Skip to main content

What is Penetration Testing as a Service or PTaaS?

Penetration Testing as a Service is defined differently by a lot of different organizations. Paying attention to memes would suggest that PTaaS is nothing more than a glorified scanner, and that just couldn't be farther from the truth at least for our team at Xcape it was the pathway for us to provide our clients a more consistent easily reproducible work product. As a boutique information security firm making a name for ourselves as the company you call when all the other so called "experts" fail you. We needed a way to scale ourselves, watching the industry evolve from the sidelines missing out on work that we're overly qualified for, while other organizations grow loosing the quality of their work products because hackers aren't reproducible. 

The first step for us was the hardware, building a hardware platform that makes it impossible for us not to get connected and configured made it so that we could work with any clients technical ability to deploy our solution in any environment,  then we had to become an MVNO to provide ourselves connectivity that's totally out of band. The cell nerd in me took it a step further so that I can isolate devices within the LTE network so they only have access to each other. So our teams connection to our cellular network isn't just novel connectivity our devices we use internally are connected to the private proportion of our LTE network. 

In building PTaaS we knew the goal was always to automate as much of the tedious workflow as possible. So much so that instead of pentesters being network engineers, and technical support staff on engagements, with the workflow and software we've developed, this tool means that our pen testers spend more time actually pen testing, developing malware, and discovering attack chains that lead to compromised systems, the goal of any pen test. 

So what is pen testing as a service you ask? We started with automating most of the first half of our asset discovery workflow. I can't tell you how many pen test we've been on where the target list we're given ends up being just a portion of the end points they have. So our initial scan takes into account that some clients might not be aware of all of their infrastructure so our XBMAS engine does the work of doing OSINT on the client with the targeting information provided, and goes and digs up assets that are related to the organization.

Great now we know about all the assets belonging to your organization and we can start using industry leading tools that are always being updated with fingerprinted vulnerabilities, and new tactics developed internally by our team to scan your internal and external infrastructure for known vulnerabilities building an attack profile of all the exploitable systems within your internal network, external perimeter, and cloud infrastructure. 

Now we've got this automated attack profile based on the results of a bunch of scans of your internal, external and cloud infrastructure. So with the help of our cloud infrastructure and our NetNinja, our system will launch automated attacks against your infrastructure, providing screenshots and code execution of working exploit code that works to gain access to your systems.

So at this phase the automation has done its job and our pentesters have shells waiting for them to dig on. That means on the majority of all our pen test, our testers are spending 100% of their time exploiting systems, working to build attack kill chains, developing malware and custom payloads. We spend more of our time working out ways to exploit your infrastructure over the longer term of our ongoing engagement. 

So instead of a two week smash and grab that results in a large report with a lot of findings, you can instead work with our team to identify vulnerabilities as they're discovered, with access to our pen testers and MSP staff for escalating the remediation of vulnerabilities your team might not have the ability to address. 

Anyone trying to sell you PTaaS without automated exploitation is just lying to you because that's what we call vulnerability scanning and management, which just isn't the same as pen testing.

What we define as Penetration Testing as a Service will set the bar for what the expectation should be when you talk to a firm about PTaaS. If you ain't getting hacked it's not a pen test. 

Click here to learn more about PTaaS by Xcape, Inc. 


Popular posts from this blog

Why you should pick Xcape, Inc., for backup internet.

In today's hyper-connected world, internet downtime can be catastrophic for businesses and individuals. That's why having a reliable backup internet service is crucial. This blog post will pit our cellular backup service and router ( NetMaxX ) against another provider to show why our backup internet service is superior. Our customer recently complained to their primary internet service provider about their internet downtimes on an install. They sent a technician to install a failover router and service from their primary provider. Unfortunately, not only was the technician they sent unable to install and configure the failover router properly. But they continued going down until we installed our NetMaxX , utilizing our network. First and foremost, our backup internet service offers automatic failover. If the primary internet connection fails, our service automatically switches over to the backup cellular connection, ensuring minimal disruption to your internet access. Not that

Please allow me to reintroduce myself...

CellPhoneDude  Or the founder, owner, and CEO of Xcape, Inc. I started this company in 2006 as an MSP helping to build and maintain infrastructures for a number of entertainment industry professionals, small and medium sized businesses, CEO's and their families, and other high net worth individuals. Making a name for myself and my one man band that was Xcape.  For years I struggled with learning how to start and operate a business successfully. I started to build a team of other hackers, pen testers and other information security professionals. The first of which I had the pleasure of being introduced to me as one of the brightest people in infosec and he's been my partner and our CTO/CISO for the last 13 years. That's when we first pivoted to infosec taking on DFIR, pentesting, and assessment work. We constantly push each other to grow and be better. So running a company with this man, building and innovating has been a dream come true.  The second an app sec engineer who