1. Summary
Penetration testing has long been a technique used by organizations to find vulnerabilities in their systems and applications, enabling them to improve practical security outcomes, satisfy customer requests for third-party attestation, support M&A due diligence activity, and meet regulatory requirements. The value derived from penetration testing is significant, illuminating previously unknown weaknesses and granting security teams the ability to shore up defenses.
There are challenges with a legacy penetration testing (“pen test”) approach, however. Legacy pen tests often leverage the expertise of just one or two penetration testers (“pen testers”), which can limit the type or overall quality of the pen test. Because of the limited pool of pen testers found at most legacy pen testing service providers, scheduling can often require weeks or months of lead time. Moreover, it can be several weeks before the report containing all of the findings from the pen test is ready for delivery.
Penetration testing as a service (PTaaS) builds on the efficacy of penetration testing methods and adds modern SaaS-like features, such as an interface that clients access to review centralized findings (vulnerabilities that have been exploited, potentially in real time), direct communications with pen testers, standardized testing methods, and integrations with other technologies.
While pen testing is quite mature, the PTaaS space is young. For this reason, the definition of PTaaS—and PTaaS solutions—will likely evolve over the next few years as the space matures.
This GigaOm Radar report highlights the various PTaaS vendors and equips IT decision-makers with the information needed to select the best fit for their business and use case requirements. In the corresponding GigaOm report “Key Criteria for Evaluating PTaaS Solutions,” we describe in more detail the key features and metrics that are used to evaluate vendors in this market.
How to Read this Report
This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:
Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.
GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.
Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.
2. Market Categories and Deployment Types
To better understand the market and vendor positioning (Table 1), we assess how well solutions for PTaaS are positioned to serve specific market segments.
- Small-to-medium business (SMB): In this category, we assess solutions on their ability to meet the needs of organizations ranging from small businesses to medium-sized companies. Also assessed are departmental use cases in large enterprises, where ease of use and deployment are more important than extensive management functionality, data mobility, and feature set.
- Large enterprise: Here offerings are assessed on their ability to support large and business-critical projects. Optimal solutions in this category will have a strong focus on flexibility, performance, data services, and features to improve security and data protection. Scalability is another big differentiator, as is the ability to deploy the same service in different environments.
In addition, we recognize two deployment models for solutions in this report: SaaS-only and hybrid solutions.
- SaaS-only solutions: These solutions are available only in the cloud. Designed, deployed, and managed by the service provider, they are all-inclusive. The big advantage of this type of solution is their simplicity and their integration capabilities with other technologies.
- Hybrid solutions: These solutions are meant to be consumed from a SaaS but also include the option to deploy bastion hosts (or other technologies) in on-premises environments or within private clouds. This allows the PTaaS solution to deliver both internal and external assessments.
Table 1. Vendor Positioning
| Vendor | SMB (Market Segment) | Enterprise (Market Segment) | SaaS (Deployment Model) | Hybrid (Deployment Model) |
|---|---|---|---|---|
| Astra Security | | | | |
| Bugcrowd | | | | |
| BreachLock | | | | |
| Cobalt | | | | |
| HackerOne | | | | |
| Software Secured | | | | |
| Synack | | | | |
Legend (ratings appear as icons in the original and are not reproduced here):
- Exceptional: Outstanding focus and execution
- Capable: Good but with room for improvement
- Limited: Lacking in execution and use cases
- Not applicable or absent
3. Key Criteria Comparison
Building on the findings from the GigaOm report, “Key Criteria for Evaluating PTaaS Solutions,” Table 2 summarizes how each vendor included in this research performs in the areas that we consider differentiating and critical in this sector. Table 3 follows this summary with insight into each product’s evaluation metrics—the top-line characteristics that define the impact each will have on the organization.
The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the market landscape, and gauge the potential impact on the business.
