The Pentesting Matrix Decoding Traditional and Modern Approaches

This document discusses different approaches to penetration testing (pentesting), including traditional in-house pentesting versus modern pentesting-as-a-service (PTaaS) options. It outlines some key factors to consider like effectiveness, efficiency, and value when evaluating pentesting methods. The document also introduces HackerOne's attack resistance platform and trusted pentester team as an example of a PTaaS provider that aims to deliver the compliance and findings of skilled researchers while streamlining the pentesting process.


EBOOK

The Pentesting Matrix: Decoding Traditional and Modern Approaches

[Cover figure: HackerOne platform screenshots showing a "Pentest Progress" panel (test period, checklist completion, vulnerability report count, scope of 1 domain, 1 Android, 1 iOS) and a sample "EXCOM Penetration Test Summary Report" with Table 1 (severity of findings by asset), Table 3 (severity of findings by weakness, CWE) and Table 4 (findings relevant to excom.com).]
Contents

Introduction 03

Pentesting Objectives 04

Pentesting Options 05

Decoding the Characteristics of Modern Pentesting 08

Effectiveness 09

Efficiency 10

Value 11

The Power of Community-driven PTaaS 12

HackerOne Attack Resistance Platform for Best-in-Class PTaaS 13

HackerOne’s Trusted Pentester Team 15

PTaaS or Bug Bounty? 16

Ready to Rethink Your Traditional Pentest? 18

Appendix A: Pentesting Evaluation Matrix 19

Appendix B: Unlocking PTaaS Value at Zebra 21

The Pentesting Matrix: Decoding Traditional and Modern Approaches | 2


Introduction

Pentests are essential for software developers and deployers, ensuring compliance and verifying the security of new releases. Different pentest methodologies offer different benefits, and many of the more "traditional" methods seem redundant or are cumbersome to manage.

Modern pentesting approaches use freelance security researchers and advanced software platforms to streamline the process. However, with many vendors focusing on other core security products and services, it's important to make sure that the pentest offering you choose provides you both the compliance and verification you need and the findings you'd expect from skilled security researchers.

An ideal pentest not only assures security coverage but also uncovers critical vulnerabilities, assisting the engineering team in enhancing their security practices—without excessively consuming the customer's time, attention, or money.

Given the variety of models, vendors, and methodologies available, how do organizations pinpoint the ideal pentest for their needs? This eBook clarifies the diverse alternatives and guides security professionals in making informed choices to make the most of their investment and achieve the best results. We delve deep into the characteristics of various pentesting services and technologies, benchmarking them against three comparison categories:

Effectiveness
Effectiveness encompasses the method's ability to deliver reliable and precise findings, ensure coverage and reporting across all systems in scope, adhere to compliance standards, and use diverse tester talent for a well-rounded view.

Efficiency
Efficiency speaks to the operational aspects: the ease and speed of procuring the pentesting service, the real-time provision of results and analytics, continuous and clear communication throughout the process, and seamless software development life cycle (SDLC) integrations.

Value
Value dives into the return on investment (ROI), looking at the method's scalability, the tangible and intangible returns from the pentesting activities (ROI metrics), and its effectiveness in mitigating risks.


Pentesting Objectives

Organizations need pentesting that supports key business objectives. These begin with basic regulatory and compliance obligations, but ultimately encompass a wider range of security, risk reduction, and business needs.

The most common pentesting objectives include compliance, customer requirements, mergers and acquisitions, internal governance needs, and drivers for a secure SDLC.

Compliance
Every industry has compliance frameworks dictating security measures. Regulations like FedRAMP, NIST, and CISA mandate annual pentests. E-commerce follows PCI DSS, healthcare abides by HIPAA, while SaaS vendors use SOC 2 and ISO certifications. All of these frameworks incorporate regular security assessments.

Meeting customer requirements
Organizations often partner with entities maintaining high security standards. Even if auditors don't request pentests, customers may due to the interconnected risks of digital networks. Consequently, before finalizing deals, businesses increasingly seek recent security documentation like SOC 2 or 6-month-old pentest reports.

