“We’ve seen a lot of improvement in the traditional pentesting process, and we have more communication and improved transparency in the process. We can share pentest reports and findings more easily – all of that has made a difference.”
When Hacksclusive launched, the firm wanted to do something different from standard pentesting. Its founders were pentesters with 10+ years of experience in the industry and they wanted to deliver a value-added service with a pentest delivery model that extended beyond a PDF report. They wanted to deliver Pentest-as-a-Service, with recurring pentesting, findings-as-tickets in the cloud, and transparent processes, and Cyver Core was chosen to make that happen.
We interviewed Martijn Baalman, co-founder of Hacksclusive, about his experience with Cyver Core.
The Pentest Firm
Hacksclusive is a cybersecurity startup that fully launched in January of 2023. The company employs a team of 5 pentesters and 4 trainees, who do ethical hacking for 25+ clients.
- Clients: 25+
- Ethical Hackers: 5+
- Projects on Cyver Core: 100+
- Location: Groningen, Netherlands
- Rates Cyver Core: 8.5 out of 10
Choosing Cyver Core
Hacksclusive joined Cyver Core during our early development phase. The firm was one of Cyver Core’s first customers.
“I’ve been hacking all of my life, and pentesting for about 10 years, and there’s always been this thing where pentesting processes are a black box. The customer requests a quote, pays, and 6 weeks later, the assessment happens, and they receive the pentest report. Everything in-between was unclear. Part of the idea of Hacksclusive was to change that. We wanted to either build or use a platform to change that.”
“We compared a few options, but Cyver really was the logical choice. The competitors had a higher price point, which is significant for a startup. And, Erik, our co-founder, already knew Luis, Cyver Core’s co-founder.”
A New Way to Deliver Pentesting
All of Hacksclusive’s clients use the pentest-as-a-service model. That means every client is onboarded to the platform, where they receive insight into the pentest, can collaborate directly with the pentester, and receive findings as tickets rather than just the PDF report.
“We have clients that actively engage with us under every finding. We can offer them extra tips and recommendations and directly talk to the devs doing the work. That was never possible before, because they just had a PDF distributed by a team lead, and it was up to the dev to figure the process out. It’s one of the biggest improvements to the whole process.”
Hacksclusive built its business model around delivering pentest-as-a-service, which means all of its processes are incorporated in the platform.
Using the Platform
Hacksclusive uses all of the available features in Cyver Core. This includes report templates and report generation, the client portal, findings as tickets, the findings library, workflows, team management, and client management.
“We’ve been quite happy with it for the 80-90%, that’s quite good. Of course, it’s not perfect. Cyver focusing on SOC2 compliance meant some backlog items weren’t completed when we expected them. And we are quite dependent. If something doesn’t work, I have to contact the team. If it’s a weekend or in the evening, I might have to wait. We’re a startup pentest firm, so quite often we work around the clock, with clients in different time zones, so there is a disadvantage to working with a small support team. But for 90%, everything has been good.”
“However, overall, we’ve seen great improvements to customer collaboration and the transparency of the pentest process.”
While Hacksclusive delivers findings as tickets in the platform, it also uses the pentest report generation feature. Reports go to general clients who want a pentest for security reasons and to compliance customers who need a report tailored to their custom compliance framework.
“Time to report is still significant. We spend 4-8 hours on each one depending on the customer. But, without Cyver, reporting was a long, dragging process of Word document versions, work environments, and having 3-4 systems in place to share the pentest – and all of that took a lot of time. Now, we generate the pentest report in the portal, edit it there, and deliver it to the client.”
Hacksclusive also uses the API to connect custom tooling and its hacking tools.
Hacksclusive uses Cyver for client management, with compliance and pentest-as-a-service clients.
“We’ve been using Cyver Core to onboard all of our clients. However, we also have a lot of compliance clients with DigiD, and we don’t onboard the specific clients we test for that. Instead, we onboard their audit provider – which forwards relevant details to the client. Everyone else is onboarded to the portal – and clients use it quite extensively.”
Getting started with the portal normally means a 20–30-minute onboarding session and kickoff to introduce clients to the platform.
“Our clients are new to having a platform instead of email. But they’re reacting to new findings being added, to reports, and updating the status of findings tickets. The notifications work quite well – of course, sometimes there are a lot of notifications, but you can fine-tune that, and overall, clients are quite happy with it.”
“I think the portal saves us time over email – but it’s more time investment at the start. Of course, most of our clients are in IT, so using a web app is not rocket science for them.”
“The portal is also more secure, clients like that everything is in one place, and their report isn’t distributed via a third-party application. Cyver Core also has extensive security features, and we use all of them.”