While cybersecurity was once solely the domain of ethical hackers and pentesters, that’s quickly changing. Today, Cybersecurity-as-a-Service solutions deliver on-demand vulnerability scanning to organizations, with simple digital dashboards to assign permissions, set schedules, and assign assets. Platforms like Detectify deliver automated scanning for 200+ common vulnerabilities, with unlimited scans through a simplified platform, for just $50 a month. Of course, these tools don’t deliver verification beyond OWASP ASVS Level 1, but they do fit into Agile development methods, where developers test security as part of the development process. And with Gartner expecting adoption of this tooling to increase 2,900% by 2025, the user base is considerable.
With more organizations taking charge of their own security, pentesters might feel as though they are falling behind and losing the market. But while it’s true that vulnerability scanners are growing in popularity, organizations still need pentesting. In fact, pentesting is growing at 21%+ per year as more organizations move online and become aware of the risks. A pentest provides in-depth insight from a human team in ways an automated vulnerability scan never can. Rather than losing customers to automation and vulnerability scanning, pentesters can improve their own services and user experience by delivering the ease of use and simplicity that attract clients to scanner platforms in the first place, using pentest-as-a-service platforms.
An Outdated Delivery Model
Pentesting today is much the same as it was 20 years ago. Sure, you have more reliable scanners and tooling like Nessus, GFI LANGuard, Rapid7, Retina, and Qualys, but automated platforms such as Detectify and Acunetix rely on the same class of signature-based checks under the hood (IBM QRadar, often named alongside them, is a SIEM rather than a scanner). The customer experience – reporting, deliverables, usability, and communication – hasn’t changed. Most pentesters still communicate by email and phone, share findings in long PDF reports, and leave sorting and sharing those findings to the client team. The result is complicated, time-consuming, and difficult for the customer.
That’s a stark contrast to automated vulnerability scanners, which typically upload findings automatically into web-based dashboards, link each finding to an asset, compliance requirement or test type, and rank findings by priority using scoring systems such as CVSS.
Organizations Need Both
Vulnerability scanners offer fast, efficient, and affordable coverage of known vulnerabilities. Client teams can easily rescan equipment, systems, and networks as they change, keeping that coverage current without introducing new risk or paying the high cost of a pentest every time they ship an update. Scanners make monthly or even weekly scans sustainable for clients with high-risk environments, especially those that frequently add new equipment, tooling, and changes.
At the same time, pentests remain necessary and valuable. You don’t need a team to scan for missing patches and outdated protocols, but you do need one for a deeper, human assessment: whether a finding is actually exploitable, how individual weaknesses chain together, and where business logic fails in ways no signature can catch. Your team delivers value a scanner can’t because you have real people looking for issues. Most organizations are well aware they still need pentests, and many compliance regimes explicitly require manual testing. You can market those strengths to potential customers and turn them into repeat business by offering a better customer experience.
Going Digital with Pentest-as-a-Service
While building a Pentest-as-a-Service platform from scratch is expensive and not feasible for most cybersecurity teams, platforms like Cyver make these solutions accessible, affordable, and readily available. Your organization doesn’t have to build a new platform; it needs a digital experience layer on top of existing services that provides a channel for communication, delivery, and automation.
Cyver links to your tooling to import findings directly, automates reporting, and delivers actionable tasks and insights straight to client developer teams. Automation reduces the time your own team spends, cuts manual error, and delivers findings in real time as single-finding alerts so clients can create a work task from each one. Plus, with built-in encrypted communication, Cyver gives developer teams a smarter medium for connecting with pentesters, requesting proof of a finding, and truly collaborating on remediation.
The future of cybersecurity is automation, but it still needs a human touch. As clients demand a simpler, more user-friendly delivery process, pentesters can switch to digital Pentest-as-a-Service (PTaaS) platforms to deliver cloud services and tooling, offering their services on top of automated vulnerability scans rather than competing with them.