Table 2. Key Criteria Comparison
| Vendor | Built-In Vulnerability Scanners | Integration with SDLC Technologies | Automated Workflows | Enhanced Communications | Agile Pen-Testing Methods | Crowdsourcing Pen Testers |
|---|---|---|---|---|---|---|
| Astra Security | | | | | | |
| Bugcrowd | | | | | | |
| BreachLock | | | | | | |
| Cobalt | | | | | | |
| HackerOne | | | | | | |
| Software Secured | | | | | | |
| Synack | | | | | | |
Legend (ratings appear as icons in the original and are not reproduced here):
- Exceptional: Outstanding focus and execution
- Capable: Good but with room for improvement
- Limited: Lacking in execution and use cases
- Not applicable or absent
Table 3. Evaluation Metrics Comparison
| Vendor | Solution Ecosystem | Flexibility | Risk Reduction | Feature Set | Speed |
|---|---|---|---|---|---|
| Astra Security | | | | | |
| Bugcrowd | | | | | |
| BreachLock | | | | | |
| Cobalt | | | | | |
| HackerOne | | | | | |
| Software Secured | | | | | |
| Synack | | | | | |
Legend (ratings appear as icons in the original and are not reproduced here):
- Exceptional: Outstanding focus and execution
- Capable: Good but with room for improvement
- Limited: Lacking in execution and use cases
- Not applicable or absent
By combining the information provided in the tables above, the reader can develop a clear understanding of the technical solutions available in the market.
4. GigaOm Radar
This report synthesizes the analysis of key criteria and their impact on evaluation metrics to inform the GigaOm Radar graphic in Figure 1. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and feature sets.
The GigaOm Radar plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation, and Feature Play versus Platform Play—while providing an arrow that projects each solution’s evolution over the coming 12 to 18 months.
Figure 1. GigaOm Radar for PTaaS
As you can see in the Radar chart in Figure 1, BreachLock, Bugcrowd, HackerOne, and Synack are Mature solutions that deliver broad capabilities through their respective platforms. BreachLock is a solution that integrates AI technology with a thoughtful testing methodology to deliver comprehensive tests at scale, despite its choice to use in-house pen testers instead of crowdsourced testers. Bugcrowd, a long-time player in the bug bounty space, has extended successfully into the PTaaS market and brings with it years of engineering experience.
HackerOne is also a veteran of the bug bounty space and offers a PTaaS solution that is simple and intuitive for users while it integrates with Amazon Web Services (AWS) Security Hub for a standout feature. HackerOne also offers staff augmentation capabilities through its professional services organization. Synack is a good solution that delivers on the promise of simplicity and effectiveness.
Alone in the Innovation/Platform-Play quadrant is Cobalt, the first to market in the PTaaS space. It capitalizes on its extensive PTaaS experience and rapid development of new features to deliver a solution that is both simple to use and incredibly effective. The Cobalt solution scores well across the board on the key criteria and even offers staff augmentation capabilities through its professional services.
The Innovation/Feature-Play quadrant contains just two vendors. Astra Security, which was spun out of the 2018 Techstars accelerator, has a good breadth of features but doesn’t offer crowdsourced testers. Finally, Software Secured, which started as a boutique penetration testing firm serving financial organizations, now offers a PTaaS solution that takes a holistic view of the space, offering both pen testing services and consultative expertise for remediation activities, all included in a single price.
Inside the GigaOm Radar
The GigaOm Radar weighs each vendor’s execution, roadmap, and ability to innovate to plot solutions along two axes, each set as opposing pairs. On the Y axis, Maturity recognizes solution stability, strength of ecosystem, and a conservative stance, while Innovation highlights technical innovation and a more aggressive approach. On the X axis, Feature Play connotes a narrow focus on niche or cutting-edge functionality, while Platform Play displays a broader platform focus and commitment to a comprehensive feature set.
The closer to center a solution sits, the better its execution and value, with top performers occupying the inner Leaders circle. The centermost circle is almost always empty, reserved for highly mature and consolidated markets that lack space for further innovation.
The GigaOm Radar offers a forward-looking assessment, plotting the current and projected position of each solution over a 12- to 18-month window. Arrows indicate travel based on strategy and pace of innovation, with vendors designated as Forward Movers, Fast Movers, or Outperformers based on their rate of progression.
Note that the Radar excludes vendor market share as a metric. The focus is on forward-looking analysis that emphasizes the value of innovation and differentiation over incumbent market position.
5. Vendor Insights
Astra Security
Astra Security, which started in the Techstars accelerator in 2018, focused initially on application security, then expanded to include PTaaS. Astra’s PTaaS solution bundles a cloud vulnerability scanner that provides tests for Open Web Application Security Project (OWASP); SysAdmin, Audit, Network, and Security (SANS); and other controls. It also provides a variety of pen testing services, including web app, cloud, mobile, API, and blockchain testing. Pricing for the pen testing service starts at $4,500 a year for one “target,” which is defined as a URL. The result of a pen test can be shared publicly via a certificate that is provided upon completion.