Mergers and acquisitions
Security assessments have become an integral part of the due diligence process for organizations acquiring others or being acquired. Pentests are a critical component of these audits, both as a point-in-time practice and as part of a continuous security testing program.

Internal governance
As businesses grow and mature, their internal stakeholders demand evidence of rigorous security practices. Ensuring regular pentests not only demonstrates a proactive stance on security but also strengthens trust with the board and audit committees.

Supporting software and product development
Organizations need more frequent and thorough pentests that deliver timely information to support rapid development cycles and allow collaboration between security and development teams. Ideally, organizations choose a combination of external pentesting and internal controls that supports existing development workflows (e.g., DevOps or CI/CD pipelines) and reliably delivers secure code to production.


Pentesting Options

There are many ways to assess software security, especially when it's nearing production. To help you navigate these options, we've broken down four key techniques in the upcoming sections. For each, you'll find a straightforward description, followed by our insights. This section focuses on pentesting, which is tailored for production-ready software, steering clear of early SDLC practices such as code scanners, peer reviews, and traditional QA.

Traditional Pentesting via Consultancies

Traditional consultancy pentesting refers to pentesting services delivered by professional service providers, primarily leveraging their in-house salaried pentesters or long-term contractors.

This alternative encompasses both expansive consulting firms offering a wide spectrum of pentest services, as well as niche boutiques that focus on specialized pentesting domains.

They generally follow a fixed schedule, spanning from one to two months, often with a preparatory phase of four to six weeks.

Pros:
- Helps organizations meet compliance mandates and qualify for liability insurance
- Ability to provide on-site testing
- Bundling with other services such as cyber risk advisory, offering a comprehensive security package

Cons:
- Often follows an "engage, execute, and exit" model with long gaps between assessments
- Limited collaboration between the pentesters and the customer's teams
- Findings delivered through static PDF reports, limiting real-time insights
- No dynamic platform—resulting in delays in vulnerability disclosure, extending potential exposure to threats


Traditional Pentesting as a Service (PTaaS)

Traditional PTaaS refers essentially to traditional pentesting with an added user interface.

Unlike traditional, ad-hoc pentesting, it offers continuous, on-demand testing capabilities.

This model primarily leverages in-house salaried pentesters or long-term contractors.

Many traditional pentesting firms will likely introduce software platforms in the near future, but this is merely a surface-level enhancement.

Pros:
- Structured methodology that aligns with certain regulatory or corporate governance requirements
- Provides a centralized platform for communication, feedback, and reporting
- Offers scalability options, as the platform can accommodate varying testing demands
- On-demand model promotes consistent and cost-efficient pentesting

Cons:
- May not be as agile or adaptive to emerging threats as community-driven models
- Reliance on a fixed team, resulting in possible missed vulnerabilities that diverse perspectives might catch
- Scheduling or resource constraints due to fixed staffing
- Potential integration challenges with newer security tools, due to potential platform rigidity

Community-driven Pentesting as a Service (PTaaS)

Community-driven PTaaS represents a modern evolution of pentesting, harnessing the collective expertise of a global community of vetted security researchers.

Using a SaaS delivery model, it provides immediate results and fosters enhanced communication, all powered by advanced platform capabilities.

This method not only adheres to regulatory mandates but also cultivates a collaborative relationship between security teams and pentesters, leading to comprehensive security assessments.

Pros:
- Seamless access to top-tier pentester expertise
- Rapid launch and efficient management of pentesting activities
- Addresses scheduling challenges inherent to traditional consultancies
- Empowers development teams to accelerate workflows via platform integrations

Cons:
- Requires stringent vetting standards to ensure that the broad scope of the community doesn't introduce variability in the quality of findings
- Less equipped to provide on-site testing compared to traditional methods
- Depending on the specific community-driven PTaaS model, may not provide the comprehensive bundled solutions that traditional consultancies often do, such as cyber risk advisory


Automated Pentesting

Automated pentesting, including autonomous approaches powered by generative AI (GenAI) algorithms and advanced machine learning models, uses predefined scripts or tools to systematically scan and assess systems for vulnerabilities based on recognized signatures or patterns.

