This section contains the most frequently asked questions about our product. If you can't find the answer you're looking for, please contact our support team.
Penetration Testing as a Service (PTaaS) is a model for delivering penetration testing services to organizations on a subscription basis. In this model, the client is in the driver's seat and can request pen tests through their platform.
To get started, we'll require some essential information from you. First, please provide basic scoping details, including the number of applications, URLs, and API endpoints that need to be covered during the test. Once we've finalized the scope and you've signed the necessary contracts, we'll need you to supply testing documentation such as API files, credentials, mobile binaries, and other relevant materials. This will enable our team to commence the testing process promptly.
Vulnerability scanning is an automated process of detecting and assessing the vulnerabilities in a system by referencing a vulnerability database. Penetration testing (pentest) is a manual process to detect vulnerabilities a scan cannot find, such as business logic errors. Manual penetration testing also dramatically reduces the likelihood of false positives in the report. Vulnerability scans are generally included as a step in the pentest process.
If we find something that could be exploited to severely impact the organization, we will reach out as soon as possible, before the report is released, to inform the relevant parties.
We can fulfill the penetration test requirements for most compliance needs, including vendor assessments, PCI, HIPAA, SOC 2, etc.
We recommend focusing on and fixing higher-severity findings first. Still, a thorough pentest discovers all potential issues; not all of these can or need to be fixed. What to do with low or medium-level risk findings is specific to how you do business and is often a decision only you and your organization can make. Organizations should have criteria they use to evaluate all vulnerabilities to decide what risks should be remediated. Your organization should monitor any vulnerabilities deemed not risky enough to require remediation to ensure the risk level does not become elevated due to changes over time.
Third parties often request a copy of the pen test report, but sharing the full detailed report is not recommended due to potential sensitive information or active vulnerabilities. Instead, we advise providing a 'Letter of Attestation' as proof of pen testing activities. If requested, we can provide the Letter of Attestation. Ultimately, the level of detail shared with clients is a business decision, considering that each business-to-business relationship is unique.
Our highly trained testers endeavor to identify as many issues as possible within the allocated time frame during the pentest. However, given the nature of pentests, a pentest is not guaranteed to uncover all vulnerabilities. Thus, we advise against relying solely on the pentest results. Instead, we recommend implementing additional security measures throughout the SDLC to ensure the comprehensive security of your application.
Traditional pen testing is typically a one-time event that is conducted on a periodic basis (such as annually). PTaaS, on the other hand, is all done through our VulnVoyager platform. You can submit for a test, chat with your pen tester, and receive all your tests online. You're in the driver's seat.
Still have questions?
Contact our support team and we'll get back to you within 24 hours.