#InfosecurityEurope: Does Pentesting Need a New Service Model?

Pentesting has been a firm feature of the cybersecurity world for decades, but some argue that the market needs a new approach to pentesting in order to get the most value from the activity.

"Pentesting has been around since the 1960s and hasn't changed much since then. But that's about to change," said Ben Armstrong, CEO of Cytix, during a talk at Infosecurity Europe 2023.

His startup offers a pentesting-as-a-service (PTaaS) that he hopes can disrupt the market.

Over the past five years, pentesting has shifted towards being a compliance-based annual checkbox instead of being integrated into organizations’ vulnerability management strategy, Armstrong continued.

After surveying multiple CISOs, Armstrong and his co-founder Thomas Ballin, then working with different companies, found two main reasons:

  • Because it depends on human expertise, pentesting is hard to market as a product and to plug into all the digital products it must interact with
  • CISOs said pentesters don’t understand their businesses

Armstrong believes that, to resolve these bottlenecks, PTaaS should move away from the consultancy model, which dominates the market, and adopt a service delivery model instead – “providing a group of pentesters for a year instead of a pentester for a week,” as Armstrong put it.

To pursue this mission, Armstrong and Ballin left their jobs in 2022 and founded Cytix.

The Manchester-based startup’s model is built around six-pentester clusters working with a limited number of clients. Each client is allocated a cluster for an annual fee, depending on the number of assets the client wants to cover, and clusters can be specialized in specific industries or technologies. “This process is very similar to how an external security operation center (SOC) works,” Armstrong told Infosecurity.

Armstrong argued that, in the wake of the explosion of supply chain attacks, the service delivery business model of pentesting will be critical in the future: “With the complexities of modern organizations’ supply chains, it will become almost useless to have a pentesting report once a year. Partners, investors and regulators will increasingly ask companies to provide regular or continuous reports spanning a few months back.”

Cytix is among the 14 finalists of the UK’s Most Innovative Cyber SMEs in 2023. The winner will be announced at Infosecurity Europe on June 21, 2023.