
Gartner Hype Cycle for Security Operations: Key Considerations When Selecting Your PTaaS Partner

We’re excited to announce that NetSPI was named as a key Penetration Testing as a Service (PTaaS) vendor in Gartner’s Hype Cycle for Security Operations, 2021. In the report, PTaaS was named an Innovation Trigger, with the technology-enabled service categorized as a “breakthrough” that “generates significant media and industry interest.” At NetSPI, our unique approach to PTaaS allows us to deliver a more specialized offering to customers than our peers in the space. 

This report comes at a pivotal time, when more organizations are beginning to understand the role penetration testing plays in their overall cybersecurity strategy. For organizations evaluating PTaaS solutions, it can be difficult to assess which solutions fit which needs, and which factors require careful consideration. Fortunately, Gartner’s report (in tandem with this article) can help business leaders and security practitioners better understand the PTaaS market and what the right solution can do for their organizations. 

What is PTaaS? 

PTaaS refers to enterprise security testing that is delivered through a technology platform. This tech-enabled approach combines traditional manual penetration testing techniques and the use of advanced technologies to detect vulnerabilities more efficiently and effectively, while delivering a modern, SaaS-like experience to end users. According to Gartner’s hype cycle analysis, PTaaS offers many benefits, providing “point-in-time and continuous application and infrastructure pentesting services which traditionally relied on human pentesters using commercial/proprietary tools.” With costly cyber-attacks increasing in prevalence, the importance of understanding and addressing cyber risk is greater than ever, making PTaaS a core component of enterprise attack surface management. 

While penetration testing services themselves aren’t new, it is only recently that the industry has begun delivering penetration testing through software-as-a-service (SaaS) platforms. Gartner lists the following as the top benefits of the PTaaS delivery model:

  • Faster scheduling and execution
  • Real-time communications with testers
  • Visibility of test results
  • Workflow automation via tool integrations (DevOps, ticket management)
  • Access to a large pool of testers with specific subject-matter expertise
  • An outcome-driven approach

Bug Bounty vs. Traditional Pentesting vs. PTaaS

Just as not all security testing approaches are equal, not all PTaaS providers are equal either. Looking at the security testing industry as a whole, there are three primary ways to engage a third party for manual penetration testing:

  • PTaaS
  • Traditional penetration testing
  • Bug bounty

Many large programs will run a combination of testing from multiple sources. It is typical to see an enterprise use their internal testing team, bug bounty programs, and external/third party pentesting providers. This is where understanding the difference between PTaaS solutions and traditional penetration testing becomes important.

NetSPI is the only PTaaS provider rooted in traditional penetration testing. Because we are also technology-driven, our customers receive all the PTaaS benefits Gartner identified, which traditional testing firms cannot offer. Most other PTaaS providers are technology-driven as well, but they draw on a talent pool of independent contractors (often called “security researchers”), whereas NetSPI’s testing is performed by vetted full-time employees.

Set aside for a moment the fact that it is difficult to validate the motives and ethics of a pentesting team that is not vetted as thoroughly as full-time employees are. The biggest challenge with bug bounty-style PTaaS programs is that service, quality, project management, and other key methodology factors often lack consistency. And in pentesting, consistency is key.

From our conversations within the industry, we’ve heard of major gaps in the completeness of PTaaS assessments that rely on a pool of independent contractors. The level of effort wanes once the well-rewarded critical vulnerabilities are found, and researchers tend to move on to engagements that offer greater compensation. For organizations that need to demonstrate consistency and completeness, bug bounty-driven PTaaS programs leave a lot to be desired. Add to this the issues of bench depth and expertise limitations, and it becomes clear that an enterprise testing program cannot be built around a self-service PTaaS model dependent on independent contractors.


Considerations for Assessing PTaaS Solutions

As with any emerging technology or service, researching the various offerings in the market and deciding on the right one can feel like a daunting task. To this end, the Gartner report offers criteria prospective buyers can use to understand which PTaaS solution best meets their needs. 

Pulling from Gartner’s criteria list and my personal experience in the pentesting space, here are five things business and security leaders should consider when evaluating PTaaS vendors:

  • Evaluate whether your organization needs a vulnerability assessment or a penetration test: Both services may appear similar at first glance, but there are significant differences in cost and deliverables. The vast majority of critical-severity findings are uncovered through human effort. Many providers will tell you they are running a pentest when they are only running scans against your environment. Scans produce a large volume of lower-severity findings and noise, but they will not find the critical vulnerabilities that proper, sophisticated penetration testing by an expert will. 
  • Identify and evaluate the pentesting requirements that PTaaS vendors can fulfill: PTaaS is well aligned to application pentesting and external infrastructure testing. However, not all vendors can scale effectively to meet the needs of enterprise organizations, or provide the ongoing hands-on collaboration needed to remediate and manage vulnerabilities. This is where NetSPI’s traditional methodologies, delivered through PTaaS, help the most. Running tests across any organization is complicated and requires a high level of communication and support. Many other PTaaS providers offer a self-service model that does not scale properly in an enterprise environment. 
  • Prioritize compliance and quality: Compliance will remain a driving factor for pentesting programs, so business leaders should select a PTaaS provider that fulfills all of their compliance requirements while also going beyond “checking a box.” 
  • Seek true partners: No one has time to wade through hundreds of pages of PDFs to understand their organization’s current threat environment. Instead, look for PTaaS providers that offer customized, tailored guidance throughout the lifecycle of the service. NetSPI’s PTaaS solution lets customers log in and see remediation steps and instructions to reproduce every vulnerability we identified during each engagement. A static PDF cannot offer that level of granularity or insight. 
  • Know what is important to your organization: Every company has unique challenges. The better your PTaaS provider understands the goals you are looking to accomplish and why, the better the results you will see. 

Final Words

PTaaS solutions are not one size fits all. Some might offer features that won’t be relevant to the specific or strategic needs of your organization, while others might have blind spots that will end up leaving your organization vulnerable. 

In general, business and security leaders considering PTaaS solutions as a core component of their security program should seek those providers that offer a platform-driven approach with a well-organized team of subject matter experts driving the testing and execution of every engagement. 

They should also look for solutions that offer flexible testing options, which can be tailored and scaled to meet their specific and strategic needs. By following the guidance here and in the Gartner Hype Cycle for Security Operations report, organizations will be well on their way to better and more efficient security outcomes.

For additional help and criteria to consider, download our guide: How to Choose a Penetration Testing Company.