More and more buyers are discovering the immense value that crowdsourcing brings to penetration testing, for several reasons. For example:
- Complicated attack surfaces often require skill sets and experience that smaller pentest benches, whether internal or externally sourced, don’t have. When approached in an engineered, fine-grained way, crowdsourcing gives you the ability to curate precisely the right pentest team for your needs.
- Some customers have adopted the practice of rotating pentest providers in order to diversify their view of the attack surface. With authentic support for crowdsourcing, pentesters can be rotated on demand without switching providers.
- Although it’s not required, crowdsourcing unlocks a scaled pay-for-impact incentive model in which 10, 50, or even hundreds of testers inspect a target simultaneously, each trying to maximize their earnings by finding the most critical issues. This is a powerful risk reduction strategy with a long track record of success in bug bounty programs. For some buyers, particularly ones open to continuous testing, it leads to risk reduction that goes far beyond traditional methods. (Furthermore, it creates a very attractive ROI case for the CFO.)
That’s great news! Now the penetration testing industry is also discovering crowdsourcing, but unlike customers, not always for all the right reasons.
Enter Crowd Washing
We’ve seen this movie before: in the recent past, legacy IT vendors struggling to win the mindshare battle with cloud-native upstarts adopted the word “cloud” to re-brand their status-quo offerings. That strategy gave rise to the term cloud washing, defined by TechTarget as “the purposeful and sometimes deceptive attempt by a vendor to rebrand an old product or service by associating the buzzword ‘cloud’ with it.” Now we’re seeing some pentesting vendors adopt the same playbook, using a crowd washing strategy to make their offerings sound more modern and impactful than they really are.
Here are some crowd washing warning signs to look for:
- When the provider claims a “community” of hundreds or thousands of pentesters on their bench. Generally, only a small pool of those testers will be available for any given engagement, so “first tester up” is usually the main driver for assignment, and nothing more fine-grained than that. For buyers looking for a specific skill set, that approach won’t deliver what they need.
- Absence of pay-for-impact incentives. There are always good reasons for selecting one incentive model over another. Providers that focus on the fixed-price, pay-for-effort model exclusively, however, are preventing customers from taking full advantage of crowdsourcing scale for maximum risk reduction.
- When dashboards are “platforms.” Some PTaaS providers use the words “platform” and “dashboard” interchangeably. A pentest dashboard gives you access to analytics and results, but it does nothing to help you take advantage of crowdsourcing at scale; that requires an engineered software and services platform that abstracts away all the operational details of crowdsourcing. And a true platform has to be able to deliver on that for multiple security goals, not just pentesting!
Crowdsourced PTaaS Requires a Platform
Now that you know what to look for, make sure you only buy crowdsourced pentesting from providers with a credible track record!
Bugcrowd invented crowdsourced pentesting when we introduced our original offering, Next Generation Pen Tests, in 2018. Today, our Security Knowledge Platform delivers PTaaS for everything a customer might need when testing web and mobile apps, networks, APIs, cloud infrastructure, IoT devices, and even crypto and web3, whether for a time-boxed duration or continuously. The proprietary CrowdMatch ML technology in our platform can curate precisely the right trusted pentest team to support those tests on demand, and buyers can then pay the testers for their time at a fixed rate or based on the number and criticality of the issues they find.
Platform services like CrowdMatch, best-in-class triage, reporting and analytics rooted in a rich Security Knowledge Graph, and integration with DevSec workflows are what power our crowdsourced PTaaS, managed bug bounties, VDPs, attack surface management, and, perhaps most important, our ability to innovate in response to emerging needs. Furthermore, our approach lets researchers align with a platform that offers clear, explicit rewards for solving challenging problems that match their skills and interests, and that leads to long-term success for them and for customers.