a better handle on their evolving attack surface.” 

The Attack Surface Management (ASM) platform also features simple set-up, tracking and trending data over time, asset intelligence, Slack and email integrations, open source intelligence gathering, asset and exposure prioritization, port discovery, and more. For additional details on its capabilities and features, download the attack surface management data sheet.

To learn more or get started with Attack Surface Management, email or visit our website.

About NetSPI 

NetSPI is the leader in enterprise penetration testing and attack surface management, partnering with nine of the top 10 U.S. banks, three out of the five FAANG companies, the world’s largest healthcare organizations, the largest global cloud providers, and many of the Fortune® 500. Its platform driven, human delivered Penetration Testing, Adversary Simulation, and Attack Surface Management services are supported by dynamic technology platforms and a dedicated team of global penetration testing experts. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn

Media Contacts:
Tori Norris, NetSPI 
(630) 258-0277 

Amanda Echavarri, Inkhouse for NetSPI 
(978) 201-2510 


How to Improve Your Attack Surface Management Strategy

NetSPI employs many former CISOs and security leaders, myself included. When discussing the challenges that we faced in those roles, we all agreed that one of the greatest challenges was keeping up with constant change to our attack surface.

New things pop up on the external network all the time, often without IT awareness. And it’s up to security leaders to keep track of all assets AND understand the risk of every exposure. In other words, keeping up with the rapidly evolving external attack surface is not for the faint of heart.

To help, NetSPI launched Attack Surface Management, a platform-driven, human delivered offering that mitigates attack surface risks. Pulling from lessons learned during the R&D of Attack Surface Management (ASM), I want to share some advice on how you can adjust your cyber attack surface management strategy to ultimately keep pace with the rate of change security leaders are experiencing today.

What is Attack Surface Management?

First, it’s important to understand what the attack surface is.

An attack surface is an accumulation of all the different points of entry on the internet that stores your organization’s data (external-facing assets). This includes your hardware, software, your digital assets uploaded to the cloud, and much more.

Attack surface management provides continuous observability and risk assessment of your organization’s entire attack surface. When coupled effectively with continuous penetration testing, it helps organizations improve their attack surface visibility, asset inventory, and understanding of their assets and exposures.

Attack Surface Management Use-Cases

Through the attack surface, adversaries can exploit exposures to identify vulnerabilities that will give them access to your organization. If the threat actors are successful, the outcomes may vary, but are undoubtably negative. Those outcomes could include:

  • Deployment of malware on your network for the purposes or ransomware, or even worse killware.
  • Extraction of employee data such as social security numbers, healthcare data, and personal contact information, which could become a nightmare for privacy teams as privacy legislation across the globe continues to grow.
  • Threaten to block access to your financial records with ransomware, then hold you hostage for more not to publicly disclose that data.

You can incorporate an attack surface management solution to detect known, unknown, and potentially vulnerable public-facing assets, as well as changes to your network. Effective asset management and change control processes are challenging, and even the most well-intentioned organizations often see this as an area of opportunity for improvement. Common reasons organizations invest in attack surface management include:

  • Continuous observability and risk management
  • Identification of external gaps in visibility
  • Discovery of known and unknown assets and Shadow IT
  • Risk-based vulnerability prioritization
  • Assessment of M&A and subsidiary risk

Explore additional attack surface management use-cases: Download our data sheet.

3 Ways to Improve Your Attack Surface Management Strategy

As I noted earlier, attack surface management is not for the faint of heart. The volume of data many technology-based external attack surface management (EASM) solutions generate can be hard to consume and even harder to make actionable. But there are three ways you can improve your strategy to minimize risk and better secure your organization.

Incorporate Human Expertise

Most of today’s attack surface management solutions are heavily reliant on technology. But what’s missing in the market are comprehensive solutions that intersect innovative technology with human intuition. Humans find vulnerabilities that tools miss and can provide business context to each exposure. There’s no replacement for human talent.

Additionally, many organizations rely solely on technology, but the reports scanners sent over generate noise for clients and contain many false positives. By adding manual exposure triaging to your attack surface management workflow, you can limit the noise and only focus on the exposures that matter most to your business.

At NetSPI, our ASM Operations Team pulls from its 20+ years of manual penetration testing expertise to provide the intuition and insight needed to help you prioritize the areas of weakness on your attack surface. We can provide you with additional context to determine next steps, help you triage exposure, evaluate the risk it poses to your business, advise your team on remediation strategies, and prioritize manual testing techniques to find business-critical vulnerabilities tools often miss.