This method rapidly identifies "known unknowns" and can be deployed frequently to ensure consistent security checks.

Pros:
- Provides always-on coverage at a very competitive price
- Rapid detection and reporting of "known" vulnerabilities
- Efficient for routine checks and recurrent vulnerabilities

Cons:
- Limited acceptance of test results by auditors and third-party risk teams
- Essentially revamped dynamic application security testing (DAST) with some GenAI elements—lacking the depth and intuition of a thorough human-driven pentest
- Typically more suited to assets of lesser business criticality, with high-value digital assets often requiring human-driven pentests
- High false positive rates that lead to significant hidden validation costs, negating initial savings—especially for large or complex attack surfaces


Decoding the Characteristics of Modern Pentesting

This comparative analysis includes the expertise of in-house subject-matter experts and HackerOne's vast experience—having managed thousands of public and private security programs to date. It focuses on the three categories outlined in the introduction: Effectiveness, Efficiency, and Value.

These criteria empower decision-makers to align their choice of pentesting approach with their overarching business, security, and technological objectives. As you interpret the analysis, remember to prioritize which of the three categories resonate most with your organization's specific objectives and consider how your preference might influence the success of your wider security strategy.

Ratings: High / Moderate / Low

Category       Characteristics                  Traditional Pentest  Traditional PTaaS  Community-driven PTaaS  Automated Pentest
Effectiveness  Depth & Relevance                Moderate             Moderate           High                    Low
               Report Delivery & Compliance     High                 High               High                    Low
               Talent Diversity                 Moderate             Moderate           High                    Low
               Coverage & Versatility           Moderate             Moderate           High                    Moderate
Efficiency     Streamlined Procurement          Low                  High               High                    High
               Real-time Results and Analytics  Low                  High               High                    High
               Communication                    Low                  Moderate           High                    Moderate
               Platform Integrations            Low                  Moderate           High                    High
               Retesting                        Low                  Moderate           High                    Moderate
Value          Scalability                      Moderate             Moderate           High                    High
               ROI Focus                        Low                  High               High                    Moderate
               Risk Reduction                   Moderate             Moderate           High                    Moderate
               Liability Assurance              Moderate             Moderate           Moderate                Low


Effectiveness

In pentesting, effectiveness measures the impact of the testing process and outcomes, guaranteeing that the tests yield meaningful, actionable, and relevant results. The elements addressed below underscore the depth, precision, and thorough nature of a modern pentesting alternative, ensuring a structured and methodology-driven assessment of an organization's security posture.

Depth & Relevance: Considers both the significance of vulnerabilities discovered and the potential impact, emphasizing quality over quantity.

Report Delivery & Compliance: Focuses on the clarity and actionability of the final test report while ensuring adherence to security compliance standards and regulations.

Talent Diversity: Reflects the diverse skills, qualifications, and testing methodologies of the pentester pool, emphasizing a mix of certifications, training, diverse testing approaches, and the capability to rotate across tests.

Coverage & Versatility: Demonstrates the thoroughness of the pentest across all critical components while highlighting the adaptability of the approach, incorporating techniques like bug bounties or source code reviews.

Traditional Pentest
Depth & Relevance (Moderate): Due to scheduling constraints and varying expertise, pentest outcomes can fluctuate. Depth and relevance depend on whether a highly skilled or less experienced pentester is assigned.
Report Delivery & Compliance (High): Structured reports highlight vulnerabilities and recommend fixes. Ensures alignment with regulatory and governance standards.
Talent Diversity (Moderate): Relies on the individual skills and expertise of the pentester. Varying availability of highly experienced or seasoned pentesters. Limited incentive for pentesters to stay continually up-to-date with emerging, niche threats and technologies.
Coverage & Versatility (Moderate): Comprehensive security assessment through established methodologies. The 9-to-5 employee structure results in a slower response to emerging threats. Limited adaptability to diverse testing scenarios and emerging threats.

