Interpret the 2023 GigaOm PTaaS Radar Report with HackerOne
Technology research firm GigaOm recently published its Pentesting as a Service (PTaaS) Radar Report, naming HackerOne as a market leader for the second year running. But what does this mean, and how should you use the report to make purchasing decisions on PTaaS solutions? This blog outlines GigaOm’s conclusions about HackerOne and what you can learn from GigaOm about our solutions.
The GigaOm report recognizes and validates the substantial advantages of PTaaS over traditional pentesting, especially for digital-forward organizations. It also provides a technical evaluation of key PTaaS vendor offerings in the market. A select group of ten vendors, including HackerOne, were invited to participate in this evaluation.
HackerOne is positioned as a “Leader” and a “Fast Mover,” and GigaOm places the company in the “Platform Play/Maturity” quadrant. GigaOm rates HackerOne’s community-driven pentesting and the platform’s integrations with SDLC tools as exceptional. To learn more, access the complete GigaOm Penetration Testing as a Service Radar report.
PTaaS: Revolutionizing Security Testing
Penetration testing (or pentesting) is one of the most impactful risk reduction methods for organizations, designed to simulate an external attack and share immediate results. These tests provide deep insights, revealing hidden flaws and enabling security teams to enhance their defenses more effectively while achieving compliance.
For decades, traditional pentesting has been the predominant way to conduct these tests. The legacy approach, however, relies on a limited number of experts, which creates bottlenecks, limits the scope, and affects the quality of the tests. The need for specialized testers in many legacy services often leads to prolonged scheduling delays, and even after testing, organizations typically face extended waits for comprehensive, actionable vulnerability reports.
Pentest as a Service (PTaaS) has emerged to address the shortcomings of traditional methods and enhance the efficacy of pentesting by incorporating SaaS-like features. GigaOm’s Radar Report states that “PTaaS represents the revolution in the pentesting space that was long overdue.” PTaaS offers immediate access to on-demand talent, actionable findings, and real-time interaction with testers. It ensures systematic collaboration with standardized methodologies and integrates seamlessly with modern applications, APIs, and mobile and cloud systems.
HackerOne Is Positioned to Deliver High-Impact and Efficient Community-driven PTaaS
GigaOm analyst Chris Ray notes, “HackerOne delivers high-quality results through its diverse pentester community and is committed to enhancing business workflows via seamless integrations and automation.” Furthermore, the report acknowledges the benefits organizations will receive from HackerOne's “advanced bidirectional integrations with key SDLC tools like Jira, GitHub, GitLab, AzureDevOps, and AWS.”
Ray assigns one of the highest scores to HackerOne’s ability to draw on a diverse pool of vetted pentesters in testing engagements. Access to a vast, talented, and readily available group of pentesters is the main differentiator between community-driven and traditional PTaaS solutions. The community-driven approach provides direct access to top-tier pentester expertise and ensures the tests are agile and adaptive to emerging threats. HackerOne is one of only two vendors that received an exceptionally high score in the crowdsourced pentesting category.
Ray comments on HackerOne’s community-driven testing capabilities: “While some PTaaS providers use in-house testers, HackerOne prefers crowdsourcing from its community of 1.5 million ethical hackers. Pentesters for the HackerOne PTaaS are crowdsourced from a community of vetted, background-checked, ethical hackers, which, HackerOne asserts, will ensure a diverse skill set capable of delivering the best pentest findings.”
HackerOne Capabilities by Key Criteria and Evaluation Metrics
GigaOm evaluated PTaaS vendors on seven critical criteria that provide differentiating value to users. HackerOne received Exceptional ratings (the highest score) for the robustness of the SDLC Integrations, the ability to deliver Automated Workflows, Enhanced Communications, and the strength of HackerOne’s community-driven pentesting approach. The capabilities of our HackerOne Pentest Suite across these criteria are as follows.
Key Criteria
- Crowdsourced Pentesting: Our elite pentesters are drawn from our community of over 2 million ethical hackers. All pentesters are vetted and background-checked, with a minimum of 3 years of pentesting experience, and the majority have over 5 years. Our community of pentesters brings a diverse set of skills to test cloud platforms, web applications, mobile applications, APIs, and external networks.
- Enhanced Communications: HackerOne “offers near real-time visibility into pentesting activities for clients through its portal” and Slack integration. This reduces remediation times, allowing your developers to quickly get more information about the scope and impact of vulnerabilities, as well as a retesting feature to confirm the effectiveness of remediation. HackerOne Technical Engagement Managers (TEMs) are assigned to each pentesting engagement to help orchestrate the testing process and quality. As the report notes, TEMs “are former pentesters who know the trade well and are focused on optimizing the delivery of each pentest. They work as an expert advocate for the client before and after the engagement period.”
- Integration with SDLC Technologies: Over 26 bi-directional integrations with leading SDLC tools such as JIRA, GitHub, and GitLab. GigaOm identifies the “unique” maturity of our AWS Security Hub integration in the PTaaS space.
- Automated Workflows: Launching, managing, and reviewing your pentests all happen on the HackerOne platform. GigaOm identifies our PTaaS solution as “a highly streamlined one” that can deliver results in less than two weeks from launch.
- Streamlined Procurement: The report says that “HackerOne’s onboarding and scoping processes are crafted for efficiency, significantly reducing the need for frequent meetings. By offering a cloning feature for repeated pentests, they avoid redundant tasks, streamlining the workflow” and “ensuring a frictionless and user-centric onboarding experience.”
- Retesting of Findings: GigaOm observes that the “findings can be retested by the client within 60 days,” depending on the tier. HackerOne offers “a free automated service called Hackbot” to help “customers prioritize findings by providing detailed remediation steps.”
- Built-in Vulnerability Scanners: We have made an explicit choice not to include vulnerability scanners. Our customers already have at least one automated vulnerability scanner in their environment. Instead, we focus on vulnerability discovery powered by human intelligence. Our testers use off-the-shelf and proprietary scanners only as a starting point for their reconnaissance and assessments.
Conclusion
HackerOne's Pentest Suite is transforming security testing, offering a comprehensive approach that combines community-driven pentesting with a broad range of offensive security services. This suite, encompassing Attack Surface Reconnaissance (ASR), Code Security Audit (CSA), and Challenges, brings targeted testing together with continuous bug bounties and Vulnerability Disclosure Programs (VDP) to streamline the vulnerability management process. This holistic approach enhances overall security and ensures fast, effective, and ongoing protection of digital assets.
For an in-depth understanding of HackerOne's leadership in the PTaaS market and the advantages of its community-driven offensive offerings, we invite you to review the full GigaOm Radar report.