Enable Always-on, Continuous Penetration Testing

An attack surface monitoring solution needs to manage risks to your attack surface via ongoing, continuous monitoring. If your current attack surface management solution is not truly continuous, or if you’re unable to effectively reason about the data the solution is generating, you’re giving adversaries ample time to find risky exposures before you do.

NetSPI helps your security teams stay on top of changes to your attack surface by providing a 24/7/365 ongoing assessment of your organization’s external-facing assets. This is achieved through our automated scan orchestration technology, Scan Monster.

We use a multitude of automated and manual methods including open source intelligence (OSINT) to identify data sources such as business entities, IP addresses, domains, employee information, and sensitive company data. 

Coupling this technology with our human expertise provides a robust, around-the-clock attack surface management strategy gives you comprehensive visibility that enables you to effectively manage risk.

Prioritize Exposures Based on Risk

Many organizations today scan for external-facing assets and then send reports and alerts over without any context. This creates noise, and wastes time, money, and resources to parse through the data.

Attack surface management isn’t your day job. Cybersecurity leaders have an entire portfolio of controls to consider and solutions that just feed a torrent of data distracts you and your teams from focusing on the real threats to your business.

What are the critical risk factors that will affect the business? Who are the potential threat actors? Which vulnerabilities should I remediate first? Which exposures are most likely to be exploited?

NetSPI’s ASM Operations Team and our ASM platform will help you identify the answer to these questions. In the Attack Surface Management technology platform you can group assets based on risk using the tagging function to create a risk-based view of your attack surface.

You can also view your results over time to measure your ability to reduce risk. We deliver results to clients that are meaningful, validated, and help organizations understand the true risks on their attack surface. This way, you can prioritize your time and effort on critical exposures that matter.

NetSPI’s Attack Surface Management

So, how do you minimize risk and ensure full visibility of your attack surface? By integrating an attack surface management strategy that is human delivered, continuous, and risk-based.

We created our Attack Surface Management offering based on these three pillars – and we’re thrilled to formally launch it to the public today. Ready to learn more about our service and technology platform? Visit

Detect and Protect the Unknown with NetSPI's Attack Surface Management – Learn More!

Twin Cities Business: The Malware Pandemic

On February 22, 2022, Aaron Shilts was featured in a Twin Cities Business article titled, The Malware Pandemic. Preview the article below, or read the full article online here.

+ + +

In the information technology world, Log4j could become the equivalent of a particularly virulent Covid variant—and for businesses, a potentially bigger danger.

Log4j is an open-source, Java-based utility that logs error messages in software applications. In early December, a cybersecurity staffer with the Alibaba Cloud service in China discovered a vulnerability—a flaw—in Log4j that could open millions of businesses and other organizations to cyberattacks. A second flaw was found shortly afterward.

Compared to a data breach releasing sensitive information of millions of retail customers, the dangers of Log4j’s flaws are harder for non-IT people to understand. But as a cybersecurity threat, Log4j could become a disaster of pandemic proportions. That’s because innumerable organizations have the utility in their IT networks—and many don’t even know it’s there. Log4j could allow cybercrooks worldwide to steal data, encrypt servers, shut down factory floors, deceive companies into wiring them money, and demand thousands, even millions, of dollars in ransom.

Lurking in the shadows

Every software program inevitably and unavoidably has vulnerabilities. Over time, most bugs get fixed. But as in the case of Log4j, a tiny flaw in a widely used software component can explode throughout networks worldwide.

A flaw could be something that isn’t visible, notes Aaron Shilts, CEO of Minneapolis-based cybersecurity firm NetSPI, which specializes in network penetration testing and “attack surface management” for its business clients. More than 50 percent of NetSPI’s work involves testing applications—which Shilts terms “the lifeblood of any enterprise” —for vulnerabilities. 


Lifewire: Why Unwanted Tracking Is on the Rise

On February 18, 2022, Nabil Hannan was featured in a LifeWire article titled, Why Unwanted Tracking Is on the Rise. Preview the article below, or read the full article online here.

+ + +

It’s never been easier to track your possessions thanks to gadgets like Apple AirTags, but they also contribute to a growing privacy problem.

Apple recently said it would improve AirTag safeguards after reports of people being tracked surreptitiously using AirTags. However, some experts say Apple’s efforts won’t be sufficient to protect users.

