It’s been two years since we checked in about this, and the penetration testing industry has made a lot of changes in that time. Historically, customers could choose between vulnerability scanning and manual penetration testing. The primary challenge for the prospective customer was determining what a company was actually offering and if they were truly doing the same quality of work as other companies quoting services of similar names.
However, in the last couple of years other service variants have entered the market. Many companies are now offering Penetration Testing as a Service (PTaaS) and now AI penetration testing is gaining traction in the marketplace as well.
What does this mean for companies shopping for a penetration test? It means that, more than ever, you have to be able to sift through the sales talk and fancy service briefs to understand what the offering truly is and how it compares to the other quotes you are reviewing.
Let’s look at each of these offerings what you are likely to see:
Vulnerability Scanning
This is the basic automated scan running across your environment looking for low hanging fruit: out-of-date software, unpatched systems, common vulnerabilities that can be picked up by automated rules, default passwords, etc. While the results often include false positives or vulnerabilities that can’t actually be furthered for a true attack, a vulnerability scan is still a good place to start.
While vulnerability scanners are useful tools, they are not without limits. There are many exposures that they will not detect.
When incorporating vulnerability scanners as part of your security strategy, Raxis recommends performing authenticated scanning and assigning team members to regularly review the scans and correct discovered issues.
For customers who don’t require a penetration test for compliance or who want to add budget-friendly year-round scanning to their annual penetration test, Raxis Protect offers frequent scanning of your environment using best of breed scanning technologies. Raxis Protect is not a penetration test and does not include manual testing, but it does provide access to chat with the Raxis penetration testing team about reported findings so your team can understand and remediate them for a more secure environment.
Penetration Testing
Arguably the gold standard for determining true business risk, penetration testing uses skilled engineers to emulate the attacks of a bad actor. While penetration tests may include a vulnerability scan to discover possible entry points and reportable issues, the penetration tester will spend a majority of the time identifying gaps in the environment and looking for creative ways to exploit those vulnerabilities and to gain further access within the network or application.
The ultimate goal is to pivot to other systems, create chained attacks that escalate privilege, and ultimately gain persistent access to the environment while accessing sensitive information.
This attack simulation provides businesses with an understanding of what real-world attackers could accomplish inside their environments, allowing them to correct issues and shore up defenses. However, it is a point in time assessment that is usually performed annually or quarterly, depending on the company’s needs and budget, changes in the environment, and appetite for accepting risk.
Raxis Strike is our new name for these traditional penetration tests, and we still find many customers requesting these on a regular basis.
Penetration Testing as a Service (PTaaS)
PTaaS has evolved in our industry as a method to address the limitation of penetration testing as a point-in-time assessment. However, there is still no standard definition for PTaaS from one company to another.
Some companies consider PTaaS an “on-demand” service that kicks off a penetration test upon request. Others provide a certain number of penetration tests during a year. Still others dress up an ongoing vulnerability scan – or a grouping of automated scans and exploits – and call it PTaaS.
Finding a middle ground that allows ongoing testing without breaking the bank is the trick.
Raxis Attack is PTaaS designed to be scoped to fit your needs and budget. Attack uses best-in-class scanning for continual scanning complimented with unlimited on-demand penetration testing requests for either individual findings or for the entire environment. And of course, even though you receive results throughout the year, we can still create a PDF report of your current findings to fulfill penetration testing compliance mandates.
We believe PTaaS is about collaboration – so Attack customers also have access to ongoing chat and video conferencing with the same Raxis engineers who perform our traditional penetration tests. We view it as a “fractional penetration testing team” at your service all year long.
Ultimately, you should take a deep dive with each company to truly understand what they are offering and which level of service is the best fit for your organization.
AI Penetration Testing
Like most industries, AI is making its dent in offensive security as well. AI is often hailed as the silver bullet to all security woes. However, in reality, AI is still limited in what it can do and is very likely not the only tool you need.
Some companies claim their AI services can do everything manual testing can do and more. In our experience, these claims are often overstated. We have yet to see an AI solution that can truly think outside the box and manipulate systems the same way a seasoned engineer is able to.
We’ve also seen cases where common tools are scripted to run automatically in an environment using basic known attacks, and that offering is incorrectly branded as an AI-based solution. The concern is that many of those tools, if left unattended, can take down systems and cause other stability concerns.
If you are considering an AI solution, look closely at the solution and make sure it’s truly offering what what you need.
So, What Does this Cost Me?
In the US, vulnerability scans are still the lowest cost of the four methods we discussed above. Often running from a few hundred dollars to a few thousand, depending on the size of your environment and whether the scanning is for regulatory compliance reasons, vulnerability scanning should be an integral part of your security program, but it does not check the penetration test box for compliance, and it doesn’t give you a full picture of your security gaps.
Likewise, penetration testing pricing will differ depending on the size of the organization and the size and depth of your scope. Most reputable US penetration testing companies will start around $5,000 and go up to well into the six figures. Often these tests can be time-boxed to fit your objectives and budget.
PTaaS pricing still varies greatly. Factors such as the scope and frequency of testing, the level of manual testing vs automation, the depth of reporting and remediation guidance, and the inclusion of additional features like continuous monitoring all influence the total cost. As a general rule of thumb, the annual cost of a PTaaS subscription is often roughly the price of two traditional penetration tests, but this is only a rough estimate.
AI Penetration testing tends to be far cheaper than traditional penetration testing and PTaaS primarily because it’s an automated system with little to no human oversight. While it might technically check the box for compliance requirements, Raxis still believes AI testing is best used as a supplemental tool to other forms of adversarial attack simulation. From what we’ve seen, AI testing can start as low as $500 in some instances and increase from there.
In Summary
Whatever method you choose for your organization, to accurately assess pricing and select the best solution for your organization, start by discussing your specific requirements with multiple providers and requesting detailed proposals outlining their approaches, deliverables, and associated costs. This will allow you to compare the offerings and to choose the one that strikes the right balance between coverage, quality, and value for your needs and budget.
