
What is Penetration Testing as a Service (PTaaS)?

Penetration Testing as a Service (PTaaS), more commonly shortened to ‘Pen Test as a Service’, is the delivery of penetration testing services via a cloud-hosted portal. The testing itself is normally conducted by a third-party contractor who is either employed by the portal vendor or subcontracted by it via a human resource ‘marketplace’.


The pen test platform acts as a front-end interface through which the customer procures the pen test services and receives the testing results. For the consultant delivering the pen test, the vendor portal is the tool in which they log vulnerabilities and findings.

PTaaS tends to be charged to the client either on an ad-hoc ‘per use’ basis or via a rolling subscription charge.

What is a PTaaS provider?

A PTaaS provider and its associated platform serve both as a marketplace connecting customers to pen testers (normally ‘ethical hackers’) and as a means of shaping the scope, duration and reporting output of the resulting pen test assessment.

Is a PTaaS provider right for our business?

It depends.

If you simply want to ‘tick a box’ to meet a compliance or supplier assurance obligation, then PTaaS may be a good answer for your needs.

If, however, you are a fast-paced organisation whose attack surface is constantly changing through a continuous software or change release cycle, then a continuous offensive security solution providing constant cyber attack is likely to be a much more suitable option.

Challenges of PTaaS

  • Pen Testing as a Service is point in time. This means that the moment you receive the report, it is very likely to be out of date already. Every organisational change you make (a software release, a new hire, a new process, a technology update or implementation, and so on) changes your resulting attack surface and therefore opens a cyber risk gap. Most organisations change many times PER DAY, so infrequent or ‘point in time’ testing is ineffective at exposing security risks in a timely manner.
  • Pen Testing as a Service is typically ‘remote only’. It is uncommon for a PTaaS provider to offer onsite pen-testing engagements through its ethical hackers, or to have the means to conduct physical or social engineering attacks.
  • PTaaS is heavily automated, which results in low-value, noisy reports. Automation-heavy testing operated by a pen test engineer involves them running tooling that generates a lot of ‘noise’: vulnerability detections that are frequently insignificant and unlikely to lead to an actual breach. Whilst the pen tester will augment their use of automation with some manual techniques, PTaaS engagements are typically broad rather than deep, which fails to match the approach a genuine threat actor would take against a target organisation.

Alternatives to PTaaS

PTaaS builds on and attempts to modernise the traditional, legacy penetration testing service. But by design it cannot go far enough to accurately mimic and expose the risks that a genuine threat actor would seek to exploit. Constant Cyber Attack offerings that provide continuous offensive security whilst closing the cyber risk gap are the answer. Constant Cyber Attack services keep pace with an organisation’s continuous release and change cycles and outpace adversaries who are constantly looking for ways to compromise organisations.
