Recently, Bugcrowd introduced the latest solution in our expanding Pen Test portfolio. Bugcrowd Classic Pen Test was designed to help organizations quickly launch methodology-driven pen testing through a cost-predictable, pay-for-effort model. Six weeks in, we wanted to share the most frequently asked questions to help you determine which solution in our portfolio is right for you.

What common challenges does Classic Pen Test help address?

Traditional pen testing has served an important purpose for a number of years, but a utilization-based model of resourcing salaried pen testers has led to lengthy scheduling delays and a mismatch of skills per engagement. Additionally, lack of connection to the software development life cycle has created an unnecessary division of work between security and development teams, delaying vulnerability remediation, and stalling compliance initiatives, sales cycles, and product launches. To combat these deficiencies, Classic Pen Test leverages a crowdsourced, pay-per-test model to allow for unlimited growth in available resources. An added layer of advanced matching technology helps rapidly deploy talent fit for every unique testing scenario while real-time vuln view, fully managed triage, and SDLC integrations further reduce time to value.

What’s the difference between Bugcrowd Classic and Next Gen Pen Test?

Both Classic and Next Gen Pen Test are offered through the Bugcrowd platform, which means they both provide real-time vulnerability results view, 24/7 reporting, fully managed triage and remediation advice, and developer tool integration to help fix findings quickly. Additionally, both draw from the largest network of pentesting professionals, matched to every unique program by  skill, experience, and a host of other factors as determined by our CrowdMatch technology. And, both provide standardized QSA-assessed compliance reporting at the end of the engagement.

Here is where they differ:

Next Gen Pen Test offers a choice between continuous or on-demand incentivized methodology-based testing with premium SLAs, retesting, and coverage analysis included. Pentesters are rewarded for valid findings, which has been shown to increase volume and severity of vulnerabilities uncovered.

Classic Pen Test provides a more prescriptive pricing option, through a flat, pay-per-test model, without the variability of an added incentivization pool. Classic Pen Test also offers many of the benefits of Next Gen Pen Test as add-on components priced individually according to engagement. This includes options for additional targets, executive reporting, rush reporting, retesting, and even pentester filtering by skill, geography, experience, and more. 

Which solution is right for your organization?

Bugcrowd’s Pen Test solutions were specifically designed to meet a variety of unique, and complementary use cases.

  • If your goal is simply to reduce risk, meet compliance objectives, and launch the program quickly, either solution would be a great fit.
  • If you’re hoping for more vulnerabilities during the testing period, the incentivization model unique to Next Gen Pen Test has been proven to increase the number and severity of findings.
  • If you need Premium SLAs for vulnerability triage, or log-based coverage analysis, Next Gen Pen Test is the right solution for you.
  • If you’re constrained by budgetary or procurement cycles, and need predictable pricing that does not fluctuate per finding, Classic Pen Test may be a better fit.

How does Bugcrowd charge for Classic pen tests?

Classic Pen Test engagements are priced based on the scope of the targets under consideration. Our expert security engineers will guide you through a comprehensive scoping exercise to calculate effort required as a full time equivalent (FTE). For those accustomed to traditional pen test pricing schedules, this effort-based model is the equivalent of “days” required to test (more on that in the next question!).

Effort is a function of engagement complexity, which changes based on parameters like number of roles in the application, payment functionality, etc. As Classic Pen Test does not include a pay-for-results component (bounty pool), pricing includes pentester payment for the scope defined, which is fixed per project.

How long until I receive a report?

As Classic Pen Test is offered through the Bugcrowd platform, vulnerabilities are viewable as soon as they are uncovered. At the conclusion of the testing period, results are aggregated and a final compliance report is delivered (typically what your auditor wants to see). The timeline of this report is dependent on customer requirements and whether expedited testing has been requested.

Unlike a traditional pen test, Bugcrowd Pen Tests benefit from a larger network of fully remote pay-per-project testers, who are empowered to test according to the times that best suit their schedule. This allows us to attract the widest variety of talent for every engagement and enables us to use availability and time commitment as factors in the final assignment. For example, if your program is scoped at 3 days, testing might occur over the course of 2 days (12 hours each day), or spread out over the course of a week (5 hours each day), depending on pentester availability. This helps us further reduce time to final report. No Pen Test program proceeds without clearly defined reporting expectations and projected timelines.

Pen tests remain a mainstay for many security programs. They are well understood, easily consumed, and readily accepted as an objective measure of security by auditors, customers, and investors alike. Bugcrowd Classic Pen Test bridges the gaps caused by the traditional deployment models to deliver the compliance-driven testing organizations need, with the flexibility, visibility, and results they deserve. For more information on Bugcrowd’s Pen Test portfolio, check out our website, or get started today!