Event
Join cybersecurity experts from Slack, Riot Games, EY and more at our upcoming roadshow. 

PtaaS vs. Bug Bounty: Unpacking Gartner’s Hype Cycle for Security Operations 2022

In the latest Hype Cycle for Security Operations, Gartner lists Pentesting as a Service (PtaaS) as an emerging technology that helps businesses strategically mitigate risk and run effective security programs. Gartner also names Cobalt as a representative PtaaS vendor, and touches on a topic we at Cobalt are well acquainted with: the line between bug bounty and PtaaS, which can, at times, seem fuzzy. 

To quote Gartner, there is “confusion between PTaaS and bug bounty programs, as many bug bounty vendors also now offer PTaaS.” 

So what is the difference? (For now, let’s ignore the glaring topic of how to capitalize the acronym, which Cobalt and Gartner must agree to disagree on.)

PtaaS itself is a seismic improvement in security testing. PtaaS builds on – and modernizes – the old-school consultancy model in several significant ways. Cobalt Chief Strategy Officer Caroline Wong wrote a whole book on what PtaaS is and how it can unlock more value than traditional methods, aptly called The PtaaS Book. In it, she summarizes the key components of PtaaS with the following diagram: 

Column A: PtaaS

Column B: Not PtaaS

Manual testing by humans

Automated testing by machines 

Cloud based

On prem

Remote delivery

Onsite delivery 

Standardized pentesting; scalable

Hourly prices or customer project bides

Technology improves collaboration between pentesters, developers, and security teams

Little to no technology for workflows or collaboration

Tests can start in 48 hours or less

Tests start in one week or more

Real-time consumable results and reporting

Static results and reporting, e.g. PDF

Analytics and consolidated insights from pentest data over time

No analytics, or analytics only with data from a single pentest 

Integrations automate data transfers between tables

Manual data transfers to other software tools 

This table differentiates PtaaS from other pentesting methods, not just bug bounty, so now let’s look at bug bounty specifically. Bug bounty is an open-ended program in which any security professional or hacker can search for vulnerabilities in an application or asset. The customer pays testers based on the perceived ‘quality’ of each finding, i.e., the level of risk it poses. 

Let’s double click on a few of the points from Column A to emphasize their importance in the “PtaaS vs. Bug Bounty” distinction: 

  • Technology integrations are pivotal because they enable scale. The use of a SaaS product throughout the test offers a better way to do … just about everything. That includes managing data across workflows via technology integrations that empower teams with tools to automate repetitive tasks, analyze vulnerabilities holistically, and (get out your security bingo cards, folks!) truly shift left. Because no developer appreciates getting a PDF thrown at them. 

  • Human testers acting collaboratively. These individuals are, in the case of Cobalt, highly vetted and extremely specialized members of the Cobalt Core, a closed community with a high bar for entry and a very limited acceptance rate. Core members work on teams, and they communicate and collaborate throughout the pentest with each other as well as client stakeholders to ensure a successful client engagement. This differs from the competitive aspect that fuels bug bounty programs. 

While not without its merits, bug bounty offers sparse coverage because it’s only focused on vulnerabilities that are incentivized, i.e. high criticality. Researchers often vary in quality. Moreover, the spirit of bug bounty is competition, whereas PtaaS engenders collaboration and teamwork in order to best serve the customer during the engagement. 

Some vendors offer both: bug bounty and PtaaS. More often, what we see at Cobalt are technology companies jumping on the PtaaS bandwagon, hoping to capitalize on its rising popularity. In their attempts to grab market share, they label a solution as “PtaaS” when it isn’t that at all. 

Since Cobalt’s inception in 2013, we’ve seen an explosion in the level of discourse around PtaaS, both from infosec teams as well as from their developer colleagues. Now, analysts and press are following suit and adding their voices to the mix. 

There’s a growing desire from all sides to hear real-world success stories from security leaders who have harnessed the power of PtaaS and put it to work for their business. Regardless of size or maturity level, every company stands to gain from this modern approach to pentesting

The recent groundswell has spurred Cobalt to launch a 6-city roadshow series this fall, PtaaS Exchange, which will unite infosec practitioners and developers, offer a forum for collaboration and knowledge exchange, and answer the question, “What can PtaaS do for me?” We hope you’ll join us for some conversation, learning, and maybe even a couple of cocktails.

Back to Blog
About Lauren Taylor
Lauren Taylor is the Director of Product Marketing at Cobalt. She has 12+ years of experience in the technology space and 5+ years of experience in cybersecurity. Her team is focused on providing the creative and analytical horsepower to successfully take new products and services to market. Some of her areas of expertise include pricing and packaging, customer research, and overall company strategy to help propel Cobalt’s PtaaS offering forward. Prior to joining Cobalt, Lauren was the Head of Marketing for the Security Orchestration and Automation portfolio at Rapid7. More By Lauren Taylor