The traditional pentest is delivered as a one-off service, where the pentester comes in to assess risks in your environment, delivers a report with those vulnerabilities listed, and then you likely never hear from them again. Chances are, the next time you need a pentest, you might even choose a different pentester to see how differently those ethical hackers compare – and if they find different types of vulnerabilities.
This practice works well for compliance reasons, because you often only need the report. If everything is good and your pentest report shows passing compliance for the audit, you don’t have to do anything else. But the chances of that happening are slim. And, even for a compliance audit, you want to show that you’ve taken steps to actually remediate those issues. That is where having a pentester as a cybersecurity partner and consultant – collaborating not just on finding vulnerabilities but on advising how to solve them – can go a long way towards helping you harden your environment and ensure security.
Pentest-as-a-Service for Ongoing Cybersecurity
Pentest-as-a-Service is about recurring pentests, either scheduled or on-demand, with the same pentest team. Here, you add your assets and the details of what you need to pentest into the pentest platform and then, when you want a new pentest, you simply request it through the portal. That can be on a scheduled basis, with pentests aligned quarterly, according to compliance needs, or to planned development updates. It can also be on a credit basis, where you purchase X number of pentesting hours and then allow project leads and compliance officers to schedule pentests as they are needed, for example after a major update is pushed or when a new compliance requirement comes in.
- Designed around continuous pentesting, with multiple pentests scheduled as part of the plan
- With more frequent touchpoints, the cost per assessment is lowered – because data such as scope, access information, assets, etc., are all saved
- Data including vulnerabilities are shared in a pentest portal which directly facilitates communication between the pentester and your team
This can mean that your pentest team assesses your assets and delivers vulnerabilities directly in the platform, without a pentest report. For example, you can have a pentest schedule for quarterly pentests, and have vulnerabilities delivered in a portal – where your devs, IT specialists, and compliance officers can see and act on vulnerabilities – and then only pay for the report once a year when you need it for compliance.
Direct Communication with Pentester
Here, the biggest benefit of pentest-as-a-service is direct communication with the pentester. Rather than having your compliance officer or team lead break a pentest report, which they don’t understand, down into smaller tasks for teams, you receive individual vulnerabilities as ticket items, linked to the assets they affect. With Cyver, those vulnerabilities can be exported into the work management platforms you already use, like Jira.
That already saves you a lot of wasted man-hours on delegating work from the report. With Cyver, individual vulnerabilities are pushed to the platform, the people you add to the platform are notified, and they can immediately start work.
In addition, they can immediately start to ask questions. If uploaded remediation data and replication data isn’t enough, devs can talk to the pentester who found the issue, discuss the vulnerability and how to remediate it, and even ask for help on solving it. That option to have pentest consultancy on demand means you’ll always have insight into vulnerabilities and you can always ask for help.
In addition, Cyver offers retesting for free for up to 30 days after finalizing the pentest. When you mark a vulnerability as remediated, you can request a retest to verify that it’s been resolved. That can ensure your environment is actually more secure. It also helps you show auditors that you’ve taken steps to remediate any vulnerabilities found on the initial assessment.
Tracking Vulnerabilities in the Cyver Dashboard
Another benefit of pentest-as-a-service is that you get ongoing insight into vulnerabilities. If you continue pentesting with the same pentester, your data from your previous pentests stays in the system. This means you can track changes in vulnerabilities from test to test, more easily spot recurring vulnerabilities, and see how your environment changes over time. That also makes it easier to see when a vulnerability was introduced – because you’ll have traceable information on whether a vulnerability was present in the system during the previous cycle of the pentest.
With Cyver Core, that also means getting:
- Time-to-Fix metrics and dashboards
- Remediation prioritization based on CVSS data
- Alerts when high-risk vulnerabilities aren’t remediated on time
- The option to accept vulnerabilities as part of your system if you know they’re there, so they don’t keep coming up
- Insight into how the same vulnerabilities reoccur across your assets
Essentially, you get ongoing pentests with ongoing results uploaded to a single dashboard, where you can track remediation, changes from cycle to cycle, and how your security profile develops over time.
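As an added illustration (not Cyver’s code, and not how its dashboard is implemented), here is a small Python model of the cross-cycle tracking described above: diffing two cycles’ findings into new, recurring and resolved items while honouring accepted risks, flagging open items that exceed an assumed per-severity SLA, computing time-to-fix, and spotting issues that recur across assets. Asset names, issue labels, dates and SLA values are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed remediation SLA in days per CVSS severity band: placeholders, not Cyver's values.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

def band(cvss):
    """Map a CVSS base score to the CVSS v3 qualitative severity band."""
    return "critical" if cvss >= 9.0 else "high" if cvss >= 7.0 else "medium" if cvss >= 4.0 else "low"

@dataclass(frozen=True)
class Finding:
    asset: str                    # hypothetical asset name
    issue: str                    # issue label as the pentester reported it
    cvss: float
    found: date                   # date the cycle reported it
    fixed: Optional[date] = None  # set once marked remediated and the retest passed
    @property
    def key(self):
        return (self.asset, self.issue)

def diff_cycles(previous, current, accepted):
    """Classify this cycle against the previous one; 'accepted' keys are known risk, so neither new nor recurring."""
    prev, cur = {f.key for f in previous}, {f.key for f in current}
    return {"new": sorted(cur - prev - accepted),
            "recurring": sorted((cur & prev) - accepted),
            "resolved": sorted(prev - cur)}

def overdue(findings, today, accepted):
    """Open, non-accepted findings older than the SLA for their band, highest CVSS first."""
    late = [f for f in findings if f.fixed is None and f.key not in accepted
            and (today - f.found).days > SLA_DAYS[band(f.cvss)]]
    return sorted(late, key=lambda f: -f.cvss)

def mean_time_to_fix(findings):
    """Average days from discovery to verified fix over remediated findings (None if nothing fixed)."""
    days = [(f.fixed - f.found).days for f in findings if f.fixed]
    return sum(days) / len(days) if days else None

def cross_asset(findings):
    """Issues present on more than one asset: the recurrence-across-assets view."""
    assets = {}
    for f in findings:
        assets.setdefault(f.issue, set()).add(f.asset)
    return {issue: len(a) for issue, a in assets.items() if len(a) > 1}

# Constructed sample data for two quarterly cycles (not real findings).
Q1 = [Finding("web", "reflected-xss", 6.1, date(2023, 1, 10), date(2023, 2, 1)),
      Finding("web", "outdated-tls", 5.3, date(2023, 1, 10)),
      Finding("api", "missing-rate-limit", 7.5, date(2023, 1, 10))]
Q2 = [Finding("web", "outdated-tls", 5.3, date(2023, 4, 12)),
      Finding("api", "missing-rate-limit", 7.5, date(2023, 4, 12)),
      Finding("api", "outdated-tls", 5.3, date(2023, 4, 12)),
      Finding("web", "idor", 8.2, date(2023, 4, 12))]
ACCEPTED = {("web", "outdated-tls")}  # known risk the team chose to accept
```

Running `diff_cycles(Q1, Q2, ACCEPTED)` shows the two items introduced since Q1 and the one that is still open from the last cycle, while `overdue(Q2, today, ACCEPTED)` is the alert list for high-risk items past their SLA.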
Pentest-as-a-Service allows you to develop closer relationships with your pentesters, so they function as cybersecurity consultants, deliver pentest results as work items, and work with you to remediate them. That’s completely different from the old norm, where you receive a report and the pentest is done. It also gives you more tools for actually hardening your environment, ensuring you have the expertise available to recommend fixes, the replication data, and the insight to remediate quickly.
If you’d like to learn more, contact us for a demo of the Cyver pentest-as-a-service platform or to discuss your pentesting needs.