How Layer8 used Cyver Core to deliver pentest-as-a-service with a ready-to-use pentest portal
“We want our clients to be sure we are always there for them, whenever they need a pentest. That we’re always ready to find vulnerabilities on their perimeter before the bad guys do. Cyver helps us a lot with delivering this kind of offering and is, without a doubt, adding value to our customers.” – Miguel Santos, Offensive Security Unit Manager, Layer8
Layer8 is a full-service cybersecurity company. With managed services, technology, governance, risk, and compliance, CSIRT, SOC, and offensive security, Layer8 is a one-stop-shop for cybersecurity. Since the firm’s launch in 2012, it’s also grown to serve over 100 clients in its home country of Portugal and internationally, with a team of 12+ pentesters in the offensive security team.
“We wanted to launch our pentest-as-a-service offering, we didn’t have a pentest platform, and we thought developing it in-house would take too long. “says Miguel, “We went to the market and searched for a solution that could help us speed up delivering to our clients.”
Who Are Layer8?
As a full-service cybersecurity company, Layer8 already delivers software and technology solutions as part of its package to clients. That includes the Vuln8 vulnerability scanner for vulnerability assessment and mitigation, Learning8, a security user awareness platform, FISH8, an anti-phishing solution, and much more.
Layer8 wanted to deliver pentest-as-a-service with continuous pentesting. For that it needed a portal.
- Projects on Cyver Core: 100+
- Plan: Enterprise
- Pentesters:12+
- Location: Portugal
- Started on Cyver Core: 2023
- Rates Cyver Core: 9 out of 10
Choosing a Ready-to-Use Pentest-as-a-Service Portal
With a goal of avoiding building a custom portal, Layer8 needed a pentest portal that aligned with its existing work routines and needs. The pentest team did their research and compared options like Plextrac with Cyver Core.
“We started testing Cyver Core in 2023 and we started using later that year. The platform aligns a lot with our internal methodology. The definitions of pentests, assets, the vulnerabilities being tied to the pentest or an asset, and the platform was really intuitive and easy to use – so we liked it more.”
Delivering Pentest-as-a-Service
Layer8 delivers pentest-as-a-service with continuous pentesting, automated scans, and additional SOC and CSIRT services. The team leverages a mix of scanners, including Cyver’s integrated scanner, plus its own, with an API integration.
“In 2024, we went live with our pentest-as-a-service offering. We started by migrating our clients who were already asking us for continuous pentesting. They are happy with the platform so far and it’s been a very good addition to our portfolio.” adds Miguel, “Last year we already did over 1,000 pentests, which was a very good number. We only have our Annual Audit Plan customers on the portal for now. We moved them to Cyver because it’s very easy for them to see progress over time.”
“This year, we’re pushing to clients that don’t have that plan and who might need just one or two pentests in the year. We’ll also try to deliver those pentests in the platform.”
Layer8 isn’t fully integrated to Cyver Core yet. The company is still moving customers to the platform.
“For now, we still have some clients that don’t like the idea of having their findings in the cloud.” says Miguel, “But we are working towards moving everything into just Cyver. 30-40% of our clients request a pentest through the platform. Some of our clients are more old-school and prefer to send us an email with the planning for the year – but we still migrate that to Cyver Core as well. And, for now, we use open-source reporting tools and Microsoft Office for clients that don’t want their findings in the cloud.”
Delivering SOC and CSIRT
Layer8 also uses Cyver Core to deliver SOC and CSIRT services. Currently, the company delivers SOC-as-a-service to nearly 100 clients through Cyver Core. Their SOC and CSIRT teams are set up on Cyver Core, delivering their own audits, scans, and projects.
Delivering more Value to Clients
“Clients are changing the status of vulnerabilities very often. It’s a completely different approach than without the platform. When clients don’t want the platform, we retest once after they’ve fixed everything. With Cyver Core, we see fixes as they happen and the client can request individual retests, especially for critical vulnerabilities. That helps us deliver a better service.” says Miguel.
“Cyver Core simplifies how we deliver; it adds more value to our clients because they can now manage pentests and finding, and some of them had no way to do that before. Plus, it helps us cross sell other services that we also offer through Cyver.”
