On Fractional Testing
What if you didn’t need to purchase a pentest to get access to pentesting talent?
It seems like a silly question, but unless you have an in-house bench of security professionals who can perform ad-hoc testing, there is no other mainstream way to quickly get access to a single security professional for a designated amount of time or effort.
This was a theme that kept popping up as I talked to people in Las Vegas during Black Hat last month. I’d tell them about what DarkHorse offered at the time (bug bounty, PTaaS, VDPs), and they’d light up when asking “with this PTaaS thing, could I get access to a pentester or security professional for x hours to do just this one thing for me?” I’d let them know that was technically possible due to the flexibility of the platform, but since PTaaS is expressly designed to streamline the delivery of pentests, there wasn’t any specific functionality for what they were describing.
Later, as I explained the DarkHorse platform to a CISO friend and he asked questions about its capabilities, it finally clicked that a lot of organizations want pentesting, but don’t necessarily want a pentest. He (and many other security leaders I spoke with) has ideas about where there is risk to the business, but doesn’t necessarily want to deploy a full-on pentest in all those places. They want something quick, efficient, and precise – a scalpel; not a large and unwieldy chainsaw (however effective a chainsaw might be, in the right contexts).
To be clear: pentests can be those things – but that’s not how they typically manifest in the market today. Easily buying a few hours of time from a consultancy isn’t something that’s currently available, because of minimum engagement sizes and/or onerous purchasing processes. More than a few security leaders reflected that they currently have to spend ludicrous amounts of money to get something that even slightly resembles what fractional pentesting can offer.
Part of the benefit of what DarkHorse offers is access to these solutions. However, another significant benefit to organizations is the ability to redeploy savings elsewhere. Instead of spending tens or hundreds of thousands of dollars on this use case, they can now spend a fraction of that, and then put the rest of the money to work securing their organization in other, equally critical ways. It’s not just about cost savings and providing a better, cheaper mousetrap. It’s also about what those savings enable organizations to do. This, to me, is extremely exciting.
A second benefit of fractional testing is that it opens up brand new opportunities to a significant part of the security community that has historically been left behind by bug bounties.
I’ll explain…
Rather than simply re-purposing the bug bounty community (as is often done with PTaaS), with fractional pentests the available cohort of participants opens up significantly. There’s no shortage of highly qualified security professionals who have tried bug bounties but, for one reason or another, didn’t continue. Usually, the choice not to continue has to do with the unpredictability of making money via bounties: one could hunt for 8 hours one day and come up with nothing but duplicates, and on another random day land a huge payday. The lumpy and uncertain nature of bounties is a problem for many individuals who need predictability. Furthermore, with bug bounties one usually has to cut their teeth on public programs with very little unpicked fruit; even if a valid issue is identified, there’s always the risk of it being a duplicate; and even if it’s valid and accepted, there’s no guarantee of payment, or of the timeline for that payment, and so on.
For all those highly qualified individuals, fractional pentesting is a new alternative that provides stability on the payment side of things, while also offering opportunities that can be significantly shorter than a full pentest, allowing more of this previously disenfranchised group to partake and creating a larger, more diverse pool of qualified candidates to choose from! As far as I can tell, this is a significant win for everyone involved!
After realizing the above via conversations with security leaders, it became clear to me that fractional testing is (1) something that organizations and security leaders need; and (2) something DarkHorse is uniquely positioned to deliver at scale.
I started modeling what this could look like as a product, and sketched out an initial design: clients come in and define the hours of effort they want invested, the testing window, the methodology, and the final artifact (attestation, proof of work, etc.). From there, the platform provides ~5 qualified testers who bid on the work (putting power and agency in the hands of both the organization and the tester!). The client selects their chosen bid, the work takes place, and that’s it!
From that point forward, when I presented the idea of fractional pentesting to the people I talked to, it was met with near-universal interest: pentesting on their terms – how they want it, when they want it, and where they want it. It just makes intuitive sense.
And so I built it.
As one more simple, yet critical, modification, I wanted these fractional engagements to be able to sit on top of (or inside) any other existing engagement, such as a bug bounty. So, with DarkHorse, one can have a bug bounty and then, without needing a separate program, also have a fractional pentest (or twenty) for any areas of focus they want tested directly, further extending the usefulness and applicability of the fractional pentest concept.
Oh yeah. And when setting up your fractional test, one can define a completely customizable methodology and track its completion in real time. Completely customizable. I don’t want to overstate things, but I feel this feature alone is fairly game-changing (but we’ll talk more on checklists / methodologies in a future post).
Note: you may notice that I switch between “fractional testing” and “fractional pentesting”. That’s because a further extension of this concept (viable in the platform as-is) is that one could leverage this feature beyond pentesting to purchase consulting or any other type of security expertise. If you just need someone to educate your dev team on why SQLi is bad and how to avoid it, that is also absolutely a valid use case for fractional testing: input those requirements, bids come in, the work (regardless of its form) takes place, and that’s it. There are no edges to how far this can go, and that’s part of what makes it so exciting!
So, that’s what’s now in the DarkHorse platform: the ability to set up a fully customizable, effort-based, ad-hoc pentesting engagement within minutes. It’s live and active right now, and you can watch a video that shows just how easy it is at https://darkhorse.sh/fractionalTesting. I can’t really overstate how excited I am to launch this, and I really do believe this has the power to be significantly transformative for organizations of all natures and sizes. I can’t wait to see where it goes. Let’s ride.