Penetration Testing as a Service (PTaaS)
Human Intellect + Automation + Analytics
Unique Hybrid Approach
Our penetration testing as a service (PTaaS) is a hybrid solution that combines the breadth of automation with the depth of human assessment, while integrated with advanced vulnerability management and cyber analytics. The pen testing platform provides an in-depth automated vulnerability assessment, automatically validates risk, and then rates that risk against a suite of risk databases. Penetration testing as a service (PTaaS) can be used to assess web applications, APIs and network/cloud devices.
Certified Experts Bring Intelligence
This is where the Edgescan advantage comes into full play. The unique intelligence behind the hybrid penetration testing solution comes from our team of security experts who are battle-hardened with industry accreditations such as CREST, OSCP, CEH. Their experience and expertise provides critical insight which uniquely supplements our automated penetration testing services platform.
Learn More about Penetration Testing as a Service (PTaaS)
How the Penetration Testing Process Works
Many of the Edgescan solutions are utilized when conducting pen tests. The scanning engine assists and speeds up recon and discovery allowing Edgescan to scale continuous testing without losing accuracy.
1. During an assessment, the Edgescan validation engine queries millions of vulnerability examples stored in our data lake.
2. Vulnerability data is then run through our proprietary analytics models to determine if the vulnerability is a true positive.
3. If it meets a certain numeric threshold it is released to the customer; we call this an auto-commit vulnerability.
4. If the confidence level falls below the threshold, the vulnerability is flagged for expert validation by an Edgescan security analyst.
Our hybrid process of advanced scanning automation and cyber analytics combined with human intelligence is what differentiates us from scanning tools and traditional pen testing services.
We provide real and actionable results.
Certified security analysts.
Battle-hardened experts.
Human intelligence.
A penetration test is delivered by our certified experts who focus on testing sensitive areas of an asset that can’t be discovered by an automated scanner such as complex business logic and authorization weaknesses which are contextual to your unique web application,
API or network deployment. Their analysis results in the discovery of issues automated tools usually miss such as contextual/business logic or complex multi-step vulnerabilities.
Edgescan is an ISO27001 and CREST certified organization, and our security analysts are seasoned experts and carry a range of industry credentials including CREST, OSCP and CEH certifications.
Benefits of Using a Penetration as a Service Testing Solution
View results in a ‘single pane of glass’
View results in a ‘single pane of glass’ that seamlessly integrates other Edgescan solutions such as risk-based Vulnerability Management, External Attack Surface Management, App and Web/API security. Vulnerability intelligence is shared across all five solutions ensuring accuracy and fast remediation.
Risk-rated results with prioritized remediation
By evaluating the asset priority, business risk, and compensating controls the true impact of the vulnerability and security gaps can be determined.
The platform employs risk-rating systems like CVSS EPSS, and CISA KEV, and our own EVSS score, resulting in superior risk-based data to enable accelerated identification of high-risk issues and rapid remediation.
Flexibility to remediate and retest as often as needed
Retesting covers findings discovered during automated scanning and manual pen testing and is explicitly verified by our testing team – which ensures comprehensive remediation. No additional costs of or overhead of traditional pentesting.
Integrate with existing tools
Validated vulnerability data is fed into existing workflows for easy implementation into hundreds of technologies and solutions: bug tracking, risk dashboards, ticketing systems, etc.
Supplying existing tools with validated, accurate vulnerability data on demand and over time is tremendously beneficial to SecOps and DevOps teams alike for auditing and trend analysis.
Types of Penetration Testing: API, Web Application, Network, Device
API PTaaS
Continuous assessment using a combination of both automated tooling and certified CREST/OSCP expertise, smart API specific security automation and human expertise. On-demand penetration testing coupled with continuous vulnerability assessment, exposure validation, risk rating and support.
Web Application PTaaS
Continuous web application assessment using a combination of both automated tooling and certified CREST/OSCP expertise. On-demand penetration testing coupled with continuous vulnerability assessment, exposure validation, risk rating and support. Authenticated and unauthenticated testing for complete web application coverage.
Network/Device PTaaS
Continuous internal and external assessments of networks, hosts and devices, using a combination of both automated tooling and certified CREST/OSCP expertise. On-demand penetration testing coupled with continuous vulnerability assessment, exposure validation, risk rating and support. Authenticated and unauthenticated testing for complete web application coverage.
PTaaS FAQs
The answers are “yes” and “yes”. Since penetration testing, or “pentesting”, is designed to find exploitable security vulnerabilities and unintentional data exposure, thereby, helping organizations manage risk, meet compliance mandates, and maintain safe business continuity, it should be conducted on a regular basis. New vulnerabilities and exploits are discovered weekly, if not daily, and, to discover and mitigate the critical ones, pentesting should be executed regularly.
So how often should your organization run pentests? As there is no specific, mandatory time frame, it depends on the size and industry type of your organization, your available resources, and the scale of testing you want to conduct. Follow what is best for your organization’s overall security strategy and risk tolerance.
Pentesting as a Service (PTaaS) should be an integral component to your overall security strategy. While common security technologies and tools like data encryption (AES), network traffic encryption (TLS), next gen firewalls (NGFWs), web application firewalls (WAFs), Secure Web Gateways (SWGs), Data Loss Protection (DLP), and Vulnerability Management (VM) all provide tremendous benefit to any enterprise’s security program, pentesting complements these tools and provides a different, but necessary, function. Pentesting finds exploitable vulnerabilities and unintentional data exposure in hosts, end points, applications, web applications and APIs – functions that these tools do not do.
