The Exploit

Notes from the Front Lines of Penetration Testing

Choosing a Penetration Testing Company: Part 3

Now that Cole has talked about what a penetration test is and the types of tests and Brad has discussed choosing the right penetration testing company for your organization, it’s my turn to step in with the last post in this series to discuss Penetration Testing as a Service or PTaaS. 

What is PTaaS?

Penetration Testing as a Service may sound fairly clear, but it’s taken the cybersecurity industry time to decide what it means. Initially, many offerings of this continuous service were priced far lower than a traditional penetration test of the same scope – a red flag if I’ve ever seen one! As time has passed, a number of flavors of PTaaS have appeared, and it can be hard to tell them apart.

At Raxis, we looked to Gartner for guidance and developed our PTaaS, Raxis Attack, as a continuous service based on true manual human penetration testing performed by the same team of pentesters who do our traditional penetration tests. While Raxis Attack costs more than our traditional penetration test of the same scope, I’ve had several customers tell me personally that it’s a great value and preferable to budgeting for several penetration tests a year.

How Does Raxis Attack Stay in Budget and Still Provide Quality Results?

The secret that we’ve found is running continual scans that alert your team and the Raxis team to environment changes while allowing your team to request on-demand manual human penetration tests of the whole or parts of your in-scope assets as needed. In cases of critical zero-day vulnerabilities that may affect your environment, the Raxis team may also reach out and recommend that you request an on-demand manual penetration test. 

Customers can request unlimited on-demand tests throughout the year and view their results in the Raxis One portal, which clearly shows which results are automated and which are manual (along with screenshots and everything else you would expect in a finding from a traditional penetration test report). Need a retest? Request a manual test of that finding or that asset, and the results will show in your portal.

Even better, you’re not just left with a report after testing. Customers can chat with the pentesting team through Raxis One as well to discuss their findings. With all of that information and knowledge at their fingertips, Raxis Attack customers are able to remediate potential findings year-round. If they need a PDF report for compliance, they can request that in Raxis One as well. I’ve seen customers who used to request reports for meetings come to prefer using the Raxis One portal in meetings so that they can show the information more clearly.

If I piqued your interest, take a look at my recent post that dives into Raxis Attack.

Is PTaaS or a Traditional Test Right for My Organization?

Choosing between PTaaS and traditional pentesting depends on your organization’s security needs, budget, and operational style. 

If you’re looking for flexibility, real-time visibility, and ongoing collaboration, PTaaS will be a strong fit for your organization. It offers a subscription-based, cost-effective model with dynamic reporting and the ability to scale or repeat tests as your environment evolves. PTaaS is especially valuable for organizations that want frequent assessments, rapid remediation, and a lighter management burden. 

On the other hand, if your requirements include onsite testing or bundled consulting services, traditional pentesting may be preferable, as it provides comprehensive, project-based assessments. 

The type of penetration test is also a consideration. Raxis offers external network, internal network, web application, and API PTaaS currently. Depending on the type of test you’re looking for, PTaaS may not be an option at the moment. Keep checking back, though! As PTaaS evolves, Raxis and other cutting-edge companies are likely to expand their offerings.

Ultimately, you’ll want to weigh your organization’s need for speed, depth, collaboration, and budget predictability. PTaaS excels in dynamic, fast-paced environments, while traditional pentesting remains a solid choice for one-off or highly customized engagements.

What Should I Look for When Choosing a PTaaS Company?

I’ll start by referring you back to Brad Herring’s second post in this series because choosing the right penetration testing company overlaps with this question when it comes to looking for the best expertise, reputations, methodology, scalability and the other topics Brad discussed.

When looking at PTaaS specifically, Bonnie Smyre’s recent post Understanding PTaaS is a great place to look as well. PTaaS is still a fairly new product, and the market continues to grow as organizations realize the benefits that come with a continuous view into their security. Once you find a strong partner, you can expect them to continue to grow their offerings and to provide enhancements.

I’d also advise you to look at PTaaS differently than a traditional test. Instead of focusing on reports, log in to your PTaaS interface, such as Raxis One, consistently. Your role will change with PTaaS as well. You get to be an active participant in continually discovering security gaps and remediating them quickly. With that in mind, you’ll want to see a demo of the PTaaS tool that each vendor you’re considering provides, to be sure it works well for you.

Thanks for Reading

I appreciate you taking the time to read this series and hope you’ll be back for more cybersecurity updates in our blog, such as our Security Recommendations posts!


Caroline Kelly
