Ever feel like you’re paying too much for security testing on some applications while others might need more attention? That’s a common problem for large organizations juggling hundreds or thousands of apps. At Edgescan, we’ve created a solution that helps you right-size your security testing.
The Right Testing at the Right Time
Over the past few years, we’ve seen a shift away from traditional annual pen testing to more flexible approaches. Instead of the old “schedule it, scope it, bill it, report it” model, our customers want something more dynamic.
The challenge is clear: If you have 500 pieces of technology, maybe 100 need full pen tests because customers or regulations demand it. But what about the other 400? What’s the right level of testing?
In an ideal world, you’d pen test everything. But that’s expensive and not always the best use of resources.
How License Suggestions Work
Our license suggestions function helps solve this problem. Here’s how it works:
- We start each piece of technology on an Essentials-level license (our lowest tier)
- We run assessments to see what’s actually there
- Based on what we find, we recommend the appropriate level of testing
For example, imagine a non-critical web application where you’re only doing unauthenticated testing. During scanning, we discover it has authenticated portions. We might suggest upgrading to authenticated testing for better coverage.
Two months later, after authenticated testing, we might find complex workflows and controls that a scanner can't adequately test. That's when we might recommend upgrading to a pen test.
The process works in reverse too. We can suggest downgrading applications that no longer need intensive testing, helping you level off spending instead of watching it constantly increase.
By the Numbers
We’ve made this work at scale. As part of our right-sizing efforts:
- We’ve reviewed 8,124 applications to ensure the license was the correct fit
- Found sub-optimal licensing on 1,846 of them and recommended upgrades or downgrades
- Our customers have actioned 1,555 changes to licenses to get them at a more appropriate level
One large customer alone has upgraded around 600 assets and downgraded about 400 others over two years.
Three Key Benefits
1. Flexibility and value: You get better bang for your buck. If you spend $100k with us, you’ll get the right testing for each asset, maximizing your security budget while making spending more predictable.
2. Mature security program: With a track record of upgrades and downgrades, you can show a dynamic, requirements-based vulnerability management program rather than following rigid checklists.
3. Better metadata: Edgescan has 19 metadata fields for each asset. We populate six based on technical context, but you provide the other 12 about business impact, compliance requirements, and risk factors. This forces a healthy maturity in your asset management program.
Works at Scale
This approach especially benefits organizations with hundreds or thousands of applications. Your assets go into the system and come out with appropriate testing levels based on their actual risk profile and technical needs.
Think of it as a funnel system that ensures each piece of technology gets exactly what it needs—no more, no less.
The metadata fields that drive our recommendations include things like PCI status, direct internet access, business criticality, information classification, and availability requirements.
By using these factors to determine the right level of testing, we help ensure your security budget goes where it matters most.
More detailed information about asset metadata attributes is available in our public-facing knowledgebase here.
Schedule a demo to see how Edgescan’s license suggestions can optimize your security budget while ensuring appropriate coverage for all your applications.