While mostly associated with VM tools, pentesting and vulnerability scanning are not the same.
While vulnerability scans provide details on what vulnerabilities are present, penetration tests add more insight by verifying if these vulnerabilities could be leveraged to gain access within the tested environment.
Delivered as a service to offer greater scale, agility, and risk awareness versus traditional onsite pentesting tools and processes, PTaaS provides organizations of all sizes with the ability to expose and mitigate vulnerabilities without the need for significant human resources.
While there are many details involved in pentesting, the process can be described in several phases:
1. Planning and reconnaissance – pentest goals are defined, and intelligence is gathered (e.g., email server, network and domain names),
2. Scanning – tools are used to understand how a target responds to intrusions, typically using both static and dynamic analyses (e.g., SQL injections, brute force attacks),
3. Gaining access – attacks are staged to discover the target’s vulnerabilities,
4. Maintaining access – Advanced Persistent Threats (APTs) are imitated to verify if vulnerabilities can be used to maintain access,
5. Analysis and device configuration – results are compiled into a report and then used to configure security device settings (e.g., WAFs, NGFW) before tests are run again.
The above process is conducted against externally accessible targets, such as the company’s website, email and domain name servers (DNS) to emulate an outside attacker, as well as against internal targets to imitate a malicious insider or disgruntled employee. Typically, a combination of automated tools and human-led testing and verification processes are used in any pentesting strategy.
The Edgescan PTaaS is a hybrid solution that combines the breadth of automation with the depth of human assessment, while integrated with advanced vulnerability management and analytics. PTaaS can be used to assess web applications, APIs and network/cloud devices utilizing risk rating methodologies to prioritize remediation. The platform employs several risk scoring systems (i.e., CVSS, CISA KEV, EPSS) and our own Edgescan Validated Security Score (EVSS) to risk-rate results.
The Edgescan PTaaS solution utilizes the Edgescan security team’s extensive technical expertise as well as the entire suite of applications within the Edgescan platform to provide vulnerability assessment, exposure validation, and risk ratings. Edgescan security experts offer battle-hardened security experience combined with countless industry accreditations such as CREST, OSCP, and CEH, to provide clients with deep wisdom and insight to readily resolve their security needs.
Penetration testing is where a security analyst simulates or investigates an IT (Information Technology) system (Web Application, Cloud, Network, API) with the aim to find any exploitable vulnerabilities. It is not uncommon to perform penetration tests on the application layer however it also extends into the network, cloud, IoT & API layers. The expected output of such an exercise is a report with detailed information discussing the method of discovery, Severity, Risk and associated remediation recommendations for the discovered vulnerabilities.
Examples of such discovered issues could include code-related weaknesses such as an OWASP Top 10 issue, a combination of host and web application weaknesses which result in a breach if combined, an authorization issue which could only be discovered by leveraging a logical weakness.
It’s labour intensive and expensive.
It does not scale very well.
It alone does not keep pace with the rapid pace of change.
It’s a point-in-time assessment in a changing world.
Traditional penetration testing does not keep pace with changes in your environment or the fact that new vulnerabilities are discovered every day. Today you may look secure, tomorrow a new vulnerability is known about, now you have a problem you did not have yesterday, without any of your systems changing!
Rapid: Retesting on demand to verify mitigation at no extra cost.
Efficient: Low administrative overhead and documentation required to deliver the penetration test.
Infinite: Continuous, validated assessment with on-demand deep expert-driven penetration testing.
Forecastable: Fixed license-based cost.
Continuous monitoring across your entire asset portfolio utilizing our External Attack Surface Management (EASM) solution
Event alerts: alert integration into a variety of alerting and ticketing systems th
On-demand: On-demand reporting for any period of time per asset including assertation that the asset underwent a Penetration Test (PTaaS) by certified experts. API based reporting for GRC integration.
Reporting: Custom reporting including E.g;, closed vulnerabilities, vulnerability age, posture trending and other security metrics.
Break down silos of data: Integration of PTaaS output in the same repository as continuous vulnerability management output.
Remediation tracking: Internal Service Level Agreement (SLA) tracking, designed to help ensure high-severity vulnerabilities are mitigated in a timely manner.
Prioritization: CISA Exploit Catalogue mapping to help identify high-priority discovered vulnerabilities and aid prioritization. https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Focused: Our security analysts are already familiar with the asset allowing for the human expertise to focus on complex and severe vulnerabilities whilst the technical vulnerabilities are discovered by Edgescan scanning technology
Penetration Testing as a Service is not automation, that’s scanning.
Penetration Testing as a Service (PTaaS) is a hybrid solution that leverages human curiosity for depth and automation for breadth and analytics for verification and risk-based results.
Penetration testing as a service (PTaaS) is a hybrid solution that combines the breadth of automation with the depth of human assessment, while integrated with advanced vulnerability management and analytics; it assesses for vulnerabilities which are not discovered by legacy scanning tools such as authorization or business logic. PTaaS can be used to assess web applications, APIs, cloud assets, and network devices utilizing risk rating methodologies to prioritize remediation.
With PTaaS results can be accessed in real-time instead of waiting for a report to be developed. When a discovered vulnerability is fixed, one can retest on-demand without engaging expensive consultants. Reporting is on demand also. Compare this to a traditional Penetration Test. If you performed a Penetration Test in May, you’d get your results in June and that’s it. Once you get your results you will no longer know if those vulnerabilities stay fixed or if new issues pop up.