Cyver is made up of pentesters and ethical hackers with decades of combined professional pentesting experience. For most of our careers, some of which span 20+ years, that pentesting has been fully manual – with reports delivered via an old-fashioned PDF and discussions often handled over the phone or in person. In fact, we didn’t start offering pentest-as-a-service until 2020 – when we rebranded as Cyver. 

Today, our web portal, digital pentest report delivery, findings-as-tickets, and digital pentest management are part of who we are. They help us to deliver better service and better pentest reports. But, why did we start using Pentest-as-a-Service? And, how does it impact how we pentest? 

We Need to Get Remediation Rates Up to Lower Cybersecurity Risks

Cybersecurity risks are constantly on the rise, with businesses experiencing higher rates of breaches and data leaks than ever before. Yet, many organizations simply don’t remediate found vulnerabilities. In fact, many studies suggest remediation rates hover between 38% and 54% across all vulnerability types – without taking into account that not all vulnerabilities have active exploits.

How do we improve remediation rates? We work to ensure that developers, compliance officers, and IT specialists have information on findings. If we deliver our vulnerability findings as tickets, through our cloud platform, those experts immediately see when there’s a new vulnerability. They can make the calls on how to prioritize fixes, how to work them into their sprint, and what to do about it. Most importantly, if you link actual stakeholders like product and module owners into the platform, the people who need the updates the most see them first. Of course, you still get the full pentest report, but you get findings as tickets first. 

Remediation Isn’t Enough, Time-to-Fix Matters Too

Low remediation rates tie into long time-to-fix. Both reflect different aspects of the same problem. For example, the study suggesting that vulnerability remediation hovers between 38% and 54% also suggests that it takes an average of 246 days to resolve vulnerabilities. Other organizations have much better track records – with some averaging just 14 days on high-severity vulnerabilities. We want to see that kind of responsiveness and security across all our clients. That’s how you stay safe. And, ensuring stakeholders see vulnerability findings first is the best way to achieve that.

Stakeholders Need Better Control of How and When They Pentest 

While your developers, product owners, module owners, compliance officers, and IT experts are responsible for engineering fixes – they often have little control over when pentests happen. That should, eventually, change. After all, good pentesting means aligning pentests with app updates, new development, and with critical releases. 

We achieve that by literally shifting pentesting into their hands, using pentest credits. Key decision-makers in finance can budget for cybersecurity upfront, decide how many pentests to run per year, and then allow stakeholders to schedule those pentests based on development and compliance needs. That means those stakeholders shift from resenting pentests as disruptive to their workflows, preventing deployment, and forcing extra work, to treating pentests as part of that workflow and collaborating on building a secure product.

Making Repeat Pentests Scalable 

Most organizations spend significant amounts of time on manual and repeatable work and overhead. This includes items like looking for a pentest, communicating the scope of the assessment, sharing assets and login data, and ensuring everything is set up for success. With pentest-as-a-service, you retain all that data between pentests. Rather than rebuilding everything each time you request a new pentest, you request a pentest following the same format as the last one and tweak it where necessary to reflect changes to your assets. 

That potentially saves hours of time on every single pentest – freeing your team up for more value-added work, like remediating vulnerabilities.

Better Pentest Delivery Means a More Successful Pentest 

Pentesting is crucial to discovering and remediating vulnerabilities in digital apps, networks, and infrastructure. But, if those vulnerability findings aren’t delivered in a user-friendly, modern, and digital way – they lose value. That’s important, as nearly all organizations have shifted to digital work. We’re accustomed to using tickets, Kanban boards, and secure, digital tooling to manage every aspect of work. Pentests should be no different. 

If you’d like to learn more or you’d like to see what we do with our pentest-as-a-service platform, contact us for a free demo.