
Regular rotation of pen test providers: advantages, disadvantages, alternatives


The number of companies targeted by cybercriminals wanting to steal information and passwords or sabotage business processes has been on the rise for years. In order to find vulnerabilities and possible loopholes in the IT system before they can be exploited by cybercriminals or foreign intelligence services, many companies and organisations rely on white hat hackers.

Pen tests – authorised, simulated cyberattacks in which ethical hackers identify how, and how deeply, attackers can penetrate a system – have long been an essential part of the IT security strategy. Moreover, legal requirements, industry standards and special certifications such as PCI DSS require regular pen tests. Companies can use voluntary penetration tests to prove that they satisfy the regulatory requirements for cybersecurity as well. 

However, penetration testing is not an exact science with a standardised methodology. Different pen test providers have different expertise and focuses and use different methods and tools. Some focus on manual tests, others more on automated ones; some test specific attack vectors (e.g. code injection) extensively, others vary their approaches more widely. Therefore, clients can never be sure that all the vulnerabilities have been found.

This is why many companies consider it best practice to regularly switch pen test providers in the hope that more problems will be detected in the medium term. In this article, we will take a look at the advantages and disadvantages of this practice and possible alternatives.

What is the case for regularly switching pen test providers?

A key assumption behind the practice of rotating pen test providers is that a new team could help to detect vulnerabilities that an earlier tester has missed. The regular rotation of providers is frequently also linked to the expectation that a more comprehensive and objective assessment of IT security will be obtained across the various tests and that this will enable the company to continuously improve its defences against potential cyberattacks. 

Another reason for regularly switching providers may be to compare different pen test providers or to be better able to assess their respective results and capabilities. To achieve the best possible results, however, companies should only give the new pen tester the absolutely necessary information about previous tests and their results – for example pointing out areas that have proven to be particularly vulnerable or providing them with information about methodologies if these are to be subjected to a targeted comparison. This avoids latent bias and guarantees a fresh look at the IT landscape.

There are several reasons for regularly switching pen test providers:

  • Prevention of operational blindness: new testers view the company's IT infrastructure from a fresh perspective and can therefore identify problems that previous testers may have missed.
  • Different approaches: different providers generally use different tools and methods. This means that they can detect particular vulnerabilities that eluded other testers.
  • Benchmarking: comparing the results of different providers enables companies to better assess the providers. A more confident evaluation of the security situation is also possible.
  • Competition: regularly switching providers can lead to healthy competition with every provider endeavouring to impress your company with particularly thorough tests and secure future business.


What are the disadvantages of rotating pen test providers?

As shown above, there are good reasons why switching pen test providers is now considered best practice at many companies. Why do some companies nevertheless decide against this practice? Firstly, because the selection and onboarding of a suitable provider always comes at a cost. Secondly, providers who have already carried out penetration tests at the company have the necessary knowledge of the IT infrastructure and stakeholders. And last but not least, confidence in the testers plays an important role. That is why experts repeatedly point out that building up a long-term relationship with a trustworthy pen test provider may be more advantageous than regularly switching providers.

Possible disadvantages of regularly switching pen test providers in detail: 

  • Longer, more inefficient initial phase: every new provider needs time and resources to understand a company's infrastructure. This means that the tests may initially not be as effective as those of a provider that already has a sound knowledge of the company's IT structure and security situation.
  • Internal effort: the internal security team must also put time and human resources into onboarding a new provider.
  • Costs: contract negotiations, supplier management and knowledge transfer may result in extra costs and tie up additional resources.
  • Lack of consistency: as every provider brings a new test approach and reporting style, it is more difficult to consistently track progress over an extended period. 
  • Data protection: the company must ensure that each new pen test provider complies with the legal data protection requirements (e.g. GDPR), especially where personal data is concerned.

Depending on the company's security situation, the IT infrastructure and the size of the company, the disadvantages can be considerable and may outweigh the advantages. Therefore, you are advised to carefully consider which pen test strategy is appropriate for your company. 


When should you change your pen test provider?

Even if you decide against regularly rotating providers, you should always subject the results of your pen test provider to a critical review. After all, there may be situations in which it is advisable to change a long-standing pen test provider: you should consider changing your provider in particular if the last couple of tests have found no new vulnerabilities. In light of the dynamism of IT systems and the large number of cyberattacks, including on small and medium-sized companies, it is likely that your pen test provider is suffering from operational blindness or is not testing thoroughly enough. The same applies if the test results are hardly distinguishable from the results of an automated vulnerability test (VA test). 

Admittedly, in such a case, you will once again be confronted with challenges that you really wanted to avoid: you must find a trustworthy provider and make time and resources available for the onboarding process, and there is an increased risk of system failures if important features of your infrastructure are not adequately addressed during this process.


The alternative: Penetration Testing as a Service (PTaaS)

PTaaS offers the advantages of a regular rotation of pen test providers while avoiding many of the disadvantages associated with it. In this model, pen tests are carried out and administered by a single, large provider with a large pool of testers who contribute a variety of abilities and perspectives to the testing process.

Other advantages of PTaaS:

  • Standardised approach to the testing: a standardised testing approach makes it easier to analyse and compare the results.
  • Scalability and flexibility: the scope, frequency and methodology (e.g. manual/automated, testing areas, parameters) of the tests can be adapted at any time to suit the current needs.
  • Cost efficiency: no costs are incurred as a result of onboarding new providers, contract negotiations, etc. 
  • Immediate findings: PTaaS with a platform-based communication approach allows pen testers and developers to interact as soon as the first findings come in. This speeds up remediation and retesting significantly: no more waiting for 30-page PDF reports!


PTaaS: more than a snapshot

Traditional penetration tests always provide a snapshot. They map out vulnerabilities and gaps in the security of the IT infrastructure at a particular point of time. However, the network, systems and applications are not static, but evolve – with increasing momentum at many companies. 

Penetration Testing as a Service offers advantages in this respect too, as it follows an approach of continuous monitoring. PTaaS combines manual tests with automated scans to search continuously for threats and vulnerabilities and then analyse these in depth. This makes it possible to identify and remove potential loopholes at any time, before attackers can exploit them. You can learn more about this in Outpost24's blog article "Can traditional pen testing keep up with modern AppSec? Ask the pen tester".


Outpost24 PTaaS for web apps

Outpost24's PTaaS solution combines the depth and precision of manual penetration tests with vulnerability scans to provide web applications with comprehensive protection, even when changes are made to the applications or new methods of attack are discovered. To avoid false positives, all the results are examined by experts.

Further advantages include: 

  • Manual testing by human analysts: a large team of testers has a variety of abilities and experience and ensures that your applications can be assessed from various perspectives.
  • Consistency and depth of the knowledge: consistent testing methods and reporting standards give you a deeper understanding of your applications' security situation.
  • Alignment with Agile and DevOps: SWAT fits seamlessly into Agile and DevOps environments and supports continuous integration and delivery.
  • Real-time insights and rapid response: real-time insights enable you to take immediate action when vulnerabilities are identified.
  • Scalability and flexibility: SWAT can be flexibly scaled to meet your requirements.
  • Cost-effective in the long term: by dispensing with the regular rotation of providers and the associated costs, the PTaaS solution provided by Outpost24 may be more cost-effective in the long run.

By combining the depth and precision of manual pen testing with continuous vulnerability scanning, Outpost24 helps businesses secure web applications at scale. For more information, reach out to one of Outpost24's experts.