“Even with the personal safety guide released by Apple, consumers are still subject to increased risks, as it only gives consumers some tools to use if they suspect their device has been compromised,” Nabil Hannan, managing director at cybersecurity firm NetSPI, told Lifewire in an email interview.

AirTags or CreepTags?

AirTags send out Bluetooth signals that nearby Apple devices can detect. Many people have claimed they’ve been tracked by people using AirTags without their knowledge.


Mainframe Security Misconceptions

There are two types of people. Those who know they have a mainframe and those who don’t. Regardless of the category you fall into, I think we can all agree that mainframe security is not prioritized today.

But it should be. 

Mainframes are important. They’re often used in highly regulated industries that have high-volume transactions. Think financial services, insurance companies, healthcare providers, government, airlines, and giant retailers that have been around for 15+ years.

Mainframes are built to be exceptionally resilient and are extremely fast and reliable for processing high volume, small transactions, such as ATM and credit card transactions or airline ticketing. Given the data is stored in one single place, mainframes make it easy to access and share data across an organization.

So, why don’t we prioritize mainframe security? 

Because it’s misconstrued.

In this article, I’ll debunk four mainframe security misconceptions and answer many of the questions I receive regularly, including:

  1. Why don’t we see regular mainframe breaches? 
  2. What would happen if my mainframe was breached? 
  3. Can a mainframe get infected by malware?
  4. Who is responsible for mainframe security?
  5. Should I pentest my mainframe?

There are many “mainframes” according to popular connotations. The IBM Z series, OpenVMS, HP Non-Stop, and the IBM iSeries, to name a few. In this article, I’ll focus on IBM z/OS given it is the mainframe of choice for the vast majority of organizations. Let’s get started.

“The mainframe rarely gets breached”

Mainframes are just as likely to experience a breach as any other system, but many wrongly assume it to be inherently secure. It can experience buffer overflows, ransomware attacks, and zero-day vulnerabilities. It’s a different architecture, but there’s nothing magical about it.

Contrary to popular assumptions, mainframes can be infected by malware – and it would work well. Malware infection is not limited to phishing emails. It can be introduced to mainframe systems directly (placed there by a programmer), remotely (via any remote management protocol such as FTP, or SSH), or via an undiscovered or unpatched software vulnerability (just like any other operating system!).

With the critical workloads running on these systems, the impact of a high-risk vulnerability being exploited could severely damage customer and business operations.

We do not see mainframe security issues making headlines or being talked about at the board level because many companies operate them with a “security through obscurity” mindset. IBM does not publicly publish the security details in authorized program analysis reports (APARs). By not providing vulnerability details publicly, it is perceived that external attackers and internal personnel threats cannot gain access to information that could put an enterprise at undue risk. However, attackers and internal threats can get ready access to z/OS and other platforms and use them to develop attacks and find vulnerabilities.

It’s important to understand that mainframes are computers. Really important and complex computers, but computers, nevertheless. And they can and do experience breaches – we are simply not always made aware of the incidents.

“Mainframes are old”

Tesla has its roots in the Model T. Does that make Tesla old and outdated?

IBM unveiled the first mainframe computer system, System/360, in 1964. Since then, do you think IBM stopped innovating? Not exactly. The images below illustrate what people often picture when they think of mainframes (left) and what a modern mainframe looks like (right).

Graphic representation of what people often think of. in regards to mainframes
What a modern mainframe looks like.

You either refresh your tech or you don’t. It is not the mainframe technology itself that is old, it’s that organizations are not refreshing their mainframe systems when required.

Government organizations are known to maintain legacy systems. In 2017, research released on the government’s systems found that the U.S., overall, has more than 3,400 IT professionals employed to maintain legacy programming languages, such as COBOL.

Another key issue with this misconception is that mainframes are viewed as too outdated or complex for anyone new to learn. Because of this misconception, hands-on mainframe security training is nearly non-existent today. To help fill this gap, I developed Evil Mainframe, a first-of-its-kind z/OS penetration testing primer for pentesters and mainframe security professionals.

“IBM is responsible for my mainframe security”

Talk to any cloud security expert and they will understand the concept of the Shared Responsibility Model. It dictates the security obligations of a cloud computing provider – IBM included – and its users to ensure accountability. This model should also apply to the mainframe.

IBM controls all vulnerabilities and patch management in a silo for z/OS. They release patches quietly, which can give people a false sense of security. In a perfect world, IBM z/OS might operate similarly to how the Microsoft Security Response Center operates and encourages ethical hackers to stress test its systems.

