Frequently Asked Questions

1. We are familiar with Penetration Testing (PenTest). What is PTaaS, and how is it different from PenTesting?

PTaaS is an innovative, fast, and comprehensive way of conducting Penetration Testing at scale. Traditional Penetration Testing engagements take longer to execute, resulting in longer project cycles, and are billed by the hour. PTaaS delivers value by combining AI, automation and human PenTesters to produce real-time results in a fast and scalable manner, delivered via an easy-to-use SaaS platform that integrates with your JIRA, Slack, Trello, etc.

  1. AI and automation take care of tasks such as vulnerability scanning, gathering screenshots as evidence that a vulnerability exists and is exploitable, report generation, and running exploits for common vulnerabilities, saving time and cost during project execution.

  2. Human PenTesters (also known as ‘Ethical Hackers’) raise the bar by using human ingenuity, business context, insights from the Dark Web and Surface Web, and knowledge gathered over years of PenTesting to identify and exploit new vulnerabilities which, when exploited, can pose a high risk to a business.

| | Traditional Penetration Testing | PTaaS (Penetration Testing as a Service) |
|---|---|---|
| Technique | Human-led Pen Testers | A.I., Automation and Human Pen Testers (also known as Ethical Hackers) |
| Delivery Model | Consultants on-site. Reports in manual formats such as PDFs, spreadsheets, etc. | Ethical Hackers delivering results remotely. Real-time reports available via a SaaS portal accessible to the users. |
| Pricing | Hour- or effort-based; custom and unpredictable pricing | Outcome/goal-based; credit-based predictable pricing |
| Project Cycle | Longer project cycle due to: longer onboarding time; manual PenTesting; report making | Shorter project cycle because of: quicker onboarding within 6 hours; combination of human-led and automated PenTesting; real-time results and report creation |
| Nature of testing | On-demand and point-in-time | On-demand and continuous Penetration Testing to cater to fast-growing digital businesses |
| Collaboration | Limited collaboration across teams, as the results are delivered in flat files. | Technology integration and workflow across the PTaaS, DevOps and ticket management tools. Real-time collaboration with the business as well as the application and infrastructure teams. |
| Off-hours Testing | Commonly charged at a premium | No additional cost. |
| Rescheduling of tests | Commonly billed separately | Included in the initial scope and engagement |
| Use Cases | Third Party Assurance, Compliance Testing, Security Operations | Third Party Assurance, Compliance and Regulatory Requirements, Scaling Internal PenTesting teams, Mergers and Acquisition Due Diligence, Security Posture Management |

2. How is PTaaS different from Bug Bounty models?

The objectives of PTaaS and Bug Bounty programs are different.

PTaaS offers more comprehensive coverage of known vulnerabilities and weaknesses across asset types, whereas Bug Bounty programs are used to augment Penetration Testing exercises by getting another set of eyes, from a community of hackers, to discover new and unknown vulnerabilities.

Although PTaaS and Bug Bounty have significant overlap, they are not meant to replace each other.

Organizations looking to perform Security Posture Management, meet Compliance and Regulatory requirements, or carry out Third Party and Vendor Assessments should consider PTaaS over Bug Bounty Programs.

| | Bug Bounty | PTaaS |
|---|---|---|
| Scope | Generally limited to a few applications | Comprehensive and wider scope of applications, network, and infrastructure |
| Pricing | Based on discovered and accepted vulnerabilities. The cost depends on the severity of the vulnerability discovered. | Outcome/goal-based; credit-based predictable pricing. Significantly lower priced as compared to Bug Bounty Programs. |
| Project Cycle | Typically, the lifecycle of the application. | Annual and continuous |
| Objective | To find and discover new vulnerabilities by leveraging a community of hackers with varied skill sets and experience. | Compliance and Regulatory Requirements, Third Party Security Assessment, Vendor Assessment, Mergers and Acquisition Due Diligence, Security Operations, Security Posture Management, DevSecOps |

3. How can PTaaS help me achieve my compliance requirements such as ISO 27001, PCI DSS, SOC II, HIPAA etc.? Is the report generated by PTaaS also accepted by the auditors?

Yes, the Penetration Testing reports created by the PTaaS platform are accepted by auditors to meet compliance and regulatory requirements and obligations.

BreachLock is also accredited by CREST and employs CREST-, OSCP- and OSCE-certified PenTesters (ethical hackers).

The BreachLock DAST and Penetration Testing methodology is aligned with the WASC Threat Classification v2.0 and the OWASP Top 10. This ensures that your application meets compliance requirements for PCI DSS, HIPAA, SOC2, GDPR or any other industry standard or regulation.

4. What assets can BreachLock PTaaS test?

The BreachLock PTaaS unified platform covers the entire technology stack of an organization. Assets range from web and internal applications to networks, infrastructure, cloud, APIs, etc. As an organization, you no longer have to engage multiple vendors to meet your security testing requirements.

5. What are the common use cases of PTaaS?

Application Owners/ CIO/ CTO/ CISO:
  1. Security Validation/ Third Party Assessment: Application owners are required to submit a third party assessment report on their security controls and posture to their customers or business owners as part of their contractual obligations, or to perform an internal assessment.

  2. Compliance and Regulatory Requirements: They are also required to have Penetration Testing done to meet compliance requirements such as ISO 27001, SOC2, HIPAA, GDPR, etc.

  3. DevOps: The BreachLock PTaaS platform also integrates seamlessly into organizations’ DevOps tooling such as JIRA, Jenkins, etc., and offers effortless security without disrupting DevOps pipelines.

Security Operations/ CISO:
  1. Scaling PenTesting teams: Security Operations teams are always understaffed with a lot on their plate; BreachLock supports them by augmenting their internal capabilities to perform PenTesting of their network, infrastructure, applications, etc.

  2. Vulnerability Validation: BreachLock also helps validate Vulnerability Assessment results with a zero false positive guarantee.

Business Leaders:
  1. Mergers and Acquisition Due Diligence: Growing businesses are always establishing new partnerships and undergoing mergers and acquisitions; the PTaaS service helps the organization understand and evaluate the cyber risk of the acquired or merged entity.