Everything is just theory until tested. In cybersecurity, the outcome of a failed theory is real-world problems like hijacked or stolen data, damaged brand trust, and tangible financial costs.
This is where offensive security comes into play. In the hands of highly qualified experts, offensive security puts road miles on your cybersecurity program and tools to ensure durability against cyber attackers. Penetration testing, red team exercises, and vulnerability assessments are methods used to find security gaps and exploitable vulnerabilities so they can be remediated for more vigorous overall cyber defense.
While penetration testing and red teaming are often used synonymously, there are nuances to consider before choosing one over the other.
How penetration testing differs from red teaming
The primary difference between a traditional pen test and red teaming is the goal and approach of the engagement. Penetration testing identifies and exploits vulnerabilities in the network, with the goal of obtaining privileged access to a protected, security-sensitive environment or system, such as achieving Domain Administrator privileged access or gaining access to cardholder data. This approach isn’t intended to be stealthy or to evade detection. A penetration test uses human ingenuity to dig into the nooks and crannies of an environment and uncover areas that could lead to success for an attacker. The penetration tester then uses the discovery path to craft remediations that reduce risk.
Red teaming emulates real-world tactics observed from specific malicious adversaries and takes a covert approach. The objective is to test the target company’s ability to detect and prevent the tools, tactics, and techniques of a known threat actor group.
Penetration testing varieties
At Converge, penetration testing is an umbrella for all offensive testing. Red and purple teaming join network, application, social engineering, cloud, ransomware, supply chain, and other types of testing conducted by our highly certified penetration testers. Each area includes additional branch-off or ancillary testing that aligns with that specific area.
Traditionally, penetration tests are single, annual engagements. As a point-in-time look at security, organizations often use them to show compliance with industry or regulatory requirements. Some organizations are discovering that more than a single snapshot is needed as their digital footprints expand, development cycles become agile, and compliance requirements get more stringent. Penetration Testing as a Service (PTaaS) evolved to meet the need for more frequent testing.
What is PTaaS?
PTaaS is defined as continuous or ongoing testing that leverages automation.
Generally, the mechanics of how providers test differ little between single engagement testing and PTaaS. For example, if a provider uses crowdsourced testing, their single engagements and PTaaS are crowdsourced, and so on. At Converge, our penetration testing delivery model is consistently people-powered by US-based testers employed by Converge who use manual techniques assisted by advanced security tools and automation.
Along with frequency, PTaaS offers flexibility and lower costs than multiple single engagements. The easiest way to understand PTaaS is to think of it as a subscription for penetration testing. Like any subscription, it has a defined length of time, cost, and set of inclusions.
Continuous testing also provides for a more viable, effective defense posture against the always-changing and ever-dynamic threat landscape. PTaaS offers regular testing at scheduled intervals, ensuring your defenses are evaluated against evolving threats and newly discovered vulnerabilities. Standalone tests might miss critical gaps that emerge between assessments.
Amplifying the human factor
Why does Converge rely so heavily on human testing? In our experience, that approach finds critical, jaw-dropping threats. Automated testing doesn’t. Instead, automated testing is likely to produce a false sense of security and waste valuable team efforts fixing things that don’t matter.
Human ingenuity drives each of our penetration testing and PTaaS engagements. Better than 90% of our testing efforts are manual, with an approximate 10% assist by automation.
Vulnerabilities aren’t equally exploitable or popular with attackers, but automation-alone testing doesn’t understand those distinctions. These facts make it intriguing that many firms do the inverse of Converge, using automation alone for nearly everything tested.
How Converge PTaaS works
By pre-purchasing a block of Converge PTaaS hours, you can test what and when you want within the length of your subscription using a sizeable menu of available testing components.
If you haven’t used all your hours by the end of your subscription term, you can roll them into a new term. On the other hand, if you need more testing than your bucket of hours provides, you can refill it without resubscribing for a new term.
| | Converge Single Engagement | Converge PTaaS |
|---|---|---|
| Methodology | 100% Human-Led: 90% Manual Testing + 10% Technology & Automation Assisted | 100% Human-Led: 90% Manual Testing + 10% Technology & Automation Assisted |
| Frequency | Point in Time | As Needed |
| Scope | Defined | Flexible |
| Changes | Change Request | Built In |
| Budgeting | New SOW | Same SOW |
| Collaboration | Access to Testers & Project Management | Access to Testers & Project Management |
| Reporting | Online Portal; Near Real Time | Online Portal; Near Real Time |
| Scheduling | In Queue | Prioritized |
| Pricing | Set Price | Discounted |
When to choose PTaaS
PTaaS isn’t the answer for every organization every time. However, if any of the checked items in the PTaaS column apply to your organization, it could indicate that it’s a fit.
| | Converge Single Engagement | Converge PTaaS |
|---|---|---|
| Needs Over $55k | X | |
| Limited Scope | X | X |
| Compliance Checkbox | X | |
| Minimal Environment | X | |
| Dynamic Environments | X | |
| Rapid Development Cycles | X | |
| Shifting/Diverse Scope | X | |
| Multiple Perspectives | X | |
Weighing your penetration testing options
If your organization is large and complex, develops custom applications, requires multiple tests in a single year, or benefits from several types of offensive security testing, PTaaS is likely the right choice. This testing model provides valuable insight into your evolving security posture, saves your organization money, and offers greater flexibility to meet your company’s objectives.
You can learn more about Converge PTaaS here or you can schedule a discovery call to explore the best penetration testing option for your specific needs.