The vulnerability scanner, which can be sold separately, has enhanced capabilities like scanning “behind” a web application’s authentication, browser-based crawling, and business logic error detection. The Astra Security vulnerability scanning solution differentiates itself from its competitors by including robust checks against security frameworks like GDPR, SOC2, ISO, HIPAA, and PCI. This data is displayed in a dedicated compliance dashboard.
This solution is able to integrate with many CI/CD technologies like GitHub, GitLab, Jenkins, Bitbucket, and CircleCI, allowing a shift-left approach to security that can be integrated into DevOps practices. For example, a vulnerability scan can be built into the pipeline with the Astra Security solution.
Automations are key to solutions in this space, and while Astra Security states that its automations are powered through no-code configurations, there’s little evidence via customer reviews, white papers, and so on regarding the breadth and depth of what these automations can do.
This solution enables direct communication with pen testers through its platform. From the platform, users are able to log in, add team members, assign vulnerabilities to developers, comment on reports, and connect with the pen testers. Some solutions use a third-party app, like Slack, for this, which could create a risk of data leakage if the Slack channel is not properly managed. Keeping these communications inside of the Astra Security portal eliminates that risk.
The Astra Security solution does not use crowdsourced pen testers. This design decision splits the solutions in this field almost evenly down the middle. Opting for internal pen testers only can provide higher quality findings and a more comprehensive review of the attack surface.
This solution allows customers to retest findings through a simple click of a button, and along with the findings, the solution provides the assigned severity of any weaknesses as determined by the testers and the resolution steps to deal with them.
Strengths: Astra Security offers simple pricing, a publicly certifiable pen test, a robust vulnerability scanner, good integration with common CI/CD technologies, and a great scanner-driven compliance monitoring capability.
Challenges: This solution does not offer crowdsourced testers, and its automation capabilities aren’t as strong as other vendors in this report.
Bugcrowd
The addition of PTaaS to the Bugcrowd Security Knowledge Platform is not surprising; it’s a natural evolution of its capabilities in the bug bounty, vulnerability management, and attack surface management (ASM) areas. The Bugcrowd PTaaS solution offers four tiers of pen testing services, ranging from “Basic,” a vulnerability scanning product designed for narrowly scoped pen tests, to “Max,” which includes numerous benefits like internal assessment capabilities, integration of bug bounty data, curated testing crowds, and more. It’s worth noting that the “Basic” pen test plan satisfies PCI DSS requirement 6.6.
Bugcrowd’s integration capabilities are strong. It offers mature, simple integrations with services like Jira, GitHub, IBM’s SOAR, Qualys scanners, ServiceNow, Slack, and Trello. In addition, Bugcrowd offers a full-featured webhook implementation, as well as an API that can be used to develop custom integrations.
Automation is a central component of a good PTaaS solution, and Bugcrowd has made it a priority to use automation to streamline as much of pen testing as possible. From onboarding, which leverages a self-guided questionnaire the customer fills out within the Bugcrowd portal, to scoping, discovery, and scheduling, few processes are manual. The result is a pen test that can be acquired and delivered within a few days, instead of weeks. Currently, only the Basic and Standard tiers of pen testing offer this level of automation.
While Bugcrowd and most PTaaS vendors strive to deliver just the right amount of detail in reports to properly explain a finding’s significance, there are times when additional information is needed. In such cases, Bugcrowd clients are able to communicate directly with testers via the platform. For custom engagements, a private Slack channel is provided. If the client feels they need someone with more technical expertise to ask the questions, an in-house Bugcrowd security engineer will engage with the tester on behalf of the client. Both of these options can help resolve a variety of use cases aimed at speeding up the discovery and remediation processes.
Requests to retest findings can be made from the customer dashboard, although the retest capability may be a paid option depending on the pen test tier purchased by the customer.