People remain the easiest attack vector for mainframe breaches, whether it’s through phishing, social engineering, or brute force. Nothing about the mainframe itself prevents this (remember it’s just a computer), but security leaders are responsible for creating policies, implementing security awareness training, and educating defensive teams to detect and prevent attacks on the user side – just as they would for any other platform.

“I don’t need to perform mainframe pentesting”

The mainframe is a monolith of federated data and storage environments all hosted under one system. I call it a ‘data center in a box’. If an adversary gained access to the mainframe, they could exfiltrate data, delete data, access all collateral that supports your business operations in a single platform. 

As I’ve reiterated throughout this article, cyberattacks are possible in a mainframe. It has Java, web apps, etc. just like any other platform. Yet, mainframes are often left out of enterprise vulnerability management programs. We perform application pentesting, cloud pentests, and external network tests regularly, so why do we overlook the mainframe? It’s like getting a physical, but the doctor doesn’t examine your heart.

To improve your mainframe security posture, you don’t need all the bells and whistles. Mainframe penetration testing is a basic security activity you can do to:

  • Eliminate the false sense of security that accompanies mainframe systems.
  • Validate your detective controls and capabilities – are you detecting the pentesters in the system? 
  • Do more with less. The number of people that operate and manage these technologies is dwindling. A pentest can help you prioritize the riskiest vulnerabilities and work as an extension of your team.
  • Comply with regulatory pressures. As mentioned earlier, mainframes are often found in highly regulated industries – and regulators are getting smarter. Get proactive with your testing strategy.
  • Avoid a mainframe outage and continue doing business in a meaningful way.

Final Words

Mainframe security should be prioritized and it’s up to you to drive your security strategy. You have best practices for all your other platforms – apply them to your mainframes as well! Business and security leaders that have mainframe systems, or realized they operate on a mainframe after reading this article, must take ownership over their mainframe security. By getting proactive with mainframe security, we can prevent breaches, stay ahead of regulators, and ultimately reduce organizational risk.

Ready to get proactive with your mainframe security? Connect with NetSPI for your mainframe penetration testing needs.

TechNewsWorld: 49ers Blitzed by Ransomware

On February 15, 2022, Nabil Hannan was featured in a TechNewsWorld article titled, 49ers Blitzed by Ransomware. Preview the article below, or read the full article online here.

+ + +

While their downstate rivals the Los Angeles Rams were busy winning Super Bowl LVI, the San Francisco 49ers were being clipped in a ransomware attack.

News of the attack was reported by the Associated Press after cybercriminals posted documents to the dark web that they claimed were stolen from the NFL franchise.

In a public statement obtained by TechNewsWorld, the team noted: “We recently became aware of a network security incident that resulted in temporary disruption to certain systems on our corporate IT network.”

Looking for Street Cred

Nabil Hannan, managing director at NetSPI, a penetration testing company in Minneapolis, maintained that it’s unusual for a ransomware gang to post exfiltrated data on the web without making any ransom demands.

“I would assume this is due to the fact that they weren’t able to hold any critical systems hostage,” he told TechNewsWorld.

“The gang may have been able to encrypt/steal some files or systems that were categorized as non-critical, but they likely knew that they wouldn’t be able to receive any ransom payout for such information,” he surmised.

“Most likely this was an act to get ‘street creds’ and pose that they were able to steal information from such a high profile organization to show their reach and ability to break into any system,” he said.


SHRM: Concerns Linger Following UKG Ransomware Attack

On February 1, 2022, Nabil Hannan was featured in SHRM’s article on the UKG ransomware attack. Preview the article below, or read the full article online here

+ + +

Along ordeal for customers of Ultimate Kronos Group (UKG) is nearing an end. The vendor has restored its time-keeping and payroll services after a ransomware attack disrupted the lives of thousands of HR professionals and employees alike.

But experts say fallout from the attack will continue, given that some customer data was stolen, companies will have to transition manual records back into UKG systems and shaken clients are questioning their future with the vendor.

In a public update on Jan. 22, UKG said it had restored core time, scheduling and payroll capabilities to all customers impacted by the ransomware attack on its Kronos Private Cloud system. The statement said UKG is now focused on the “restoration of supplemental features and nonproduction environments” and is offering video-based recovery guides to help customers reconcile their data.

The outage—which lasted more than a month for many UKG clients—forced thousands of organizations to scramble to create manual workarounds. It happened during a particularly challenging time of year; employers had to find ways to pay workers holiday pay and overtime as employees worked extra shifts to cover staff shortages caused by the omicron variant of the coronavirus and ongoing resignations.

