Approach
Pentesting as a Service (PTaaS)
Agile projects or systems with an elevated risk often require more than a single penetration test. We offer Pentesting as a Service as an effective measure to continuously assess the security posture of your target systems.
More than a snapshot
The security of applications and infrastructure components is not a one-time goal, but rather a continuous process. This is why penetration tests should be employed in a continuous context. Especially agile projects and systems with a high degree of innovation can develop vulnerabilities with every new function and release.
Continuous Testing
Your systems are not assessed once, but continuously evaluated and monitored.
No Overhead
With a pentest programme, the contractual overhead of classical pentests is incurred only once.
Fast Reaction Time
The time necessary to identify a vulnerability is measurably reduced.
Cost Effectiveness
The costs per pentest decrease notably, as less time needs to be allotted for test preparation.
Evaluation of Measures
Not only are new vulnerabilities identified, but implemented measures are verified as well.
Integration
We can report findings directly into your database and integrate them there, so that maintenance efforts are reduced.
Preparation
In the pentest programme all tests are prepared thoroughly. Focus points can be set by you.
Assessment
We conduct pentests as agreed, either time-based or action-based. They follow our established quality standards.
Re-Test
Generally, a retest of all findings is conducted automatically with every cycle. We thus continuously document the implementation of measures and their effectiveness.
Reporting
All results are reported in a coordinated format. Generally, a full report is omitted after the initial pentest has been conducted, and new results are presented as a list.
Pentesting as a Process
Regular and highly flexible
With a pentest programme or pentesting as a service you do not need to go without flexibility. The advantage lies in the integration of pentests into the process. A pentest can be initiated on a regular schedule or action-based, e.g. with a new release.
One of the most important factors in regular testing is a constant testing intensity. This is why we conduct every penetration test manually; automated tooling is only used as an aid. Additionally, we rotate the employees assigned to pentest programmes to guarantee an objective assessment from multiple viewpoints.
About a third of all registered CVE vulnerabilities were registered in the last three years: 52,168 entries in total.
The mitigation of a vulnerability should always be accompanied by a retest to verify and confirm the implemented measures.
According to a report by Positive Technologies (Feb 2020), over 80% of vulnerabilities stem from misconfigurations.
Frequent Questions regarding Pentesting as a Service
For which companies is PTaaS suited?
Pentesting as a Service or the classical Pentest Programme make sense for companies that have an elevated risk profile and use agile infrastructure or applications. If you expect regular attacks on your systems, a regular security assessment is also recommended.
Can a Pentest Programme be understood as a kind of testing contingent?
The configuration of a Pentest Programme is very flexible. It can contain clearly defined pentests or serve as a test contingent. If you know that you need a certain amount of penetration tests per year, a Pentest Programme is reasonable.
Is a Pentesting Programme not associated with high costs?
On the contrary. The costs per pentest are notably lower than when ordering every pentest individually. This comes down to the fact that overhead is reduced, e.g. contractual agreements only need to be signed once. Furthermore, expenses for coordination and reporting can be reduced.
Does it make sense to test the same system over and over again?
In a complex infrastructure a Pentest Programme can of course be applied to multiple systems. Oftentimes internal policies mandate that all components of an application need to be tested once a year. Together we then compile a yearly schedule and vary the scope of our assessments to cover all components.
Furthermore, new vulnerabilities might arise in otherwise unchanged systems through system updates. At the same time, new vulnerabilities are discovered every day, and with every penetration test more vulnerabilities are evaluated.