Crowdsourced Pen-testing vs. Pen-test as a Service (PtaaS)

Cybersecurity has never been more relevant. Between 2019 and 2020, the reported number of successful data breaches nearly doubled. With the onset of COVID-19 last year, the number of cyberattacks reported to the FBI’s Cyber Division rose exponentially, by roughly 400%, to 3,000-4,000 cybersecurity complaints per day. Despite this staggering increase in cybersecurity attacks and successful data breaches, the cybersecurity industry’s workforce still shows significant gaps. Industry studies show that the global workforce is underfilled by roughly 3 million workers and will need to grow by 41% in the U.S. and nearly 90% globally in 5-10 years to address future cybersecurity threats.

The gap in the cybersecurity workforce highlights a gap in the amount of penetration testing (or “pen-testing”) needed to properly assess current and potential future threats. How is the cybersecurity industry addressing these concerns? To do so, cybersecurity professionals and companies must increase both the quality and quantity of their pen-testing services. But this solution unfortunately highlights a new problem: the choice between crowdsourced pen-testing and pen-testing as a service.

Crowdsourced Pen-Testing

As children, one of the common instructions we were all given was “do not get into a car with a stranger.”

Nowadays, however, platforms such as Lyft and Uber serve as a crowdsourced alternative to taxi and ride-share services. Similar to how these platforms transformed the way users interact with transportation alternatives, many cybersecurity companies offer crowdsourced pen-test (CPT) services to corporations, agencies, and other organizations to help them defend against malicious cyber attacks.

Although it is an innovative practice, crowdsourcing is not without its share of concerns and pitfalls. For example, a large non-profit organization that partners with third-party vendors to handle sensitive and personal information for clients could be at risk from a cyber-attack. Ensuring that crowdsourced freelancers adhere to best practices that keep clients’ data private and secure is a huge challenge for organizations. With this model, control over the tools, methods, and practices used in CPT is extremely limited. How do you know the CPT being conducted by freelance pen-testers will protect the data in your organization and its supply chain?

The short answer is: you don’t, and due to the multi-billion-dollar gap in supply vs. demand of the cybersecurity workforce, that problem is expected to grow worse over the next five years. Because of this workforce gap, organizations may not have the option of hiring pen-testers outside of the CPT or freelance model. This puts companies in a Catch-22 situation: you want to ensure your vendors are adhering to best practices and remaining compliant, but you are putting your data at further risk by hiring freelance pen-testers. The communication between the crowdsourced freelancer and your CPT platform can be secured. However, the tool set used by these pen-testers is so fragmented that control over, and exposure of, sensitive data is an inherent problem in this model.

Having said that, CPT is not all bad. When testing a new app, platform, or software that is still in production and not yet commercialized, the CPT model can easily and quickly check for ways that software might be breached in a proactive manner similar to bug bounty programs.

Pen-Testing As A Service

Companies that offer Pen-Testing As A Service (PtaaS) rather than CPT reap more immediate benefits. While the CPT model can cause frustration over a lack of trust in the freelance model, over the tools or methods used to test for breaches of their data, over potential data breaches due to gaps in their vendor supply chain, or even over control of the data itself, companies that offer PtaaS mitigate or outright eliminate these concerns by operating as a unified platform rather than a marketplace.

For example, BreachLock Inc. utilizes a combination of passionate, ethical, and certified pen-testers as well as artificial intelligence (AI) technology as a force multiplier to deliver PtaaS. Because BreachLock develops its own toolset and framework for conducting these pen-tests, our clients’ testing metadata is ring-fenced and stays within the BreachLock platform itself. This prevents both us and our clients from losing control of their data and the methods used in testing its security, while allowing for increased testing at scale through the combination of verified in-house cybersecurity professionals backed by AI, working in tandem to create algorithms that assess, identify, and test potential weaknesses in less time. In this way we amplify the scalability of our in-house certified programmer hackers and avoid the pitfall of a completely human-dependent penetration testing approach. The collective intelligence of our training data continues to grow with each pen-test we conduct. This fuels the supervised learning of our AI algorithms, which frees up our highly valued human hackers to focus on the more complex vulnerabilities.

The current issues surrounding the cybersecurity industry are not a result or reflection of low investment. Rather, they are symptomatic of the fact that institutions that house sensitive data in their systems do not conduct enough pen-testing of their data to safely and proactively identify and assess cybersecurity threats before a malicious attack occurs. Although this problem is itself symptomatic of both the current gap within the cybersecurity industry’s workforce and the projected growth of that gap over the next decade, the creation of and continued investment in a marketplace-style model can diminish the impact PtaaS offers, as institutions choose from a growing number of freelance pen-testers rather than certified professionals in their field.

Seemant Sehgal is the Founder & CEO of BreachLock Inc. – the world’s first AI-powered, full-stack, and SaaS-enabled Penetration Testing as a Service. Since 2019 BreachLock has quickly emerged as a market disrupter in the traditionally human-dependent Penetration Testing market.