UKG and companies using its services may be facing legal action. “Unfortunately, some customer data was stolen in the attacks and that creates a secondary concern for UKG and its clients,” said Allie Mellen, a security and risk analyst with research and advisory firm Forrester. UKG confirmed in its latest public statement that the personal data of at least two of its customers had been “exfiltrated” or breached.


Cautionary Tale for HR Tech Vendors

HR technology analysts say vendors and their clients should brace themselves for similar attacks as more hackers train their sights on sensitive employee data rather than customer data.

“The reality is we’re going to see more of these attacks,” said Trevor White, a research manager specializing in HCM technologies with Nucleus Research in Boston. “The question for HR vendors is how they’ll limit disruption to their customers as they go about solving problems related to ransomware and other cyberattacks. Unless you pay the ransom, these things can take weeks to solve.”

Nabil Hannan, managing director for NetSPI, an enterprise security testing and vulnerability management firm in Minneapolis, said too many organizations still focus on protecting customer data at the expense of securing employee data.

“Hackers are getting more creative and focusing more of their efforts on finding ways to lock up systems that on their face may not seem as critical but that have far-reaching impacts, like HR data,” Hannan said.


Penetration Testing Services vs. Bug Bounty Programs

While in the Kingdom of Saudi Arabia for the @Hack cybersecurity conference, we noticed a disconnect in the understanding of penetration testing. Many of the people we spoke with assumed pentesting and bug bounty programs were one and the same.

Spoiler alert: that assumption is incorrect. While they share a similar goal, pentesting services and bug bounties vary in impact and value.

In an effort to demystify the two vulnerability discovery activities, in this blog we will cover how each are used in practice, key differences, and explain the risks associated with solely relying on bug bounties.

What is a Bug Bounty Program?

Simply put, a bug bounty program consists of ethical hackers exchanging critical vulnerabilities, or bugs, for recognition and compensation. 

The parameters of a bug bounty program may vary from organization to organization. Some may scope out specific applications or networks to test and some may opt for a “free-for-all” approach. Regardless of the parameters, the process remains the same. A hacker finds a vulnerability, shares it with the organization, then, once validated, the organization pays out a bounty to the hacker. 

For a critical vulnerability finding, the average payout rose to $3,000 in 2021. Bounty payments have come a long way since 2013’s ‘t-shirt gate,’ where Yahoo offered hackers a $12.50 company store credit for finding a number of XSS (cross-site scripting) vulnerabilities – yikes.

What is Penetration Testing?

Penetration testing is an offensive security activity in which a team of pentesters, or ethical hackers, are hired to discover and verify vulnerabilities. Pentesters simulate the actions of a skilled adversary to gain privileged access to an IT system or application, such as cloud platforms, IoT devices, mobile applications, and everything in between. 

Pentesting also helps organizations meet security testing requirements set by regulatory bodies and industry standards such as PCI and HIPAA.

Pentesters use a combination of automated vulnerability discovery and manual penetration testing techniques. They work collaboratively to discover and report all vulnerability findings and help organizations with remediation prioritization. Pentesting partners like NetSPI work collaboratively with in-house security teams and are often viewed and treated as an extension of that team.

Penetration testing has evolved dramatically over the past five years with the emergence of penetration testing as a service (PTaaS). PTaaS enables more frequent, transparent, and collaborative testing. It streamlines vulnerability management and introduces interactive, real-time reporting. 

As an industry, we’ve shifted away from traditional pentesting where testers operate behind-the-curtain, then deliver a long PDF list of vulnerabilities for security teams to tackle on their own.

What is Penetration Testing?
For a more detailed definition, how it works, and criteria for selecting your penetration testing partner, read our guide.

6 Core Differences Between Pentesting and Bug Bounties

So, what are the greatest differences between pentesting and bug bounties? Let’s break it down into six components: personnel, payment, vulnerabilities, methodology, time, and strategy.


Pentesters are typically full-time employees that have been vetted and onboarded to provide consistent results. They often work collaboratively as a team, rather than relying on a single tester. 

Bug bounty hackers operate as independent contractors and are typically crowdsourced from across the globe. Working with crowdsourced hackers can open the door to risk, given you cannot be 100% confident in their intentions and motives. 

Will they sell the intel they gather to a malicious party for additional compensation? Will they insert malicious code during a test? With full-time employees, there are additional guardrails and accountability to ensure the hacking is performed ethically.