Crowdsourcing pen testers offers significant advantages, but how it happens can vary from vendor to vendor. Bugcrowd uses a machine learning algorithm to match the client’s requirements to the skills of pen testers in the pool. This process is unlike that of some vendors who perform these steps manually, often reusing the same “top testers” for several engagements. A noteworthy Bugcrowd feature allows clients to specify that new testers should be used across pen testing engagements, whereas in the past they would have to vet and select a whole new pen test vendor to achieve this diversity of testers. This approach greatly simplifies the client experience.
Strengths: The Bugcrowd PTaaS solution delivers strong automation capabilities that achieve real-world time savings for clients. Bugcrowd offers simple, direct communication methods that can be augmented by in-house security engineers as needed. Bugcrowd is a feature-rich, broadly applicable PTaaS solution.
Challenges: The automation capabilities for pen test tiers above “Standard” are still being developed, leaving more elaborate pen testing engagements with more manual effort compared to the “Basic” and “Standard” tiers.
BreachLock
BreachLock’s focus on advancing pen testing into the “as-a-service” age, combined with purposeful implementations of AI technologies to drive speed and quality, results in a streamlined experience for clients. The BreachLock PTaaS solution covers web and mobile apps, network, cloud, and social engineering, delivered through a combination of AI-led vulnerability scanning and expert analysis. The result is a pen testing engagement for which testers spend less time on mundane discovery tasks and more time on challenges unique to each client.
The solution’s pricing is simple compared to some other solutions in this space, which is welcome, considering many parts of legacy pen testing are overly complex or cumbersome. Some solutions also offer a catalog of other pen testing-like activities that can be purchased easily, but BreachLock’s doesn’t offer that at this time.
The BreachLock PTaaS solution’s mostly automated onboarding process leverages a questionnaire that asks 15 to 20 questions, depending on the engagement type. This defines the engagement scope, and testing can occur with lead times as short as 24 hours. This brief lead time is unheard of in the pen testing space and almost as impressive in the PTaaS space where a week is often the standard measure.
Each BreachLock client has assigned to them a success manager or technical individual who is available to answer questions, provide guidance, and usher the process through all of its stages to completion.
A key aspect of the BreachLock PTaaS solution is its focus on quality control throughout the process. Vulnerabilities are identified using its AI scanning engine, and each one is then reviewed by a pen tester. Using pen tester expertise and a framework designed by BreachLock, each vulnerability is carefully assessed to ensure a comprehensive review of possible impacts and the assignment of an appropriate risk level.
Once findings are created, they can be pushed to SDLC technologies like Jira, Jenkins, and ServiceNow, as well as communication applications like Slack. This data can also be exported to a CSV format for manual processing or importing into other technologies where an integration doesn’t exist.
BreachLock leverages a team of in-house pen testers. Using geolocation filters, clients are able to restrict pen tester assignments by geography. This solution does not use a crowdsourced pen testing pool.
Near real-time visibility of pen testing activities is achieved through the solution’s portal. Direct interaction between client and pen tester occurs through this portal as well, enabling streamlined communications.
Strengths: This solution’s strong AI vulnerability scanning and automation accelerates pen testing activities and streamlines delivery of information. BreachLock’s focus on quality creates a scenario with little “noise” in the process. The solution offers good integration capabilities, and its simplified pricing ensures year-round pen testing activities will take place.
Challenges: The solution does not use crowdsourced pen testers and does not offer a catalog of ready-to-go SaaS pen testing services.
Cobalt
Cobalt, the creator of the first PTaaS solution, started in 2013 as a bug bounty platform. As the initial entrant into the PTaaS category, Cobalt is currently the largest PTaaS provider with more than 1,200 customers. This puts the company behind only the NCC Group, which doesn’t offer PTaaS, in pen-test volume per year.
Purchasing a pen test engagement from Cobalt requires buying “Cobalt credits,” with one credit being equivalent to eight hours of pen testing services. This allows customers to pre-buy pen-testing hours, then deploy them throughout the year as needed. There are three tiers of service, with the Standard tier including enterprise features like SAML-based SSO and MFA for platform operators, access to the API, and free retesting. For accelerated engagement timelines, customers can choose the Premium tier, which includes 48-hour start times for pen tests. There is also an Enterprise tier that provides even more features, but the pricing requires a meeting to calculate.
Cobalt’s thesis is that the problem facing clients isn’t that pen testing quality is poor, but rather the inefficiencies that exist in the pen testing process as most customers know it. In response, Cobalt focuses on streamlining and reducing friction in the pen testing process, though it does not offer a vulnerability scanner within its solution.