Traditional PTaaS
Depth & Relevance (Moderate): Due to scheduling constraints and varying expertise, pentest outcomes can fluctuate. Depth and relevance depend on whether a highly skilled or less experienced pentester is assigned.
Report Delivery & Compliance (High): Dynamic reports with actionable insights. Ensures deep analysis and up-to-date compliance adherence.
Talent Diversity (Moderate): Relies on the individual skills and expertise of the pentester. Varying availability of highly experienced or seasoned pentesters. Limited incentive for pentesters to stay continually up-to-date with emerging, niche threats and technologies.
Coverage & Versatility (Moderate): Comprehensive security assessment through established methodologies. The 9-to-5 employee structure results in a slower response to emerging threats. Limited adaptability to diverse testing scenarios and emerging threats.

Community-driven PTaaS (Winner)
Depth & Relevance (High): Methodology-driven nature and systematic depth ensure quality results on a consistent basis. A healthy blend of expert pentester oversight and platform capabilities.
Report Delivery & Compliance (High): Dynamic reports with actionable insights. Ensures deep analysis and up-to-date compliance adherence.
Talent Diversity (High): Through a rotational approach, each test uses a diverse set of vetted global pentesters and in-house technical project managers.
Coverage & Versatility (High): Expansive security coverage, leveraging diverse expertise for in-depth assessments. Diverse talent adapts swiftly to evolving threats and testing scenarios.

Automated Pentest
Depth & Relevance (Low): Continuously scans for known vulnerabilities with a broad scope. Often misses novel or intricate issues that require human intuition.
Report Delivery & Compliance (Low): Reporting tends to be generic (worded by GenAI) and lacks human analysis. Effectively identifies known vulnerabilities by cross-referencing with vulnerability databases, but struggles to meet certain compliance types.
Talent Diversity (Low): While some human oversight and customization are offered, the primary focus is on automation. Predominantly platform-centric.
Coverage & Versatility (Moderate): Heavily relies on advanced automated tools for continuous scanning and vulnerability identification.


Efficiency

In the context of pentesting, efficiency is not just about meeting objectives—it's about doing so through coordinated, easily repeatable processes. Together, the components listed below assess whether the pentesting process, from procurement to results delivery, is streamlined, ensuring an integrated execution that optimizes both time and resources.

Streamlined Procurement: Refers to the ease and speed with which pentesting services can be procured, set up, and initiated, reducing administrative overhead and delays.

Real-time Results & Analytics: Focuses on the capability to provide immediate updates, insights, and results as the testing progresses—ensuring stakeholders are always informed and can make timely decisions.

Communication: Ensures proactive and real-time communication with the technical project manager overseeing the test and the testers throughout the process.

Platform Integrations: Highlights the ability of the pentesting solution to seamlessly integrate with SDLC technologies, ensuring a unified find-to-fix workflow.

Retesting: Refers to the process of reassessing previously identified vulnerabilities for effective remediation.

Traditional Pentest
Streamlined Procurement (Low): Time-intensive and project-based, initiating can take weeks to months due to tester availability. Post-kickoff, pentesters go silent. The value is concentrated at the end, with reports often archived after discussions.
Real-time Results & Analytics (Low): Establishing the severity of vulns can become a contentious process. Manual processes lead to delays in issue resolution.
Communication (Low): No collaboration or communication until the final debrief. Detailed feedback is provided solely in the final report. Follow-up on status is rare; testers usually do not see previous results.
Platform Integrations (Low): Real-time platform integrations are nonexistent. Lack of dynamic insights delays remediation during the testing phase.
Retesting (Low): During initial scoping, it's often challenging to predict retesting duration. There's usually no specific retesting window.

