In May 2024, Bugcrowd acquired Informer, an innovation leader in external attack surface management (EASM) and continuous penetration testing. At that time, we also announced the immediate availability of Bugcrowd EASM, a solution for getting a complete, always up-to-date view of your external risk exposure.

Today, we’re excited to announce the first net-new product enabled by the ongoing integration of Bugcrowd EASM with the Bugcrowd Platform: Continuous Attack Surface Penetration Testing.

All pen testing, all the time

This new offering is designed for customers with an evolving attack surface who may only do pentesting (i.e., take a snapshot) once or twice a year, leaving “assets in motion” exposed to adversaries during long gaps. Instead, with Continuous Attack Surface Penetration Testing, assets are continuously monitored, and new ones are identified as soon as they are internet accessible. Bugcrowd’s elastic pentester bench will hunt for vulnerabilities on any changes to the attack surface as Bugcrowd’s EASM monitoring technology finds them, with everything fully managed by Bugcrowd.

That also means that instead of relying on intermittent testing to address a backlog of emergent vulnerabilities, customers can have assurance that assets are being tested for exploitability via new vulnerabilities much sooner after they appear, versus up to a year later.

Unlike point-in-time penetration testing, Continuous Attack Surface Pen Testing from Bugcrowd provides assurance of testing coverage across digital asset inventory as it changes over time.

We’re excited about the possibilities, and we hope you are too. And when complemented by continuous MBB and/or VDP engagements on our platform, Continuous Attack Surface Pen Testing helps reach a uniquely high level of assurance that compliance goals and risk reduction goals are being met, all the time. 

EASM everywhere

Continuous Attack Surface Pen Testing is evidence for our proposition that although EASM can be used in standalone mode, the ability to do EASM, EASM-enriched pen testing, and EASM-enriched crowdsourced testing on a single platform is what provides overwhelming value, providing complete, continuous attack surface visibility along with proactive human testing to accelerate compliance, risk reduction, and remediation, as well as the opportunity to consolidate multiple budget items with a single provider.

To make that vision real, we’re working hard to bring advanced discovery capabilities into the Bugcrowd Platform. Meeting that goal will give Bugcrowd EASM customers the ability to continuously discover, monitor, and assess their entire evolving attack surface for risk, and then to take action on that risk via penetration testing, crowdsourced testing, and other proactive risk-reduction solutions to come, all in a single SaaS platform and with a unified view of asset and vulnerability data.

For example, as part of our roadmap in the coming months, Bugcrowd EASM customers will have the ability to manually or dynamically update scope on existing bug bounty engagements to account for new and updated assets, and to kick off a new pen test or bug bounty engagement for specific assets directly from their EASM dashboard.

As for hackers, they will be able to earn more rewards per hour of effort when bug bounty scope has been enriched by EASM, and testers of all kinds should have a larger universe of engagements in which to participate. Stay tuned!

Eyes on the prize

Combining detailed asset data acquired through EASM with the massive amount of vulnerability information our platform has processed in the past 12+ years will create new, unique value for customers and hackers alike. As we’ve explained previously, our long-term vision for our platform is to use that data to:

  • Continuously deliver data-driven insights and recommendations in context, giving customers more visibility into risk and security ROI. 
  • Make those insights actionable through proactive, crowd-powered solutions that meet a range of different compliance and risk-reduction needs.
  • Help testers earn more experience and rewards by intelligently scoring, recommending, and matching them to more engagements that reflect their interests and experience. 

Continuous Attack Surface Pen Testing is just the first innovation milestone, with more to come!