Automation is a strength of the Cobalt platform, and it starts with the client’s onboarding experience. Using what Cobalt calls the “Pentest Wizard,” clients are able to complete onboarding tasks on their schedule, on their own. A two-week pen test engagement is then scheduled to match the service level purchased, with a start time of one to three business days.
Cobalt offers both integration with Slack to streamline client and tester communications, as well as a communicator within the solution itself for the discussion of more sensitive information. Pen tests can produce findings that can take months to address and fix, so Cobalt offers free retesting of findings for up to 12 months for the Premium and Enterprise tiers and up to six months for the Standard tier.
Cobalt leverages crowdsourced pen testers, which it calls the “Cobalt Core.” The Cobalt Core comprises over 400 vetted and background-checked testers, with a competitive acceptance rate of around 5%. It is the size of the pen testing community that enables Cobalt to launch its tests so rapidly.
The solution offers integrations with common SDLC technologies, such as Jira and GitHub, as well as with Slack, DefectDojo, Tugboat Logic, JupiterOne, and even Kenna Security. Of particular interest is the integration with Jira, which is bidirectional. Through this integration, clients are able to work in Jira on remediation tasks. Tasks in Jira are updated, so changes are reflected in the Cobalt platform, reducing duplication of efforts. In addition to native integrations, Cobalt offers a public API with bidirectional functionality for easy sharing of data on assets, pentests, and findings to and from other tools.
Finally, Cobalt’s professional services are worth mentioning. Through its pro services, clients are able to leverage Cobalt staff for code review, device hardening, physical security testing, social engineering engagements, and other valuable services.
Strengths: The Cobalt solution includes simple, automated onboarding and scheduling, as well as numerous mature integrations, access to its API, transparent pricing, streamlined communications, and a catalog of add-on professional services to augment staff skills. The Cobalt PTaaS solution is comprehensive in its approach, yet simple to use.
Challenges: The Cobalt solution does not include a vulnerability scanner, which makes it unsuitable for clients looking to consolidate pen testing and vulnerability scanning with one vendor.
HackerOne
HackerOne’s PTaaS solution is delivered through its SaaS platform, alongside its other security services, like bug bounty, attack surface management (ASM), and its vulnerability disclosure program (VDP). Each of these services is sold separately, and together, they drive clients toward a strategy based on the “attack resistance management” (ARM) strategy created by HackerOne, which focuses on continuous improvements to the attack surface.
While some PTaaS providers use in-house testers, HackerOne prefers crowdsourcing from its community of 1.5 million ethical hackers. Pen testers for the HackerOne PTaaS are crowdsourced from a community of vetted, background-checked, ethical hackers, which, HackerOne asserts, will ensure a diverse skill set capable of delivering the best pen test findings.
Vulnerability scanning is a commodity service for most organizations, and for this reason, some PTaaS solutions don’t offer this capability. HackerOne is one of those vendors, opting instead to focus on its strengths—bug bounties, vulnerability disclosure, and pen testing.
The solution offers mature, bidirectional integrations with SDLC tools like Jira, GitHub, GitLab, AzureDevOps, and AWS. The integration with AWS Security Hub is a standout feature through which HackerOne demonstrates clear maturity with AWS technologies. For organizations that run primarily or exclusively on AWS, this feature will be of great value.
Automation is a key component of this solution, enabling streamlined pen test deployments that reduce both the time to launch and the time to receive the results. In a typical pen test engagement, these times are often measured in weeks or months. With PTaaS solutions, especially a highly automated one like HackerOne’s, the time from launch to results is less than two weeks (not including the testing period).
The onboarding and scoping processes are nearly, but not yet entirely, meeting-free. HackerOne expects to be able to deliver meeting-free onboardings in the near future but could not set a date.
Another common pain point for clients is a lack of visibility and communication during the pen testing engagement. HackerOne offers near real-time visibility into pen testing activities for clients through its portal. The solution also offers simple direct access to the pen testers as well as an assigned technical engagement manager. Technical Engagement Managers (TEMs) are former pen testers who know the trade well and are focused on optimizing the delivery of each pen test. They work essentially as an expert advocate for the client during the engagement period.
