#InfosecurityEurope: Cytix Aims to Shake Up Pentesting with New Service Model

Penetration testing has been a well-established function in the cybersecurity world for decades, but some argue that the market needs a new approach to get the most value out of the activity.

“Penetration testing has been around since the 1960s and hasn’t changed much since, but that’s about to change,” Cytix CEO Ben Armstrong said in a talk at Infosecurity Europe 2023.

His startup offers Penetration Testing as a Service (PTaaS), which he hopes can disrupt the market.

Over the past five years, pentesting has become a compliance-based annual checkbox rather than being integrated into an organization’s vulnerability management strategy, Armstrong continued.

After researching several CISOs, Armstrong and his co-founder Thomas Ballin, who worked at various companies at the time, found two main reasons for this:

  • Human nature makes it difficult to sell penetration testing as a product and incorporate it into every digital product that needs to be operated.
  • CISOs say penetration testers don’t understand their business.

To solve these bottlenecks, Armstrong believes PTaaS needs to move away from the consulting model that dominates the market and embrace a service-delivery model instead. “We don’t offer one-week pentesters, we offer a group of pentesters for a year,” says Armstrong.

To accomplish this mission, Armstrong and Ballin quit their jobs in 2022 to found Cytix.

The Manchester-based startup’s model is built around six pentester clusters working with a limited number of clients. Each client is assigned a cluster with an annual fee depending on the number of assets the client wishes to cover. Clusters can also specialize in a particular industry or technology. “This process is very similar to how an external security operations center (SOC) works,” Armstrong said.

“With the explosion of supply chain attacks, the penetration testing service delivery business model will be very important in the future. Partners, investors and regulators will increasingly require companies to submit periodic or ongoing reports for months ahead.”

Cytix has been named one of the 14 finalists for the UK’s Most Innovative Cyber SMEs for 2023. Winners will be announced at Infosecurity Europe on June 21, 2023.
