DarkHorse - Breaches Are Expensive; DarkHorse Isn't. Fractional Testing.

Fractional Pentesting

Pentesting (or any security testing), On Your Terms.

Fractional Testing / Pentesting provides access to cybersecurity talent how, when, and where you need it.
What if pentesting was flexible and simple?

The first-of-its-kind: Fractional Pentesting.

Flexibility
Test for as little as two hours

Consultative approaches require days of effort; with fractional testing, you can get just the amount of testing you need.

On-demand
Get access to talent within hours, not weeks

Move at the speed of you. Input your parameters, and we'll invite qualified persons to apply. Pay with a credit card, and be on your way!

Control
Select the tester you want; not just whoever is assigned

Another first-of-its-kind innovation: we let you choose your tester from a range of applicants, giving you more control over spend, qualifications, and more!

Tailored
Define the methodology and desired outcomes

Because we let you define what you need, you're able to state exactly what you want the tester to do.

Fractional access to talent is everywhere...

For nearly any role where you need senior or expert-level expertise, but don’t have enough work or budget to employ a full time person in that role, a fractional option exists.

But what about for pentesting?

What if you need rapid access to pentest talent and expertise, but don’t want or need a full penetration test?

Say, for instance, your organization just built a new feature, and you want to make sure it’s secure before it goes live. However, that one feature is the only thing that changed - you don’t have the resources available to test it internally, but also don’t need a full pentest. Sure, you could throw a scanner at it, but even with advances in AI and machine learning, there’s no replacement for human eyes and ingenuity when it comes to thorough and effective testing.

In today’s market, you’d largely be out of luck.

If you’re purchasing from a consultancy, there’s no easy way to quickly get just four hours of a tester’s time and attention. There are a few reasons for this:

  1. Consultancies operate with an internal bench of pentesters, where it’s imperative that every hour of every day for every tester on the bench be billable. Any time that’s not billable is effectively a liability for the organization. Sure, they can allocate testers to QA or other activities, but a pentester inside a consultancy is most valuable when they’re… making money.
  2. For this reason, the bench at a consultancy is going to be booked out weeks to months in advance, making it very hard to get rapid access to testers. And there’s no guarantee that the next available tester will be the best fit for your specific need.
  3. Additionally, it’s rare to be able to book just a part of a tester’s day or week. Booking only four hours of a tester’s day leaves a gap in the rest of their day that they’re unlikely to have filled up, resulting in more un-billable hours. The same goes for something that disrupts a full week of testing, etc.

In our scenario outlined above, most pentest vendors would likely offer one of the following options - both of which would require days-to-weeks of negotiation and calls to get the engagement set up, let alone completed:

  1. A full pentest.
  2. Multiple days of testing effort.

It’s simply neither profitable nor efficient for them to offer you just the four hours of testing. Of course, the logic they’d provide would sound solid - they’d probably say something to the effect of “you don’t know what else this may have broken downstream” - which is a completely valid perspective and something to consider. And if you don’t have exact visibility into the code that’s being pushed, there’s always a probability that adding this feature may also add a bug elsewhere. So as with any scope, it’s essential that you understand the full breadth of what needs to be tested, and why.

That said, even if you insist that you know that only this one thing needs to be tested, you’re still unlikely to get rapid, short-term access to a pentester.

Long story short: the current pentest provider market isn’t really set up to solve for more agile development and pentesting needs.

Enter fractional pentesting.

Fractional pentesting is where you can get exactly the pentesting talent you need, when you need it, to the degree you need it. At a price point that won’t blow your budget in the process.

No more waiting weeks-to-months to get a feature tested. You can get it tested rapidly, efficiently, and affordably.

How?

The process is remarkably simple:

  1. You define your requirements (need X to test Y for Z with ABC as an artifact) via the onboarding flow - without ever having to talk to a sales rep.
  2. You can either specify how much time you want to see the tester test for, or a recommendation can be made around how long it’d generally take to perform that testing.
  3. The job goes out to 3-5 qualified testers, who then place bids on the work, along with any useful / relevant information (availability, hourly price, background, etc).
  4. These testers are vetted members of the security testing community that commonly work pentest jobs as their 9-5, and then moonlight with fractional tests.
  5. The work takes place quickly, affordably, and efficiently. You can track the progress in the platform, and see results in real-time.
  6. The client (you) then chooses the bid you want to accept.
  7. Any relevant artifacts are delivered, and the job is done within a matter of days. All without having to talk to anyone along the way.