Findings can be retested by the client within 60 days; retesting after 60 days incurs an additional cost. A free automated service called Hackbot helps customers prioritize findings by providing detailed remediation steps.
Strengths: HackerOne offers high quality results because of its diverse pentester community, aims to improve business workflows via integrations, delivers results rapidly, and is driven by automation. The maturity of its integration with AWS is unique, and its real-time visibility and direct communication methods will please most clients.
Challenges: The solution does not include vulnerability scanning capabilities, and while it covers the most common pen test engagement types, such as web app, mobile, and cloud, clients who need other engagement types (like social engineering) will have to look elsewhere.
Software Secured
Software Secured takes a unique approach to the PTaaS market and focuses on the delivery of pen tests through elegant automations, while also acknowledging that pen testing is only a portion of the enterprise’s security workload. In recognition of that limitation, Software Secured also offers to either work with in-house development staff or augment in-house staff to remedy any risk discovered through its pen testing.
The Software Secured solution uses a regimented sales and onboarding process that results in most clients being able to go from searching for a vendor to being onboarded in just two 30-minute meetings. Though this approach contrasts with some vendors who are attempting to automate the entire process, it’s not a detriment. Software Secured recognized early on that many customers might need help during this phase, so the human element has been an intentional part of its design.
The end-to-end penetration testing process for most clients is one that is both automated from a scheduling standpoint and rapid from a results delivery perspective. Once a client is onboarded into the Software Secured portal, a pen test is scheduled and executed every 90 days. In this way, changes in a client’s attack surface are detected more quickly, reducing the total time an unknown risk can linger. An additional benefit to this approach is the time savings experienced by the client. Given that the pen tests are scheduled automatically and executed (as long as the checklist sent two weeks in advance is returned), all of the time spent finding a pen testing vendor, vetting them, and onboarding and scheduling the engagement is eliminated.
Like some other products in this space, the solution doesn’t include vulnerability scanning. It is the position of these vendors that vulnerability scanning is a process that should be owned and executed by an internal stakeholder. In addition, integrations are not yet available for other technologies, like issue tracking or ticketing platforms, though the ability to export to CSV should be generally available in Q4 of 2022 and a webhook available in Q1 of 2023. The webhook will enable integration with numerous platforms and will be a welcome addition to the solution.
This solution offers direct enhanced communication between the client and the pen tester through a private Slack channel, and it offers unlimited retesting, in contrast to at least one other vendor that charges an additional fee for a similar service.
Software Secured does not use crowdsourcing for its penetration testers and relies instead on a set of full-time, in-house testers based in Canada, asserting that this allows it to better monitor the breadth and depth of skills compared to crowdsourced solutions. For example, the in-house pen testers can be measured in terms of the type and quantity of bugs they find, how quickly they find the bugs, and so forth. From these data points, strengths and weaknesses can be identified, which determines what type of engagements the testers are assigned to, as well as what type of training they’ll have to complete. All of its in-house pen testers can use 20% of their weekly hours to train and refine their skill sets.
As mentioned earlier, Software Secured focuses not only on pen testing but also on remediation. The pricing, which starts around $10,000, includes consulting hours, which are often used by clients for remediation work, security design reviews, bug bounties, and general staff augmentation activities.
Strengths: Software Secured is a strong solution for any organization, especially the small to midsize company that wants pen testing and remediation help all in one bill. The automated scheduling of pen tests spreads out the workload through the year.
Challenges: The solution does not leverage crowdsourced pen testers. It also does not offer built-in vulnerability scanning, or any integrations with other technologies right now. The webhook expected in early 2023 will enable such integrations.
Synack
Synack, billed as the premier security testing platform, focuses on penetration testing but offers vulnerability scanning capabilities and soon will be integrating ASM features into its testing suite.
A key area where PTaaS departs from legacy pen testing methods is in the user experience with onboarding and scheduling. Synack, like other vendors in this space, is investing heavily in the automation of these activities. This automation is partly responsible for Synack’s ability to schedule pen tests quickly and deliver results in a matter of days.
The PTaaS space is a great example of how crowdsourcing talent can be employed, and Synack takes full advantage of this capability. Synack recognized that in order to consistently deliver high-quality pen test engagements, it would have to develop a process that would provide continuous monitoring of a predefined pool of talent. This pool of talent is referred to as the Synack Red Team (SRT) and the company uses a process it calls “Genome” to carefully match the SRT to the client engagement.
