Pentesting has changed a lot over the last 20 years, but delivery remains much the same as it was then. Most pentesters now rely on digital tooling and automation to run their tests, which can save hours in everything from mapping attack vectors to finding low-hanging fruit with automated scanners. Yet the pentest report, the deliverable from all that work, hasn't changed. You still import findings into (most likely) a Word pentest report template, customize the template, and generate a PDF for the client. They receive it via email and may send back feedback or questions over the phone or by email.
That process is now changing quickly, as digital delivery options like pentest-as-a-service start to take over. The primary draw is often not features like repeatable pentests run on a schedule, but the shift to digital pentest management and digital delivery. At Cyver Core, we believe that digital delivery, with findings as tickets, digital vulnerability management, and real-time communication like chat between pentesters and stakeholders, is the future of pentesting.
Changing How We Work
Digital transformation, the migration to cloud and digital tooling, has taken over. Businesses have now spent almost $2.4 trillion on digital transformation. Nearly all new businesses are digital native. And with 70% of all companies having started a digital transformation, one thing is clear: digital is the future of work. While only 21% of companies think they have completed their digital transformation, over 60% use cloud and work-management tooling. The figure is even higher in software development, where digital saturation is closer to 100% due to the nature of the job.
As people grow accustomed to working digitally, non-digital reports like PDFs start to feel out of place. Those reports still have their place and value in helping organizations meet compliance requirements and pass audits, but they become less and less useful for the people actually resolving the issues. The result is long time-to-fix, low remediation rates, and poor communication between the pentester and stakeholders. For example, if a middleman such as a manager or a single compliance officer has to break down the full report and distribute the work, remediation takes longer, becomes top-down rather than Agile, and creates disruption. That eventually produces environments where pentests are seen as obstacles that slow down work and block ship dates or rollouts. There is no collaboration, because the pentester is working in a different environment, with different tooling, and in a different way.
Clients already get digital delivery and vulnerability management from scanners, from their cloud providers, and even from plugins and widgets in their CMS. Most cloud platforms include native scanners intended to catch misconfigurations and insecure settings; those findings are delivered as tickets that can be routed directly to the stakeholders responsible for the fix. The same holds for scanners like Netsparker and Rapid7, whose results overlap with those of the scanners pentesters use. It is also good that clients use those tools. It helps them find and remediate easy-to-find issues, so they stay more secure between pentests. Pentesting can then function as a layer on top, further hardening the environment by finding the issues that require human insight.
Ultimately, the shift towards digital tooling and security scanners means one thing: clients want and need work to be managed and delivered digitally. For pentesters, that means moving to pentest management platforms, which provide digital work management, tooling, and automation. Most importantly, they enable digital pentest delivery, with findings as tickets, interactive metrics, and interactive findings where stakeholders can ask questions, see the data, and work on remediation.
How much of this is needed varies considerably depending on what the pentest is for. If you are performing a pentest purely for compliance, digital delivery adds less value. Even then, digital work management and delivery help clients remediate findings and request retests on them, so they can move through the audit more quickly. You can therefore offer significant value to clients who do not yet realize they need digital delivery.
Ultimately, most work is shifting to digital. Moving pentest management and delivery to a secure cloud portal can give you a USP with clients now; in 5 or even 10 years, it will likely be necessary just to retain them, as the industry shifts towards the cloud. Bear in mind that such a portal holds unremediated findings for every client, so "secure" has to mean strong authentication, per-client access control, and encryption in transit and at rest at a minimum. We firmly believe client demand is driving pentest delivery to digital and cloud, and we are here to help.
If you want to know more, contact us for a demo to see how Cyver fits into your business model.