If you’re looking for a pentest, pentest-as-a-service is a delivery model that shifts the focus towards ongoing, scheduled pentests that deliver vulnerability findings as tickets, so you can fix them with a minimum of overhead and without having to break down reports yourself.
It means your pentest delivery switches away from PDF reports and into an online portal, where you get vulnerability findings as tickets, findings management tooling, and the ability to request and schedule pentests and retests. It’s a key part of PentestHero’s pentest offerings, because we believe pentest-as-a-service makes it easier to focus on remediating vulnerability findings so you can improve your cybersecurity.
Of course, we also offer pentest reports and everything else you need to support compliance, C-suite, and internal cybersecurity management. However, our primary pentest delivery is via pentest-as-a-service.
That shift does mean significant changes to how pentests are organized, managed, and remediated inside your teams.
You’ll Be Onboarded to Our Portal
PentestHero will onboard you to our portal. That means you’ll have to select key stakeholders who will be responsible for the results of the pentest. That should be:
- People actually doing fixes, e.g., product owners, devs, IT experts, compliance officers. You can create teams per asset or module, so only relevant people receive notifications when we upload findings.
- Compliance managers
- Anyone who needs oversight of security and costs
From there, teams can add assets and other data to their dashboards. Asset data, including passwords, is stored in an encrypted file, meaning you won’t have to use email or two-factor sharing.
You’ll See Notifications of New Findings
Once the pentest starts, relevant people will receive notifications of vulnerability findings. For example, if you’ve linked teams based on which part of your app they work on, those teams will see findings linked to those assets. They can then immediately export those tickets to their own tooling to incorporate into sprints.
Every finding ticket features a description of the finding, assets it’s linked to, evidence of the finding, and, if we have it, recommendations to fix it.
You Can Talk To Your Pentester(s)
If stakeholders have questions about a finding, they can leave comments on the page to directly talk to the pentester who found it. That simplifies communication and allows your pentester to offer better insight and better advice. Plus, with all communication about a finding located on the ticket, everything is in one place so you can easily reference back to images, links, and replication data without searching for it.
You Can Request Retests
Once you’ve looked at a finding, you can mark it as remediated or accepted. Once remediated, you can request a retest to make sure you’ve fixed the issue. If you do so within the first 30 days of the pentest, PentestHero will do that retest for free.
That’s good for ensuring your fixes work. However, it’s even better for compliance and audit reasons. Once we retest, you’ll be able to regenerate the pentest report, showing a proven fix to a finding.
You Can See Insights and Data
Logging into your PentestHero portal, you’ll see insights and metrics around your pentest(s). This includes metrics on time to fix, with findings ranked by severity; you can also view findings by criticality, by asset, by pentest, and open findings only. That makes it easier to share data with managers, because you can show simple overviews with the important details highlighted. It also makes prioritization easier, because the portal automatically ranks your findings based on assessed risk.
You Can Schedule Your Own Pentests
PentestHero uses a credit system. This means you buy pentest credits in advance. Then, stakeholders can simply schedule their own pentests to align with compliance, feature updates, app updates, etc.
If you’d like to learn more about how PentestHero uses pentest-as-a-service, schedule a demo to get started.