What Is PTaaS (Penetration Testing as a Service)?
December 7, 2022 - 2 min read
What is Penetration Testing?
Penetration testing is an exercise in which a security analyst probes an IT (Information Technology) system (web application, cloud, network, API) with the aim of finding exploitable vulnerabilities. It is most commonly performed against the application layer, but it also extends into the network, cloud, IoT and API layers. The expected output of such an exercise is a report detailing, for each discovered vulnerability, the method of discovery, its severity and risk, and the associated remediation recommendations.
Examples of such discovered issues include code-related weaknesses such as an OWASP Top 10 issue, a combination of host and web application weaknesses that only result in a breach when chained together, or an authorization issue that can only be discovered by leveraging a logical weakness, to name a few.
Traditional penetration testing has its drawbacks:
- It’s labour intensive and expensive.
- It does not scale very well.
- On its own, it does not keep pace with the rapid rate of change.
- It’s a point-in-time assessment in a changing world.
What is Penetration Testing as a Service (PTaaS)?
PTaaS is a hybrid solution that combines the breadth of scanning automation with the depth of human assessment. It delivers continuous and on-demand coverage and discovers issues that legacy automated tools cannot, such as contextual or business-logic flaws and complex multi-step vulnerabilities.
Penetration Testing as a Service (PTaaS) is not automation alone; that is scanning. PTaaS leverages human curiosity for depth and automation for breadth.
With PTaaS, results are available in real time instead of waiting for a report to be written. When a discovered vulnerability is fixed, it can be retested on demand without engaging expensive consultants, and reporting is likewise available on demand. Compare this to a traditional penetration test: if you performed one in May, you would get your results in June, and that is it. Once you have the results, you no longer know whether those vulnerabilities stay fixed or whether new issues appear.
Traditional penetration testing does not keep pace with changes in your environment, nor with the fact that new vulnerabilities are disclosed every day. Today you may look secure; tomorrow a new vulnerability becomes known, and you have a problem you did not have yesterday, without any of your systems having changed.
How does Penetration Testing as a Service (PTaaS) work?
PTaaS combines automation for scale with human intelligence for depth, resulting in a continuous feed of validated vulnerabilities that are real and actionable. It also assesses for classes of vulnerability that legacy scanning tools do not discover, such as authorization and business-logic flaws.
PTaaS includes continuous or on-demand assessments and validation to keep pace with change as an application, cloud environment or API evolves over time. The PTaaS team of consultants are OSCP and CREST-approved certified.
Benefits of PTaaS:
- Rapid: Retesting on demand to verify mitigation at no extra cost or reliance on consultant availability.
- Efficient: Low administrative overhead and little documentation required to deliver the penetration test.
- Infinite: Continuous, validated assessment with on-demand deep expert-driven penetration testing.
- Forecastable: Fixed license-based cost.
- Integrated and constant: Continuous monitoring, Attack Surface Management (ASM) and alert integration into a variety of alerting and ticketing systems. https://www.edgescan.com/technology-integrations/
- On-demand: On-demand reporting for any period of time per asset, including attestation that the asset underwent a penetration test (PTaaS) by certified experts. API-based reporting for GRC integration.
- Reporting: Custom reporting covering, for example, closed vulnerabilities, vulnerability age, posture trending and other security metrics.
- Break down silos of data: Integration of PTaaS output in the same repository as continuous vulnerability management output.
- Remediation tracking: Internal Service Level Agreement (SLA) tracking, designed to help ensure high-severity vulnerabilities are mitigated in a timely manner.
- Prioritization: Mapping against the CISA Known Exploited Vulnerabilities catalog to identify high-priority discovered vulnerabilities and aid prioritization. https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Focused: The PTaaS team is already familiar with the asset if it is currently managed by Edgescan, allowing human expertise to focus on complex and severe vulnerabilities while the technical vulnerabilities are discovered by Edgescan technology.
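To make the prioritization and remediation-tracking bullets concrete, here is an added example (not Edgescan's code or product logic) that ranks a constructed set of findings by KEV membership, SLA breach and severity, and computes the posture metrics a retest feed would report. The KEV set, SLA thresholds, CVE identifiers and dates are all placeholders constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed stand-ins: a KEV subset and an assumed internal SLA (days open per severity).
KEV_IDS = {"CVE-2099-0001", "CVE-2099-0002"}
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
TODAY = date(2022, 12, 7)  # report date for the sample

@dataclass
class Finding:
    asset: str
    title: str
    severity: str                  # critical / high / medium / low
    discovered: date
    cve: Optional[str] = None
    closed: Optional[date] = None  # set once an on-demand retest confirms the fix

def age_days(f: Finding, today: date) -> int:
    """Days the finding stayed open (until closure, or until today if still open)."""
    return ((f.closed or today) - f.discovered).days

def in_kev(f: Finding, kev_ids=KEV_IDS) -> bool:
    """KEV mapping: is the finding's CVE in the known-exploited catalogue?"""
    return f.cve is not None and f.cve in kev_ids

def sla_breached(f: Finding, today: date, sla=SLA_DAYS) -> bool:
    """True if the finding has been open longer than its severity's SLA."""
    return age_days(f, today) > sla[f.severity]

def prioritize(findings, today: date):
    """Open findings ordered by KEV membership, then SLA breach, then severity, then age."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    open_f = [f for f in findings if f.closed is None]
    return sorted(open_f, key=lambda f: (not in_kev(f), not sla_breached(f, today),
                                         rank[f.severity], -age_days(f, today)))

def posture_metrics(findings, today: date) -> dict:
    """Closed count, mean open age and SLA breaches, the basis of posture trending."""
    open_f = [f for f in findings if f.closed is None]
    mean_age = sum(age_days(f, today) for f in open_f) / len(open_f) if open_f else 0.0
    return {"open": len(open_f), "closed": len(findings) - len(open_f),
            "mean_open_age": mean_age, "sla_breaches": sum(sla_breached(f, today) for f in open_f)}

# Constructed sample findings (no real assets or vulnerabilities).
SAMPLE = [
    Finding("app-a", "Broken object-level authorization", "high", date(2022, 10, 1)),
    Finding("web-b", "Outdated library", "medium", date(2022, 11, 20), cve="CVE-2099-0001"),
    Finding("api-c", "Verbose error messages", "low", date(2022, 11, 1)),
    Finding("app-a", "SQL injection", "critical", date(2022, 9, 1), cve="CVE-2099-0002",
            closed=date(2022, 9, 5)),
]
```

Run against the sample, the KEV-listed medium outranks the SLA-breached high, and the closed critical only contributes to the closed count.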