Penetration Testing as a Service (PTaaS): the evolution of Penetration Testing at AT&T

August 16, 2022  |  Mike Ross

The author is a member of AT&T Cybersecurity Consulting Center of Excellence. This is part of a blog series from that elite group.



Let us start by defining Penetration Testing as a Service (also known as PTaaS) because there are several different definitions and variations being used throughout the industry. Some of the similarities include:

  • Continuous or more frequent penetration tests to create a find – fix – verify loop that provides closer to real-time awareness of your environment, accounts for drift, and verifies that your remediation efforts are effective
  • Leveraging cloud-based platforms, automation, and AI to speed up this entire cycle

This is where AT&T starts to differentiate itself from competitors. This next part we believe to be critical:

  • Augmenting automation and AI with manual testing and analysis by knowledgeable human experts

There is a misconception that Penetration Testing as a Service devalues the quality of testing. This is rooted in a distrust of platforms that are marketed as fully autonomous, use “trigger words” like AI, and leave human expertise out of the loop.

Don’t believe the marketing hype: fully autonomous penetration testing is not ready for prime time, and it likely never will be. These systems need to be trained by humans who have a deep understanding of the tactics, techniques, and procedures used to perform attacks manually and who know how to identify errors and gaps in the system and its testing coverage.

A perfect analogy is the current state of autonomous vehicles, where the most successful and reputable brands require the driver’s hands to be on the wheel during the vehicle’s operation. Here at AT&T, rest assured a penetration tester is in control, ready to step in as needed to perform a thorough penetration test.

Now let us discuss a few of the benefits to this approach.


The flexibility of multiple tiers of service and price points: Automated, manual, and hybrid solutions exist today. Annual “one-and-done” penetration tests have limited value and the industry has already moved on to more frequent testing. We also have options for quarterly, monthly, or on-demand testing. Once you are onboarded and have scheduled and completed your first penetration test with us, we can even perform one-click verification of individual findings after remediation.

Return on investment: Penetration Testing engagements are priced based on Level of Effort (LOE) measured in hours. If some of this precious time is spent manually orchestrating and configuring infrastructure to perform attacks, there is less time remaining for testing, analysis, and report writing.

Speed of testing: New threats are discovered and weaponized by attackers so quickly that waiting for development cycles to integrate detection and proof of concept exploits into a product/platform is a losing battle. By augmenting these tools with a penetration tester, we can bridge that gap and notify you of the highest risk findings as soon as the testing has completed.

There is no need for you to wait until the full report is delivered before you start your remediation efforts. This leaves a smaller window of exposure.

Which frequency of testing is right for me?

That depends on your risk profile and budget, but testing more than once a year is a great start, and we will demonstrate to you the value of more frequent testing. Are you ready? To learn more, check out AT&T Cybersecurity's penetration testing services.
