Pen testing sure ain’t what it used to be. Or rather, what it was meant to be all along. Human-driven attack simulation was once considered the best way to approximate real risk for a given system. But the realities of a model relying on full-time resources in a resource-constrained market contribute to ever-widening gaps in efficacy not easily filled by technology or skill alone. And while lengthy scheduling delays and disappointing results can frustrate users, these aren’t traits of pen tests themselves, but rather symptoms of a more systemic issue in how they are resourced and deployed.

In 2018 Bugcrowd brought the power of the Crowd to penetration testing, to provide a new way of connecting and enabling talent to satisfy compliance objectives without sacrificing speed, coverage, cost, or ease of use. Next Gen Pen Test provides incentivized, continuous pen testing, in a pay-for-results model that helped many organizations achieve greater risk reduction in a shorter period of time. 

Today, Bugcrowd is excited to announce the next solution to join our growing Pen Test portfolio: Classic Pen Test.

Classic Pen Test provides on-demand access to the value of the Crowd, through a more predictable project-based pricing schedule that eliminates variable incentivization. While gamification has proven to increase quality and severity of findings, many organizations are restricted by budgetary or operational architectures which prevent continuous coverage, and require capped-cost investments. Classic Pen Test enables more organizations to benefit from the value of the crowd, without straying from the parameters that make sense for their business as a whole.

Like Next Gen Pen Test, Classic Pen Test is offered through the Bugcrowd platform, which means it comes out-of-the-box with several features designed to make compliance-based testing quick, easy, and most importantly, effective. 

The Bugcrowd Classic Pen Test Difference:

  • Set up in <72hrs on average: Crowdsourced, pay-per-engagement models create unlimited opportunity for trusted and talented pen testers from around the world. Avoid lengthy scheduling delays waiting for the right resources with thousands of pen testers available immediately.
  • 360 evaluation plus CrowdMatch: Pen testers are continually evaluated by skill, trust, experience, performance, and much more. CrowdMatch leverages these data points to help locate the right resource for every project, without delay. 
  • Real-time vulnerability view: View vulnerabilities in-platform as soon as they are discovered, rather than all at once at the end of the engagement.
  • SDLC integrations: Seamlessly connect Classic Pen Test to your developer workflows through integrations with GitHub, ServiceNow, and more.
  • Remediation advice: Help dev fix quickly with prescriptive instructions by vulnerability type, automatically appended to every valid vulnerability based on Bugcrowd’s objective classification system, the Vulnerability Rating Taxonomy (VRT).
  • 24/7 access to in-platform reporting: Monitor vulnerability status and program activity directly in-platform.
  • Fully managed: Bugcrowd handles pen tester matching, activation, and remuneration, as well as vulnerability triage and prioritization.
  • QSA-assessed compliance report: Contribute towards alignment with compliance standards like PCI-DSS, NIST 800-53 rev4, ISO 27001, and more.

How It Works:

Bugcrowd Classic Pen Test helps organizations meet security testing and compliance requirements for targets like public web, mobile, network, and IoT, without compromising on results. As with many pen testing companies in-market today, Classic Pen Test can be purchased in “blocks” of work depending on the scope, skills, and methodology required to test a target in full. Blocks can be purchased per project, or in bulk wherein a “draw down” method is used to calculate effort required per engagement.

After scoping, the project is resourced using CrowdMatch technology to identify the right set of pen testers with the right set of skills and experience to fit program needs. Selected testers then follow our BugHunter methodology (unless otherwise specified by the customer), which blends OWASP Top 10, PCI, NIST, and Hi Trust standards, with industry best practices. The time between program initiation to launch is often as short as 72 hours, though additional report expedition can be purchased as needed. 

If pen testers uncover vulnerabilities during their assessment, they are submitted through the Bugcrowd platform where they become immediately available for customers to view and action upon as they see fit. Our team of in-house security operations engineers also validate and prioritize all incoming submissions on a rolling basis before pushing through SDLC integrations like JIRA and GitHub. While awaiting final report, customers can also view program progress and activity 24/7 via always-on platform dashboards.

Building a more flexible future:

Pen tests remain a mainstay for many security programs. They are well understood, easily consumed, and readily accepted as an objective measure of security by auditors, customers, and investors alike. Bugcrowd Classic Pen Test bridges the gaps caused by the traditional deployment models to deliver the compliance-driven testing organizations need, with the flexibility, visibility, and results they deserve. For more information on Bugcrowd’s Pen Test portfolio, check out our website, or get started today!

Also, be sure to join us on Thursday May 7, at 11 a.m. PT for a product introduction webinar to learn more about Bugcrowd’s entire Pen Test portfolio. Register here.