What Is PTaaS (Penetration Testing as a Service)?
December 7, 2022 - 2 min read
What is Penetration testing?
Pen testing, or penetration testing, is a common security practice in the corporate world used to find out how vulnerable a particular asset or group of assets is. It helps developers and companies stay secure and remain resilient in an ever-changing cyber world.
Penetration testing is where a security analyst simulates attacks against or investigates an IT (Information Technology) system (web application, cloud, network, API) with the aim of finding exploitable vulnerabilities. Penetration tests are commonly performed on the application layer, but they also extend into the network, cloud, IoT and API layers. The expected output of such an exercise is a report with detailed information on the method of discovery, severity, risk and associated remediation recommendations for the discovered vulnerabilities.
Examples of such discovered issues include, to name a few, code-related weaknesses such as an OWASP Top 10 issue, a combination of host and web application weaknesses which result in a breach when combined, or an authorization issue which could only be discovered by leveraging a logical weakness.
Traditional penetration testing has its drawbacks:
- It’s labour intensive and expensive.
- It does not scale very well.
- On its own, it does not keep pace with the rapid rate of change.
- It’s a point-in-time assessment in a changing world.
What is Penetration Testing as a Service (PTaaS)?
Penetration Testing as a Service (or PTaaS for short) is when a provider delivers a hybrid solution combining the best of both technical automation and human intelligence.
Penetration Testing as a Service (PTaaS) is not automation; that’s scanning. Penetration Testing as a Service (PTaaS) is a hybrid: human curiosity for depth, automation for breadth.
It delivers continuous and on-demand coverage and discovers issues automated tools generally can’t discover (Contextual/Business logic or complex multi-step vulnerabilities).
With Penetration Testing as a Service (PTaaS) one can access their results in real-time instead of waiting for a report to be developed. When a discovered vulnerability is fixed, one can retest on-demand without engaging expensive consultants. Reporting is on demand also.
Compare this to a traditional Penetration Test. If you performed a Penetration Test in May, you’d get your results in June and that’s it. Once you get your results you will no longer know if those vulnerabilities stay fixed or if new issues pop up.
Traditional penetration testing does not keep pace with changes in your environment, nor with the fact that new vulnerabilities are discovered every day. Today you may look secure; tomorrow a new vulnerability becomes known, and now you have a problem you did not have yesterday, without any of your systems changing.
Basically, the key points of Penetration Testing as a Service (PTaaS) over a traditional pentest are as follows:
- Scalability – Automation is everywhere, but humans do depth. You need both.
- Speed – No dealing with consultants, contracts or scoping; on-demand is rapid.
- Cost – No per-day fees. Generally, Penetration Testing as a Service (PTaaS) is a fixed license.
- Continuous assessment coupled with a deep test led by an expert security person.
You can see from those four points alone that Penetration Testing as a Service (PTaaS) gives a major advantage over the traditional method.
Edgescan provides Penetration Testing as a Service (PTaaS) through our Smart Vulnerability Management Platform. We also offer ASM (Attack Surface Management), built into our platform, which gives organizations continuous visibility over their entire attack surface. To boot, we validate all automated output so everything you are informed about is accurate, clean, risk rated and with zero white noise.
How does Penetration Testing as a Service (PTaaS) work?
It’s a combination of both automation for scale and humans for depth and coverage. When PTaaS is enabled this results in a continuous feed of validated vulnerabilities.
Penetration Testing as a Service (PTaaS) also delivers coverage for assessment of vulnerabilities which are generally not discovered by scanning such as logical, authorization or business logic vulnerabilities.
PTaaS also includes continuous or on-demand assessments and validation to help keep pace with change as an application, cloud or API changes over time.
Benefits of PTaaS:
- Rapid: Retesting on demand to verify mitigation at no extra cost or reliance on consultant availability.
- Efficient: Low administrative overhead and documentation required to deliver the Penetration Test.
- Infinite: Continuous, validated assessment with on-demand deep expert-driven penetration testing.
- Forecastable: Fixed license-based cost.
- Integrations and continuity: Continuous monitoring, Attack Surface Management (ASM) and alert integration into a variety of alerting and ticketing systems. https://www.edgescan.com/technology-integrations/
- On-demand: On-demand reporting for any period of time per asset, including attestation that the asset underwent a penetration test (PTaaS) by certified experts. API-based reporting for GRC integration.
- Reporting: Custom reporting including, e.g., closed vulnerabilities, vulnerability age, posture trending and other security metrics.
- Break down silos of data: Integration of PTaaS output in the same repository as continuous vulnerability management output.
- Remediation tracking: Internal Service Level Agreement (SLA) tracking, designed to help ensure high-severity vulnerabilities are mitigated in a timely manner.
- Prioritization: CISA Exploit Catalogue mapping to help identify high-priority discovered vulnerabilities and aid prioritization. https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Focused: The Penetration Testing as a Service team is already familiar with the asset if it is currently managed by Edgescan, allowing human expertise to focus on complex and severe vulnerabilities while the technical vulnerabilities are discovered by Edgescan technology.
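The "Remediation tracking" and "Prioritization" bullets above describe two defender-side checks: enforcing an internal remediation SLA per severity, and mapping discovered vulnerabilities against the CISA Known Exploited Vulnerabilities (KEV) catalogue so that exploited-in-the-wild issues are fixed first. The Python below is an added example of how such logic can be implemented over a list of pentest findings; it is not Edgescan's code. The SLA day-counts, the findings, the asset names and the "today" date are constructed; the KEV excerpt only follows the public feed's field names (`vulnerabilities`, `cveID`, `dueDate`) and uses placeholder CVE ids rather than real catalogue entries.

```python
"""Added example: KEV-aware prioritisation and SLA tracking of pentest findings."""
import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed excerpt in the shape of CISA's public KEV JSON feed. The field
# names follow the real feed; the CVE ids and dates are placeholders.
KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "dueDate": "2022-12-01"},
  {"cveID": "CVE-0000-0002", "dueDate": "2022-12-20"}
]}
"""

# Hypothetical internal remediation SLAs, in days from discovery.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    asset: str
    severity: str
    discovered: date
    cve: Optional[str] = None      # None for logic/authorization flaws without a CVE
    closed: Optional[date] = None  # None while the finding is still open


def load_kev(kev_json: str) -> Dict[str, date]:
    """Return {cveID: dueDate} from a KEV-shaped JSON document."""
    data = json.loads(kev_json)
    return {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in data["vulnerabilities"]}


def in_kev(f: Finding, kev: Dict[str, date]) -> bool:
    return f.cve is not None and f.cve in kev


def due_date(f: Finding, kev: Dict[str, date]) -> date:
    """Internal SLA due date, pulled forward to the KEV due date when that is earlier."""
    due = f.discovered + timedelta(days=SLA_DAYS[f.severity])
    if in_kev(f, kev):
        due = min(due, kev[f.cve])
    return due


def is_breached(f: Finding, kev: Dict[str, date], today: date) -> bool:
    """True if the finding was closed after its due date, or is still open past it."""
    reference = f.closed if f.closed is not None else today
    return reference > due_date(f, kev)


def prioritise(findings: List[Finding], kev: Dict[str, date], today: date) -> List[Finding]:
    """Open findings ordered by KEV membership, then severity, then age (oldest first)."""
    open_findings = [f for f in findings if f.closed is None]
    return sorted(
        open_findings,
        key=lambda f: (not in_kev(f, kev), SEVERITY_RANK[f.severity], -(today - f.discovered).days),
    )


def sla_report(findings: List[Finding], kev: Dict[str, date], today: date) -> Dict[str, int]:
    """Counts a remediation dashboard would track."""
    open_f = [f for f in findings if f.closed is None]
    return {
        "open": len(open_f),
        "breached_open": sum(is_breached(f, kev, today) for f in open_f),
        "closed_late": sum(is_breached(f, kev, today) for f in findings if f.closed is not None),
        "kev_listed_open": sum(in_kev(f, kev) for f in open_f),
    }


# Constructed sample findings and reference date (the page's publication date).
TODAY = date(2022, 12, 7)
FINDINGS = [
    Finding("web-app-1", "medium", date(2022, 11, 20), cve="CVE-0000-0001"),
    Finding("api-1", "critical", date(2022, 11, 25)),  # authorization logic flaw, no CVE
    Finding("web-app-2", "high", date(2022, 11, 1), cve="CVE-0000-0003", closed=date(2022, 11, 10)),
    Finding("net-1", "low", date(2022, 12, 5), cve="CVE-0000-0002"),
]

if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    for f in prioritise(FINDINGS, kev, TODAY):
        flag = "KEV" if in_kev(f, kev) else "   "
        breach = "BREACHED" if is_breached(f, kev, TODAY) else "on track"
        print(f"{flag} {f.severity:<8} {f.asset:<10} due {due_date(f, kev)} {breach}")
    print(sla_report(FINDINGS, kev, TODAY))
```

Two design choices are worth noting. A KEV-listed medium outranks an unlisted critical here because the catalogue records active exploitation, which a CVSS score alone does not; if your programme weighs that differently, change the sort key. And the KEV due date pulls the internal SLA forward but never relaxes it, so the stricter of the two deadlines always wins, which is why the first constructed finding shows as breached despite its 30-day internal SLA.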