Digitization is inevitable for nearly every industry. Over the last few decades, digital service platforms have become the standard in industries ranging from bookkeeping and financing, booking and room management, customer relationship management, and sales management to finance. Pentesting will digitize as well; it’s only a matter of time. One of the critical steps to enabling that digitization is implementing a platform to manage files, automation, customers, and everything else in one digital place. Pentesting is now stepping into this space, with many asking critical questions about how to start using pentest management platforms to deliver pentest-as-a-service.
Most industries have started out with a mixed approach, either building the platform for that digitization internally or outsourcing and purchasing an existing “Software as a Service” or “Platform as a Service”. As markets mature, nearly all solutions end up external, with even large-scale organizations choosing to outsource platforms rather than build them internally. This is especially notable in relatively modern fields, like digital experience (ABN AMRO and Barclays use Backbase), digital payments (Uber, Booking.com, and KLM use Adyen), and CRM (EasyJet and Citibank use Equiniti). Pentesters are now in the same place, asking those same questions and making those same decisions. And anyone in the retail space understands that if you want to build a web shop, you’ll likely implement a pre-built solution like Shopify, which delivers an e-commerce platform to over 1 million customers, including giants like Hasbro, The Economist, Penguin Books, and the BBC.
At the same time, outsourcing to a pre-built solution is hardly a new phenomenon. Investing heavily in products that aren’t core, like digitization, adds costs while typically producing a lower-end product. No one would even think about developing their own text editor to compete with Microsoft Office, or their own operating system to compete with Linux, Windows, or OS X, because it simply isn’t cost-effective or realistic to do so.
Building Features and Platforms is Expensive
You might be thinking that it’s easy to develop a pentest management platform internally. You have developers, you have an IT team, and you’re uniquely equipped to know exactly what you want and need from a digitization platform. But building internal platforms is expensive. You can expect to dump thousands of euros into upfront development. That can seem attractive when you consider that you won’t be paying another company for licensing, support, or customization.
At the same time, that calculation leaves out a lot of ongoing costs. Bugs, problems, changes in browsers and operating systems, plugin and API updates, etc., will be incredibly costly and time-consuming. Unless you create an internal team to manage updates and changes full-time, your platform will eventually break, degrading the customer experience and costing your organization money. Either way, full-time maintenance is expensive at any scale.
You also have to consider factors like development time. Implementing a pre-built pentest management platform can take a few weeks. Developing, testing, and bringing your own platform to market will take half a year at best and, more realistically, over a year. In the meantime, your organization falls behind as competitors digitize.
Finally, your own solution means your own training. You’ll have to develop training and how-to material and encourage internal adoption on your own. These can be costly factors, and they are almost never considered upfront.
Scalability May Be an Issue
As your organization grows, your customer base increases, and your headcount expands, can your platform keep up? The goal of digitization is often to enable faster and better service to customers. If you improve the quality of pentests, improve the speed of delivery, and improve reports, chances are your customer base will grow. Will your solution support that growth?
More importantly, can you build your pentest-as-a-service platform in such a way that you can scale it? The more you scale, the worse small bugs and issues get. Small problems can grow into huge, expensive issues when you scale, simply because you amplify that problem by however many times you’ve grown.
Your Pentest Management Platform Detracts from Core Services
Two of the most justifiable reasons for building your own pentest management platform are customization and support. It’s critical that a platform meet your hackers’ and customers’ needs. It’s also critical that you be able to use the platform with whatever software and hardware you already have. If your tools don’t integrate, you might as well not have the platform.
But both of these justifiable reasons can be worked around. Nearly any platform is customizable. Most vendors will also add support for new tooling on demand, especially if it guarantees them a client. And taking the time to focus on developing a platform will likely detract from the very thing your organization wants to do.
What is that? Simplifying processes, automating manual tasks, and delivering a better service and result to the customer.
If your organization is dedicating a significant portion of time and resources to developing something outside the scope of what you do best, you’re moving away from what you do best and towards building software.
At the end of the day, your pentest firm is about hacking, not developing. You can put together a team to develop a pentest platform and manage it long-term, but it will always be secondary to what you do best. You’ll never have the resources, demand, or scale to truly focus on your platform, to provide interesting work to the people managing it (and therefore to keep them engaged), or the expertise to produce something truly excellent.
While you can set out to build your own platform and make something great, because you know what you need and why, it will always carry that caveat: it is not core. You’ll never be able to focus fully on making your pentest management platform truly excellent.
Leveraging a Pentest Management Platform
Pentest automation, cloud reporting, and project management automation are relatively new fields. But choosing an existing platform is still the best way to improve your services, because you can leverage a pentest platform in the same way you would a hosting service or a scanner: to improve existing services without developing a new tool from the ground up.
Cyver Core is that platform, offering automated reporting, customer integration, pentest norms, and work management. It’s available now, with everything ready to implement out of the box.
We built Cyver Core as part of a collaboration with pentesters and service providers. It’s built around the needs of the hacker, the pentest firm, and the client, with the intent of improving the pentest experience for everyone involved.
Most importantly, Cyver Core is our core service. Our platform is what we do, it’s what we’ll invest in, and it’s where all of our resources will go. The platform will continue to improve over time as we develop new features, use customer feedback to refine what we have, and work to make everything better.