Companies Moving to HackerOne Challenge from Traditional Pen Testing See 115% ROI, Improved Customer Satisfaction, Better Security, Says New Forrester Report

May 14 2019

“If you break it down as bounty payouts compared to the quality of vulnerabilities found and time saved, HackerOne is a much better ROI compared to traditional pen testers.”

HackerOne customers of every stripe have told us for years that hacker-powered security not only saves them money, but that it also makes them more secure.

Organizations are increasingly turning to HackerOne Challenge, our hacker-powered pen testing alternative, to address compliance requirements and harden applications.

Our new HackerOne Compliance Challenge offering, which supports PCI DSS and SOC2 requirements, gave us a great opportunity to engage Forrester Consulting to conduct a head-to-head comparison.

Forrester interviewed four HackerOne Challenge customers who had all previously used traditional pen testing firms.

The results provide strong support for the hacker-powered security model.

Based on interviews and analysis, Forrester used their Total Economic Impact approach to create a composite company blended from the HackerOne customers they interviewed. This composite is a US-based SaaS company with global operations that holds PII and cardholder information. It completes two HackerOne Compliance Challenges per year: one test of the production environment, which is required by its Qualified Security Assessor (QSA), and the other of the development environment.

Forrester Research found that the composite company:

  • Saves more than $500,000 over three years with HackerOne Challenge, compared to a traditional pen testing firm.

    One interviewee notes: “For every $1 we spend on HackerOne Compliance Challenges, we would have spent $5 on other pen testing and auditors.”

    Savings came both from replacing pen test costs with HackerOne Challenge and from a reduction in internal security and engineering effort when working with HackerOne.

    • “Previously we had scanners-as-a-service doing static and dynamic code scanning. It found some bugs but was 10x to 15x more expensive per bug found and didn’t find everything.”
    • “We have seen a reduction in internal effort for developers. There is less rework, and they write better code. This is FTE savings that can be used for other activities.”

  • Increases their customers’ satisfaction and retention.

    In the words of one interviewee: “When a PCI audit is delayed, companies don’t want to work with you. That can cost you business. Before starting the [HackerOne] Challenges, that happened and lost us new business. It hasn’t happened since.”

  • Greatly improves security, reducing the likelihood of a security breach.

    “We found 138 vulnerabilities in our first Challenge. They were found much faster and of higher complexity than what we had gotten from past providers,” noted another interviewee.

Security is foundational to trust today. In partnership with the 400,000+ strong HackerOne community, we are proud to play a leading role in securing the internet. This new Forrester report, complete with cost comparison spreadsheets and dozens of verbatim quotes, provides the independent data and framework to evaluate the financial impact of HackerOne Challenge on your organization.

Download your copy of the Forrester Research report today.
