Pentest-as-a-Service means delivering recurring pentesting, with findings-as-tickets, and ongoing support. Pentester involvement in any stage of the pentest following the report is a relatively new thing. However, as pentesters are increasingly supplemented by scanners and automatic software, the value of the pentest is less and less in a list of vulnerabilities and more in human insight, consultancy, and expertise.
Delivering pentest-as-a-service, complete with ongoing testing and remediation assistance highlights that value, allowing you to deliver a better pentest, to function as a cybersecurity consultant as part of the client’s team, and to create recurring and ongoing business with the same clients.
Pentest-as-a-Service Means Better Security
The 2019 Absolute 2019 Endpoint Security Trends report shows that just 22% of vulnerabilities found in reports are ever resolved. That makes sense with traditional pentesting, where you create a big PDF report and share it with a single point of contact. That person, who might be a compliance officer, CTO, or manager must take that report and break it down into actionable tasks, usable by IT staff fixing configuration issues as well as developers. That process can take months, if it happens at all.
Pentest-as-a-Service switches the focus of pentesting away from the report and towards security. When you use a pentest management platform like Cyver, you deliver pentest vulnerabilities as tickets. When you upload vulnerabilities to the platform, they’re available to the client’s team, so they can immediately begin remediation. That doesn’t affect traditional reporting. You can still generate a complete report using our pentest report automation to meet the needs of finance, compliance, etc. But, you also deliver findings-as-tickets.
- Delivered in real time, to the relevant people
- Deliver clear, relevant data to stakeholders
- Enable real-time communication with the client
Cyver’s finding status system also means it’s easy to track the relevance and status of the vulnerability. This combines with metrics in the platform to ensure the client can see Time-to-Fix, severity of vulnerabilities, and their general threat profile. But, it also means developers and IT staff can mark vulnerabilities as fixed or can request a retest.
Offering a retest is a service you’ll have to offer at your own discretion. Many pentesters increasingly bill for them as part of the original pentest. Others offer secondary retest packages. The idea is that you offer clients the option, so they can choose to do so following remediation.
Then, the ideal process looks like this:
- Client receives a vulnerability notification
- The ticket is assigned to a relevant person
- That person logs in, reads the proof of finding and replication data and looks it up
- They ask some questions in chat through the platform
- The responsible party resolves the issue and requests a retest of the vulnerability
- The pentester retests the vulnerability and marks it as resolved
This results in significantly better security for the client, because it means remediation is part of their process. Plus, Cyver’s standard pentest workflow allows you to schedule in the next pentest as part of the first, so the client ensures their environment stays secure.
The Human Element of Pentesting
Delivering pentest-as-a-service and the remediation support that comes with it isn’t necessary to pentesting. It doesn’t change how you work, only how you deliver work and how you engage with the client. As an add-on to your pentest services, it’s a great way to increase client loyalty, to improve client satisfaction, and to achieve more with pentesting.
At the same time, the pentest environment is changing. Organizations like Gartner say that pentesters are becoming less relevant, but that’s not necessarily true. No one is competing with BAS tools like Netsparker and Detectify, because they can’t compete with human intuition and innovation. But, they do deliver digital results, findings-as-tickets, and a simple, modern experience. Those tools do create pressure on you to offer a similar, modern experience. As the market continues to shift, pentesters can stand out by highlighting the human element of pentesting, while delivering the service and remediation support enabled by pentest management platforms.
Pentest-as-a-Service is growing quickly. Cyver offers an out-of-the-box solution to deliver Pentest-as-a-Service to your clients. And, with a 30-day free trial of the full platform , it’s easy to get started.