What used to be unavailable is now available.

What used to be slow and cumbersome is now quick and easy.

What used to cost a lot now costs a whole lot less.

All of this also means that you’re able to more efficiently and quickly secure your organization.

Fractional testing puts you in control of what you need, when you need it, at a price that isn’t extortionate.

And that’s the whole goal and point of DarkHorse anyways - to provide accessible and affordable cybersecurity to organizations of all sizes, budgets, and needs.

So, the next time you need someone to test for anywhere from two hours to ten days, you now know that there’s a better option out there.

*As a quick note, it’s essential that we also call out that fractional pentesting is not a replacement for pentesting as a whole. You do still need quarterly pentests and security assessments - but for features and small pushes in between, fractional pentesting is an invaluable tool that can save you time, money, and frustration.

Frequently asked questions about fractional testing

FAQs

Fractional testing (or pentesting) is a novel way to get access to penetration testing resources for as much or as little time as is needed - free from the typical constraints associated with a full or comprehensive penetration test.

Historically, if one wanted penetration testing, they had to buy a pentest. With the introduction of fractional pentesting, that now changes. With fractional pentesting you can quickly and effectively get access to top-tier penetration testers without needing to purchase a bulky, over-sized (and often over-priced) penetration testing contract. You can set up a fractional pentest engagement within minutes, and have bids from qualified testers ready to start testing within days.

True to DarkHorse's mission to democratize crowdsourced and offensive security, we're making this as affordable and as easy to use as possible. Despite being the first-to-market with this approach, we're still going to keep this as affordable and accessible as we can.

A slice of cake is still "cake", but it is not a whole cake; the same is true of fractional pentesting.

Fractional pentesting is 100% pentesting, but it is not a full pentest.

Say you have a fairly clean house, but your kitchen needs a deep clean. Rather than having to pay a house cleaner to spend time cleaning the whole house, what if you could have them just clean your kitchen? You're not getting a fully cleaned house, but you are getting what you want, where you need it the most. This is what fractional pentesting enables... the ability for you to choose where and how you want testing to happen. If you want a full / deep clean, we can absolutely service that via our standard penetration testing services, but the key feature here is that it's 100% up to you!

That depends. Only you know what is needed - if your auditor requires a full penetration test, then you need a full penetration test, and not fractional pentesting. However, if your auditor just wants to see proof that a specific thing was tested for a certain amount of time, then it will likely pass - but again, we cannot make any guarantees in this respect. It is your responsibility to know what the auditor wants/needs, and then based on those wants/needs, we can recommend the right product fit for you.

We have a Loom above that goes through the whole process. However, we can cover it in text here as well:

  1. You set up a fractional pentest engagement in the platform in minutes. This includes collecting your scope, goals, artifact requirements, notes, the number of hours of effort you need, methodology, and any desired tester qualifications. NOTE: this can also be layered on top of an existing bug bounty or vulnerability disclosure program!
  2. After you complete the setup process, we immediately go out and select ~5 qualified testers, based on your qualification criteria. These testers have until your defined deadline to submit their bids (along with their justification around why they should be selected).
  3. After bids have been submitted, you review the bids, select the one you want, and then the tester performs the specified amount and scope of work within the testing window, and that's that! Depending on your artifact requirements, they'll also provide any necessary artifacts.
  4. No more steps. If it sounds simple, that's because it is. As it should be.

A lot less than a full pentest, and a lot-lot-lot less than getting a pentest from a consultancy or similar. The exact amounts are determined by the testers themselves, and the associated requirements (skills, target type, testing type, artifact output, etc). We try to provide a diverse range of options, so that you're able to choose from a wide range of skill levels and costs.

Watch the Loom below to learn just how easy it is to get started with fractional pentesting.