“Pentest as a Service Impact Report: 2020” Finds Organizations Are Expanding Pentesting Scope and Frequency


Study finds that top driver for pentesting has shifted from compliance and customer requirements to a desire to make applications and services more secure

Organizations report pentesting for their entire application portfolio, with more frequent testing on critical apps

May 6, 2020 (SAN FRANCISCO) – Cobalt.io, the first Pentest as a Service (PtaaS) platform, today released findings from “Pentest as a Service Impact Report: 2020,” a new study that aims to unravel and understand the specific benefits and challenges of deploying a PtaaS solution in a modern software development environment, and to compare the SaaS model with traditional, legacy pentest services. Conducted by Dr. Chenxi Wang, founder of Rain Capital, the study reveals a noticeable shift since 2017 toward application security as a top priority. Companies also report expanding the scope and frequency of pentesting, conducting testing for their entire application portfolio instead of only crown jewel or business-critical applications.

Key findings from the study include:

  • Application security is a top business priority. When asked about their company’s motivation for pentesting, organizations cited the desire to make their applications and services more secure as the top driver — a noticeable shift from 2017, when compliance and customer requirements were cited as the top drivers for pentesting.
  • Companies are expanding pentesting scopes and frequency. In 2020, companies report conducting pentesting for their entire application portfolio, with higher frequency testing on business-critical apps; whereas in 2017, companies were more inclined to conduct annual testing only for crown jewel applications.
  • PtaaS enables more agile testing and closer collaboration between security and development teams. In 2017, application security was viewed as the exclusive responsibility of infosec. In 2020, organizations said they viewed it as a shared responsibility between infosec and development teams, a model that seeks to harmonize the goals of the two teams by rewarding development teams for completing appsec tasks while rewarding appsec teams for helping engineering release features securely.
  • PtaaS has a lower overhead than traditional, services-based pentesting. Testing that is both location-agnostic and horizontally scalable removes the geographic bias of traditional pentesting services, a bias that adds overhead to delivery. PtaaS also improves communication between security and development: the constant back and forth takes place through the platform, which further reduces overhead.

“To be successful in today’s digital economy, modern software companies must evolve quickly without compromising security,” said Caroline Wong, Chief Strategy Officer at Cobalt.io. “Pentest as a Service provides agile and scalable pentesting to identify and resolve security vulnerabilities across application portfolios in accordance with frequent software releases.”

“I am glad to see that many companies are prioritizing application security, which is one of the smartest ways to spend your security investments,” said Dr. Chenxi Wang, founder of Rain Capital. “This study shows how organizations, large and small, implement application security within the backdrop of DevOps and cloud native development. It’s not surprising to see pentesting as a critical element in modern application security initiatives.”

About Pentest as a Service Impact Report: 2020

The study was conducted by Dr. Chenxi Wang, founder of Rain Capital. In-depth interviews were conducted with Cobalt.io customers, which consist primarily of SaaS and enterprise software providers and represent both publicly held, global companies with thousands of employees and privately held, mid-sized companies with hundreds of employees. To see the full findings, view the report here.


About Cobalt.io

Cobalt.io’s Pentest as a Service (PtaaS) platform transforms yesterday’s broken pentest model into a data-driven application security engine. Fueled by a global talent pool of certified pentesters, Cobalt.io’s platform delivers actionable results that empower agile teams to pinpoint, track, and remediate software vulnerabilities. Hundreds of organizations, including the new generation of software companies, now benefit from high-quality pentest findings, faster remediation times, and higher ROI for their pentest budget.

Visit cobalt.io to learn how Cobalt.io is securing apps for companies such as HubSpot, Palo Alto Networks, GoDaddy, Vonage, and Axel Springer, and join us on Twitter and LinkedIn.