An organization's security posture changes constantly in line with the evolving threat landscape, relevant vulnerabilities, and ultimately the degree of business risk. With an annual assessment approach, however, it is clear that any potential security incident will happen between assessments, potentially stretching vulnerability detection and remediation time to 12 months. This is precisely why more and more businesses are moving away from the traditional penetration test, which is very much a point-in-time assessment, in favor of Penetration Testing-as-a-Service (PTaaS).
“Knowing yourself is the beginning of all wisdom.” – Aristotle
PTaaS advocates a continuous cycle of testing and remediation. It holds that a business's security posture is always changing, so combating this moving target requires an ongoing program of testing, remediation and management. The PTaaS methodology recognizes the need to test and check the entire stack, and it is often tiered and flexible between monthly and quarterly assessments of everything from physical infrastructure to network, software, and business functions.
From the operating system to social engineering, PTaaS is all about establishing a regime of both automatic and manual testing and monitoring so that even the smallest aspects of an organization's ecosystem are protected.
The advantages are clear: decreased vendor onboarding time, a continuous view of the security posture, rapid execution due to deep specialized knowledge, and of course trust.