
Bugcrowd Launches Crowdsourced Pentest Service for MSPs, MSSPs

Bugcrowd is rolling out an MSP service that the cybersecurity vendor says will address the growing backlog of compliance-related penetration tests (pentests) in a world awash in software and a well-publicized talent gap.

Pentests are used by organizations to test the security of their systems and networks and play a central role in ensuring compliance with an expanding list of security standards and regulations. Crowdsourced pentesting is the industry’s best option, according to Jacques Lopez, vice president of global channel and alliances at the San Francisco-based company that specializes in crowdsourced cybersecurity.

“There is so much software today, and even more getting shipped,” Lopez told MSSP Alert. “While the profession leans heavily on automated testing, the need for expert-guided analysis follows that massive expansion. There just isn't enough in-house talent to possibly cover the testing, let alone available to satisfy regulatory and compliance required third-party penetration testing and validation.”

Specialized third-party pen-testing teams are loaded with work, which creates a continual backlog for focused teams to work through, he said. The channel also is affected by the problem, suffering long wait times to keep pen-testers busy or when demand peaks at different times of the year.

“The power of crowd-sourced delivery teams is the industry's best option for short-notice, expert review, coming from globally sourced and specialized experts unleashing their ingenuity on security reviews and penetration testing,” Lopez said.

More Cyberattacks Fueling Market Growth

The demand for pen-testing capabilities can be seen in the global market, which is expected to grow from $1.7 billion last year to $3.9 billion by 2029.

“Penetration testing has become crucial for organisational security,” UK cybersecurity services provider Cyphere wrote, noting that AI has become both a target of pentesting and a tool used for it. “With the rising sophistication of cyber attacks, businesses must proactively identify and address vulnerabilities before malicious actors can exploit them.”

Lopez said that the growing backlog and continuing struggle to find talent are a problem for companies of all sizes, from enterprises to SMBs. Any organization that ships software feels the constraints of available skilled experts to run pentests.

“This impacts not only the companies providing software and services, but the lack of bench time – non-billable utilization of these teams – hinders research, development, and innovation of their tooling and process enhancing their delivery,” he said. “The challenge of aligning the right people with the right skills at the right time impacts partners of all sizes who service either SMB customers, enterprise customers, or both.”

Crowdsourced Expertise Delivered

The new service for MSPs and MSSPs delivers the pentesting expertise of ethical hackers that they can then provide to their clients, according to Bugcrowd. The services include testing for networks, APIs, the web, mobile applications, and cloud configurations, and the program is managed by Bugcrowd, which ensures a consistent methodology.

The program also enables partners to launch pentests in as few as three business days to provide enterprises and SMBs the rapid response time needed for many compliance needs, and the speed also gives MSPs a faster time to revenue.

Expanding Focus on MSPs

The new pentesting service also represents an expansion of Bugcrowd’s efforts to grow its support of MSPs, MSSPs, and their clients, which also touch on vulnerability disclosure, attack surface management, red teaming, and bug bounties.

“This is precisely where Bugcrowd's partnership relationships are so complementary,” Lopez said. “Our crowd has specialized expertise in hardware, API, mobile, web, binary applications, and more available worldwide. The global crowd can shorten customer wait times to start those engagements, locate specialized niche experts, and take on projects they may not be able to staff in-house.”

Traditional pentests tend to be point-in-time assessments, he said. Bugcrowd’s pentest service is enhanced by the ongoing analysis of its managed bug bounties and backstopped by its vulnerability disclosure program, creating reports on issues that would otherwise be ignored by typical pentests.

“This is Bugcrowd's foray into servicing the MSP market at the most common inflection point – routine compliance-based pentesting for the most common situations,” Lopez said. “MSPs have the capability and support of Bugcrowd when customers have more complicated requests. These more bespoke Bugcrowd offerings include more robust pentesting, red teaming, bug bounty, or vulnerability disclosure programs.”

Bugcrowd said the new MSP pentest service is available now to a limited number of partners, with pricing based on a flat-rate model, though there are options depending on the scope of the pentesting needed.
