GigaOm Radar for Penetration Testing as a Service (PTaaS)v2.02

1. Summary

Penetration testing, a cornerstone of cybersecurity, has for many years been the go-to technique for security professionals looking to uncover vulnerabilities in their systems and applications. It helps organizations achieve better practical security outcomes and be compliant with ever-evolving regulatory mandates. The in-depth insights provided by penetration testing are invaluable. They shine a light on hidden flaws and vulnerabilities, empowering security teams to reinforce their defense mechanisms more effectively.

Yet, traditional penetration testing, referred to here as legacy pen testing, presents its own set of challenges. Typically, such tests hinge on the proficiency of a handful of experts, usually one or two testers (often referred to as “pen testers”). This dependence can sometimes act as a bottleneck, potentially narrowing the scope of the test beyond what was intended or impacting its overall quality. Given the limited availability of specialized pen testers within many legacy service providers, arranging for such tests often requires a prolonged wait—sometimes weeks or even months. Additionally, after the completion of the test, organizations might still find themselves waiting for an extended period before they receive a comprehensive report detailing all identified vulnerabilities.

In contrast, penetration testing as a service (PTaaS) amplifies the effectiveness of traditional penetration testing and introduces functionalities reminiscent of modern SaaS platforms. This includes a user-friendly interface that allows clients to seamlessly access consolidated findings, potentially as they’re uncovered, and facilitates real-time interactions with the pen testers. PTaaS also offers a more systematic collaboration with standardized testing methodologies and robust integrations with a range of other contemporary technologies.

Even though penetration testing methodologies have been refined over many years, PTaaS is still in its nascent stages. Given its newness, we can expect the definition and the services encompassed by PTaaS to undergo significant evolution in the next few years. For example, there’s the potential for the integration of newer services, such as attack surface management (ASM) and continuous vulnerability management (CVM). These services naturally align with the overarching goals of PTaaS.

This is our second year evaluating the PTaaS space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.

This GigaOm Radar report highlights key PTaaS vendors and equips IT decision-makers with the information needed to select the best fit for their business and use case requirements. In the corresponding GigaOm report, “Key Criteria for Evaluating PTaaS Solutions,” we describe in more detail the capabilities and metrics that are used to evaluate vendors in this market.

All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:

• Real-time monitoring
• Ubiquitous access to penetration testing services
• Rapid elasticity of penetration testing services
• Remote delivery of penetration tests
• Customizable dashboard, reports, and alerts