The report provides a technical evaluation of key PTaaS vendor offerings in the market. A select group of seven vendors were invited to participate in this evaluation. HackerOne is positioned as a ‘Leader’ in the report and plotted most closely to the ‘Platform Play’ segment in the key figure (see below) of the report. GigaOm rates HackerOne’s crowdsourced community of pentesters, and the platform’s integrations with SDLC tools, as exceptional. We invite you to access the full GigaOm Penetration Testing as a Service Radar report.
PTaaS is a Revolution in Penetration Testing
Penetration testing is one of the most useful risk reduction methods available to organizations because it’s designed to simulate an external attack. However, traditional pentesting is performed by firms that often lack the modern efficiencies, platform, and expertise that organizations need to make pentests actionable. It’s common to find traditional providers that directly employ or retain a limited number of pentesters, without the varied expertise your organization needs to test its entire infrastructure or software architecture. This is especially true for modern applications, APIs, mobile, and cloud systems.
Penetration testing as a Service (PTaaS) has emerged in the last few years to address the shortcomings of traditional pentesting. GigaOm’s Radar Report states that “PTaaS represents the revolution in the pentesting space that was long overdue.” Similar to other SaaS models, PTaaS incorporates a cloud platform that often ties together other cybersecurity solutions, automated workflows, and a large pool of testers that are assigned to your organization as appropriate per engagement.
HackerOne is Positioned to Deliver Impactful and Efficient PTaaS
GigaOm analyst Chris Ray notes, “HackerOne offers high-quality results because of its diverse pentester community, and its aim to improve security operations using business workflows via integrations, the rapid delivery of results, and automation. The maturity of HackerOne’s integration with AWS is unique, and its real-time visibility and direct communication methods will please most clients.”
Furthermore, the report acknowledges the benefits organizations will receive from HackerOne’s “mature, bi-directional integrations with SDLC tools like Jira, GitHub, GitLab, AzureDevOps, and AWS.” The report also calls out the integration with AWS Security Hub as a “standout feature through which HackerOne demonstrates clear maturity with AWS technologies and will be of great value for organizations that run primarily or exclusively on AWS.”
HackerOne Capabilities by Key Criteria and Evaluation Metrics
GigaOm evaluated PTaaS vendors on six key criteria that provide differentiating value to users. HackerOne received Exceptional ratings (highest score) for the robustness of the SDLC integrations and the strength of HackerOne’s crowdsourced community of pentesters. The capabilities of our HackerOne Pentest offering across these criteria are as follows:
Key Criteria
- Crowdsourced Pentesting: Our elite group of pentesters are drawn from our community of over 1.5 million ethical hackers. All pentesters are vetted and background checked, with a minimum of 3 years of pentesting experience, and the majority having over 5 years. Our community of pentesters bring a diverse set of skills to test cloud platforms, Web, mobile, APIs, and external networks.
- Integration with SDLC Technologies: Over twenty bi-directional integrations with leading SDLC tools such as JIRA, GitHub, and GitLab. GigaOm identifies the “unique” maturity of our AWS Security Hub integration in the PTaaS space.
- Agile Pentesting Methods: Our PTaaS solution is designed to reduce the logistical overhead and lag that is typical in traditional pentesting engagements. Onboarding and scoping processes are self-service, allowing development teams to quickly set up new engagements. By leveraging our large community of testers, HackerOne is able to quickly identify and match the pentesters with the right skill sets to test given assets and technology types.
- Enhanced Communications: HackerOne offers a direct line of communication to testers through in-platform communications and Slack integration. This reduces remediation times, allowing your developers to easily get more information about the scope and impact of vulnerabilities, as well as a retesting feature to confirm the effectiveness of remediation. HackerOne Technical Engagement Managers are assigned to each pentesting engagement to help orchestrate and manage the testing process.
- Automated Workflows: Launching, managing, and reviewing your pentests happens on the HackerOne platform. GigaOm identifies our solution as “highly automated.” The platform allows customers to set up tests and track progress across the complete testing lifecycle from scoping through remediation and retesting.
- Built-in Vulnerability Scanners: We have made an explicit choice not to include vulnerability scanners. Many organizations already use best-in-class vulnerability scanners. We instead choose to focus on our core competency of creating efficiencies for testing that relies on the expertise and ingenuity of human testers.
Evaluation Metrics
The GigaOm Radar report also outlines five evaluation metrics to help organizations understand the positive impact a PTaaS vendor can provide. The capabilities of our HackerOne Pentest offering across these metrics are as follows:
- Risk Reduction: HackerOne’s PTaaS service is one component of our Attack Resistance Management platform that combines PTaaS with continuous testing and attack surface management. Our pentesters find meaningful vulnerabilities that only experienced, human-led testing can uncover. Nearly one-fifth of the vulnerabilities found in our pentests are of “high” or “critical” severity. Compare this to traditional pentester findings that often have no high or critical findings.
- Solution Ecosystem: Our penetration testing service provides vulnerability findings and reports available directly in your development team’s existing SDLC workflows and tooling. We primarily sell directly to our customers today but are working on expanding our sales channels.
- Flexibility: Flexible pricing and packaging allow organizations to scope for multiple tests throughout the year and then adjust as needed when plans or priorities change, with the ability to add more hours of testing throughout the subscription period. The platform tracks total hours and usage. Customers can also clone tests and add custom names to tests. We offer a variety of testing sizes, methodologies, and black box and gray box pentesting approaches.
- Feature Set: Our productized Scoping Form and Self-Setup give enterprises the control to scope, set preferences, and request to launch pentests according to their dates and deadlines. The Pentest Table provides enterprises a birds-eye view of all their pentests in various stages in a single place and the next actions needed to move them forward. In-product methodologies (Web, iOS, Android, AWS, APIs, etc.) keep pentesters focused on coverage and provide asset-specific assurances to support audits and compliance needs better.
- Speed: HackerOne’s PTaaS service is focused on delivering pentests efficiently and quickly, allowing your organization to leverage pentests as a regular part of your SDLC and build resistance to attacks. We can launch a test in as little as seven days, with most customers launching in ten days on average.
Conclusion
Beyond the technical advantages, HackerOne’s Attack Resistance Management platform provides strategic advantages by combining PTaaS capabilities with continuous testing, and attack surface management delivered by a SaaS platform and leveraging the strength of the HackerOne community of ethical hackers.
To learn more about the Pentesting as a Service market, read the full GigaOm Radar report
