PTaaS - A Better Penetration Testing Delivery Model?
Penetration Testing as a Service

Penetration Testing as a Service (PTaaS). A continual delivery model.

This page describes an alternative delivery model for penetration testing, known as "Penetration Testing as a Service", or by the acronym PTaaS.

The PTaaS acronym is a fairly recent development in a penetration testing context, and has come into common use only in the last couple of years. It really is something of a misnomer, because penetration testing has always been a service. The difference between PTaaS and the traditional penetration testing model is in how that service is delivered. In this article, we'll explain PTaaS as a conceptual delivery model and compare it with the traditional penetration testing delivery model.

When done responsibly, there is little difference in testing methodology and no difference in quality, but Penetration Testing as a Service (PTaaS) will typically employ a different billing, scheduling and delivery model than traditional penetration testing, and these differences make PTaaS an attractive approach for some clients. PTaaS can be attractive to clients who perform, or intend to perform, penetration testing on a regular basis. It can be even more attractive to clients who produce B2B solutions and who are often asked by their own prospective clients, often at unpredictable times, to provide evidence of penetration testing. Sometimes the fastest way to understand a concept is to examine the pros and cons, and that is the approach we will use here.

Here are some of the advantages of Penetration Testing as a Service:

There are also disadvantages with the Penetration Testing as a Service model. Nothing is perfect for everyone, and PTaaS is no exception. Here are some of the factors that make PTaaS less desirable than a traditional delivery model for some clients:

Things to be wary of with PTaaS offerings

Finally, and this is neither an advantage nor a disadvantage, but a caution: Penetration Testing as a Service as a model lends itself well to deception. There are two deceptions in particular that are made much easier under a PTaaS model:

Before contract signing, be especially wary of:

After contract signing, assuming you have an easy cancellation clause (which you should have), be wary if:

If you find yourself in an uncomfortable relationship, that's what the cancellation clause is for.

Penetration Testing as a Service (PTaaS) Summary

The PTaaS delivery model is focused on nearly continual change monitoring, testing, and rapid reporting and communication. It sacrifices polished, detailed reporting in favor of rapid remediation and ongoing testing. It reduces administrative overhead, can shorten remediation cycles, and can catch flaws earlier in the release cycle. It can have strong sales advantages for B2B clients, flattens budgeting and can simplify budget approval. It is not cheaper when done correctly, because the same manual effort is required from the same highly qualified testers, but it may increase ROI for the same spend, depending on your needs. For many of our clients, this is a delivery model better suited to their needs than a traditional model.

The approach can also cause problems if you need detailed reporting, can affect sensitive data handling and retention, may be complicated by third-party approval factors, may require changes to applications, and is not compatible with all penetration testing philosophies. For some clients, the traditional model is still the best.

If you do decide that Penetration Testing as a Service is the right approach for you, you still need to be careful that you are actually getting what you think you are getting, and should insist on a contract that allows you to bail out easily. In our case, for example, our PTaaS contracts allow you to cancel at any time, and we insist that we start out with a baseline traditional engagement so that you get to know us and our penetration testers, and we get to know you and your systems. For us, this is a relationship and not just a service.

If you are interested in the PTaaS delivery model, please ask us about it. This has been only a brief treatment of the subject and we will be happy to further explore the options with you.