It’s worth noting that Synack has developed a catalog of over 100 “missions” that clients can purchase using credits. A mission can be thought of as a testing engagement with a very specific purpose. Credits are purchased ahead of time and cost $110 each. Some missions hunt for the presence of a specific Common Vulnerabilities and Exposures (CVE) entry (often a recently released zero-day) and cost one to three credits, while other missions assign a member of the SRT to take a comprehensive look at an organization’s attack surface and document the ways vulnerabilities could be leveraged to compromise an organization’s systems or data. This feature should be thought of as a staff augmentation capability, which can deliver incredible value in the face of the current labor and skills shortages.
Vulnerability scanning is a hot-button topic for many PTaaS solutions because of the legacy challenges created by unscrupulous “penetration testing” firms that would often sell vulnerability scan results as penetration tests. While some PTaaS solutions don’t offer a vulnerability scanning capability that their clients can use, Synack does. Its “smart scan” can be used as the discovery mechanism for its pen test engagements, or it can be started by a client clicking a button. In either case, vulnerabilities found during scanning are processed in the same way as if they were discovered via pen testing. As a result, its vulnerability scanner delivers very high-quality results, with little noise and fewer false positives.
Automation is present throughout the product, impacting nearly every aspect of the solution and the service delivery. Clients access the solution through a portal referred to as “Launchpoint,” from which they can provision new tests, review findings from existing tests, and initiate retesting of findings. All of these features are powered by automations, although they are not customizable by the client.
Synack’s integration capabilities are on par for the space, with integrations available for popular platforms such as Jira, ServiceNow, Splunk, and others. These integrations are mature and often bidirectional, enabling simplified operations through automatic updates in both directions. The Synack API can also be leveraged for bespoke development and custom integrations.
Strengths: Synack’s strong focus on practical improvements to the pen testing process shows through with thoughtful capabilities like simplified onboarding and scheduling, staff augmentation through missions, simple retesting, integrated vulnerability scanning, and strong integration capabilities.
Challenges: The Synack solution’s built-in vulnerability scanner is not a one-to-one replacement for a full-fledged vulnerability scanner.
6. Analyst’s Take
For decades, penetration testing was viewed either as an onerous task organizations had to complete on schedule to adhere to some regulatory or compliance framework, or as a resource that would provide an attacker’s view of the organization’s technology. Both camps drove demand for penetration testing, and because of it, an explosion of both large pen test providers and specialized boutique providers emerged to deliver these much-needed services. However, this was a mere distraction, a failed evolutionary branch of the pen testing space that slowed progress for years.
PTaaS represents the revolution in the pen testing space that was long overdue. Vendors in this space are here because they themselves feel the pain resulting from legacy pen testing processes filled with delays, manual steps, and lack of transparency. Although PTaaS is only a few years old, the vendors in this space have decades of experience with pen testing and its pain points, and so the solutions feel much more mature than you might expect. For many organizations, selecting a solution that focuses on streamlined onboarding and scheduling would be a good first step.
Keep in mind that while selecting a vendor should never be done with reckless abandon, making a poor selection in this space won’t be a problem you deal with forever. Like pen test providers, PTaaS solutions can and should be rotated from time to time to ensure that a fresh set of eyes reviews an organization’s attack surface. There is also an opportunity to begin (or formalize) a bug bounty program if a vendor that offers both PTaaS and bug bounties is selected. This approach can add a year-round element that complements a focused, short-term penetration test.
Finally, organizations should consider not only the quality of the pen test results, but also the capacity of their own in-house staff to resolve the findings as quickly as possible. If lack of in-house staff and skill shortages create a situation in which trouble spots can be found but not fixed, consider selecting a vendor that offers staff augmentation services like device hardening, code review, and development support.
7. About Chris Ray
Chris Ray is a veteran of the cyber security domain. He has a collection of experiences ranging from small teams to large financial institutions. Additionally, Chris has worked in healthcare, manufacturing, and tech. More recently, he has acquired extensive experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cyber security services.
8. About GigaOm
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.
GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.
GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.
9. Copyright
© Knowingly, Inc. 2022 "GigaOm Radar for Penetration Testing as a Service" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.