Breaking Down the Benefits of Hacker-Powered Pentests
To produce their recent report “The Total Economic Impact Of HackerOne Challenge: Improved Security And Compliance”, Forrester Consulting interviewed customers that switched to HackerOne Challenge, our hacker-powered pentest solution, from traditional pentesting providers.
Forrester found that HackerOne Compliance improves security, which in turn reduces customer churn. This second blog in our series breaks down that finding.
Customers told Forrester that with their previous pentesting provider, an audit was often merely a “check-the-box” activity. In many cases, the goal of the audit-related penetration testing was just to mark it as completed. Not too surprisingly, these pentests provided little value in actually improving security or increasing customers’ confidence.
As one interviewee put it, “We are in a highly regulated industry—PCI, GDPR, SOX, and so on. I was paying for quarterly compliance pentests. They were ‘checking the box.’ I always wanted them to find something. After two years, they still didn’t find anything. We are good, but not that good.”
In contrast, the power of the largest ethical hacker community on the internet ensures that HackerOne customers benefit from a world of expertise and perspectives.
As one government program manager interviewed by Forrester put it, “The pentests used to be limited by the skill level of the assigned team. Sometimes they get very settled in how they approached a problem. When you bring in the crowd with HackerOne, you have different perspectives and better results.”
Another interviewee supports this, saying, “The biggest benefit is the nature of the hackers. They are skilled and motivated. They will actually find things. I don’t know why the previous pentesters did not.”
In contrast to “check-the-box” pentests, with HackerOne customers actually improve security.
“We found 138 vulnerabilities in our first Challenge. They were found much faster and of higher complexity than what we had gotten from past providers.”
Faster Audits, Happy Customers
When the independent analysts at Forrester spoke to companies like yours that switched to HackerOne Compliance, they heard again and again that compliance and audits improved.
In the words of one customer, “In a traditional model, we would get the report and then send questions back to the tester. Responses would be delayed and slow, and the information coming back wasn’t concrete. HackerOne provided information [in] near real time, which was fantastic. By getting better information about complex, multistage vulnerabilities, we could fix related vulnerabilities, too.”
Auditors accept the HackerOne Challenge Security Assessment Reports for SOC2 Type 2, PCI DSS, and HITRUST certification.
“We do the Challenge and then bring the auditors in. We use compliance to make the platform more secure.”
Interviewees’ customers reward better compliance and more meaningful audits with more new business and stronger loyalty.
“Our audits are now a point of trust with prospects. HackerOne wound up being a revenue-generating opportunity.”
“When a PCI audit is delayed, companies don’t want to work with you. That can cost you business. Before starting the Challenges, that happened and lost us new business. It hasn’t happened since.”
Download Forrester’s “The Total Economic Impact Of HackerOne Challenge: Improved Security And Compliance” for free and learn how you can comply with regulations faster and with less effort -- all while improving security.