With penetration testing vendors, the payment model can vary. Cost is often influenced by the size of the organization, the complexity of the system or application, vendor experience, the scope, depth, and breadth of the test, among other factors. 

With a bug bounty program, the more severe the vulnerability, the more money a bug bounty hunter makes. Keep in mind that negotiation of the bounty payment is very common with bug bounty programs, so it is important to factor in the time and resources to manage those discussions.

Additionally, one cause for concern with bug bounty payments is that instead of reporting vulnerabilities as they are found, it’s common for hackers to hold on to the most severe vulnerabilities for greater payout and recognition during a bug bounty tournament. 


Because of the pay-per-vulnerability model bug bounty programs follow, it’s no surprise that many are focused solely on finding the highest severity vulnerabilities over the medium and low criticality ones. However, when chained together, lower severity vulnerabilities can expose an organization to significant risk.

This is a gap that penetration testing fills. Penetration testers chain together seemingly low-risk events to verify which vulnerabilities enable unauthorized access. Pentesters do prioritize critical vulnerabilities, but they also examine all vulnerabilities with a business context lens and communicate the risk each could pose to operations if exploited.

Vulnerability findings aside, there are also key differences in how the results are delivered. With bug bounties, it’s up to the person who found the vulnerability to decide when to disclose the flaw to the program – or save it for a tournament as mentioned above, or even disclose it publicly without consent.

Modern penetration testing companies like NetSPI operate transparently and report findings in real time as they are discovered. Plus, pentesters validate and retest to confirm the vulnerability exists, evaluate the risk it poses, and determine if it was fixed effectively.


The greatest difference in the testing methodology of bug bounty programs and penetration testing services is consistency.

From our discussions with security leaders, the biggest challenge they face with bug bounty programs is that service, quality, project management, and other key methodology factors often lack consistency. Notably, the pool of independent contractors varies across experience and expertise. And the level of effort diminishes as rewarding, critical vulnerabilities are found and researchers move on to opportunities with greater opportunity for compensation.

Penetration testing is more methodical in nature. Testers follow robust checklists to ensure consistency in the testing process and make certain that they are not missing any notable gaps in coverage. They also hold each other accountable by working on teams. At NetSPI, our pentesters use the workbench in our Resolve PTaaS technology platform to collaborate and maintain consistency.

For any organization that has legal, regulatory, or contractual obligations for a robust security testing bug bounties simply cannot meet those requirements. Bug bounty programs are opportunistic. There is no assurance of full coverage testing as they do not adhere to defined methodology or checklists to ensure consistency from assessor to assessor, or assessment to assessment. Some bug bounties can use checklists upon request – for a hefty added cost.


While bug bounty programs are evergreen and always-on, traditional penetration testing has been limited by time-boxed assessments.

To address this, first and foremost we recommend organizations provide their pentesting team with access to source code or perform a threat modeling assessment to equip their team with information a malicious hacker could gain access to in the wild. This allows pentesters to accurately emulate real attackers and spend more time finding business critical vulnerabilities.

The pentesting industry is rapidly evolving and is becoming more continuous, thanks to the PTaaS delivery model and attack surface management. Gone are the days of annual pentests that check a compliance box. We see a huge opportunity for integration with attack surface management capabilities to truly offer continuous testing of external assets.


Penetration testing is a strategic security activity. On the other hand, bug bounty programs are very tactical and transactional: find a vulnerability, report it, get paid for it, then move on to the next hunt.

As noted earlier, penetration testing is often viewed as an extension of an internal security team and collaborates closely with defensive teams. You can also find pentesting partners that offer strategic program maturity advisory services. Because of this, pentesters deeply understand the systems, networks, applications, etc. and can assess them holistically. This is particularly beneficial for complex systems and large organizations with massive technology ecosystems.

Furthermore, strategic partnerships between penetration testing vendors and their partners lead to a greater level of trust, institutional knowledge, and free information exchange. In other words, when you work with a team of penetration testers on an ongoing basis, their ability to understand the mechanics of your company and its technologies lends itself to discovering both a greater number and higher quality of vulnerabilities.

Final Thoughts

The way penetration testing has and continues to evolve fills many of the gaps left by bug bounty programs. There is certainly room for both bug bounty programs and penetration testing in the security sector – in many cases the services complement one another. However, it is important to understand the implications and risks associated when deciding where to focus your efforts and budget. 

Discover why security operations teams choose NetSPI.