In the latest Hype Cycle for Security Operations, Gartner lists Pentesting as a Service (PtaaS) as an emerging technology that helps businesses strategically mitigate risk and run effective security programs. Gartner also names Cobalt as a representative PtaaS vendor, and touches on a topic we at Cobalt are well acquainted with: the line between bug bounty and PtaaS, which can, at times, seem fuzzy.
To quote Gartner, there is “confusion between PTaaS and bug bounty programs, as many bug bounty vendors also now offer PTaaS.”
So what is the difference? (For now, let’s ignore the glaring topic of how to capitalize the acronym, which Cobalt and Gartner must agree to disagree on.)
PtaaS itself is a seismic improvement in security testing. PtaaS builds on – and modernizes – the old-school consultancy model in several significant ways. Cobalt Chief Strategy Officer Caroline Wong wrote a whole book on what PtaaS is and how it can unlock more value than traditional methods, aptly called The PtaaS Book. In it, she summarizes the key components of PtaaS with the following diagram:
| Column A: PtaaS | Column B: Not PtaaS |
|---|---|
| Manual testing by humans | Automated testing by machines |
| Cloud based | On prem |
| Remote delivery | Onsite delivery |
| Standardized pentesting; scalable | Hourly prices or custom project bids |
| Technology improves collaboration between pentesters, developers, and security teams | Little to no technology for workflows or collaboration |
| Tests can start in 48 hours or less | Tests start in one week or more |
| Real-time consumable results and reporting | Static results and reporting, e.g. PDF |
| Analytics and consolidated insights from pentest data over time | No analytics, or analytics only with data from a single pentest |
| Integrations automate data transfers between tools | Manual data transfers to other software tools |
This table differentiates PtaaS from other pentesting methods, not just bug bounty, so now let’s look at bug bounty specifically. Bug bounty is an open-ended program in which any security professional or hacker can search for vulnerabilities in an application or asset. The customer pays testers based on the perceived ‘quality’ of each finding, i.e., the level of risk it poses.
Let’s double click on a few of the points from Column A to emphasize their importance in the “PtaaS vs. Bug Bounty” distinction:
- Technology integrations are pivotal because they enable scale. The use of a SaaS product throughout the test offers a better way to do … just about everything. That includes managing data across workflows via technology integrations that empower teams with tools to automate repetitive tasks, analyze vulnerabilities holistically, and (get out your security bingo cards, folks!) truly shift left. Because no developer appreciates getting a PDF thrown at them.
- Human testers acting collaboratively. These individuals are, in the case of Cobalt, highly vetted and extremely specialized members of the Cobalt Core, a closed community with a high bar for entry and a very limited acceptance rate. Core members work on teams, and they communicate and collaborate throughout the pentest with each other as well as client stakeholders to ensure a successful client engagement. This differs from the competitive aspect that fuels bug bounty programs.
While not without its merits, bug bounty offers sparse coverage because it focuses only on the vulnerabilities that are incentivized, i.e., high-criticality ones. Researchers often vary in quality. Moreover, the spirit of bug bounty is competition, whereas PtaaS engenders collaboration and teamwork in order to best serve the customer during the engagement.
Some vendors offer both: bug bounty and PtaaS. More often, what we see at Cobalt are technology companies jumping on the PtaaS bandwagon, hoping to capitalize on its rising popularity. In their attempts to grab market share, they label a solution as “PtaaS” when it isn’t that at all.
Since Cobalt’s inception in 2013, we’ve seen an explosion in the level of discourse around PtaaS, both from infosec teams as well as from their developer colleagues. Now, analysts and press are following suit and adding their voices to the mix.
There’s a growing desire from all sides to hear real-world success stories from security leaders who have harnessed the power of PtaaS and put it to work for their business. Regardless of size or maturity level, every company stands to gain from this modern approach to pentesting.
The recent groundswell has spurred Cobalt to launch a 6-city roadshow series this fall, PtaaS Exchange, which will unite infosec practitioners and developers, offer a forum for collaboration and knowledge exchange, and answer the question, “What can PtaaS do for me?” We hope you’ll join us for some conversation, learning, and maybe even a couple of cocktails.