Traditional PTaaS
Streamlined Procurement (High): Faster setup and systematic approach compared to traditional methods, due to a combination of human expertise and platform capabilities.
Real-time Results & Analytics (High): Real-time results and analytics delivered via the dashboard. Platform capabilities and expert insights enhance understanding and taking action on findings.
Communication (Moderate): Offers a structured communication flow through platform features. Direct communication with the project manager might be limited.
Platform Integrations (Moderate): Offers a set of predefined integrations with SDLC tools. Might lag in accommodating newer technologies, requiring manual workarounds.
Retesting (Moderate): The platform facilitates the process. Tester availability results in delays.

Community-driven PTaaS (Winner)
Streamlined Procurement (High): Faster setup and systematic approach compared to traditional methods, due to a combination of human expertise and platform capabilities.
Real-time Results & Analytics (High): Real-time results and analytics delivered via the dashboard. Platform capabilities and expert insights enhance understanding and taking action on findings.
Communication (High): Real-time collaboration between technical project managers, testers, security, and development teams. Supported by chat capabilities and Slack integration.
Platform Integrations (High): Modern platform prioritizes integrations with prevalent security and IT tools. Promotes seamless SDLC workflows to accelerate remediation.
Retesting (High): The platform facilitates the process. Leveraging a community makes it typically faster to validate fixes.

Automated Pentest
Streamlined Procurement (High): Very rapid and continuous setup.
Real-time Results & Analytics (High): Provides real-time vulnerability alerts and analytics.
Communication (Moderate): While some human oversight and customization are offered, the primary focus is on automation.
Platform Integrations (High): Can be integrated with existing SDLC tools. Ensures automated workflows from detection to action.
Retesting (Moderate): Automation allows swift re-evaluation of vulnerabilities. The process typically lacks human insights.


Value

Security leaders are challenged to showcase the value of pentesting against its cost. In evaluating the following, keep in mind that the impact of each pentesting method varies based on its application, the caliber of expertise involved, and the precise goals underpinning the test objectives.

Scalability: Indicates the adaptability of the testing process to different scales, whether expanding for larger systems or being precise for specific areas.

ROI Focus: Measures the return on investment (ROI) derived from the pentesting process, highlighting the tangible and intangible benefits against the incurred costs.

Risk Reduction: Discerns whether the solution is geared toward meeting compliance and regulatory mandates, addressing proactive security needs, or both.

Liability Assurance: Addresses the potential legal and financial implications of security breaches and how the pentesting solution provides a safety net against such contingencies.

Traditional Pentest
Scalability (Moderate): Involves thorough, in-depth evaluations. Its scalability is challenged by less frequent continuous checks, or periodic checks.
ROI Focus (Low): Long-term costs are higher because of manual efforts and limitations in repeating pentests or integrating results. Reports lack the standardized metrics seen in platform-driven systems.
Risk Reduction (Moderate): Meets compliance mandates through a structured approach. May not address proactive security needs. Incentive to find innovative bugs is often overshadowed by delivering satisfactory reports in less time.
Liability Assurance (Moderate): In-house insured pentesters. Contracts often cap liability to the contract's value, with higher coverage being exceptional.

Traditional PTaaS
Scalability (Moderate): Activated on demand, providing scalable options tailored to an organization's depth requirements. Scalability challenges due to a limited bench of talent.
ROI Focus (High): Provides a balanced cost-to-value ratio through efficiency gained by use of a platform. Platform delivers detailed metrics, trend analytics, and benchmarks, simplifying ROI tracking.
Risk Reduction (Moderate): Primarily aligns with compliance and regulatory mandates. A more limited scope for proactive security needs.
Liability Assurance (Moderate): In-house insured pentesters. Contracts often cap liability to the contract's value, with higher coverage being exceptional.

Community-driven PTaaS (Winner)
Scalability (High): Activated on demand, providing scalable options tailored to an organization's depth requirements. Ensures flexibility and timely security assessments.
ROI Focus (High): Provides a balanced cost-to-value ratio through predictable SaaS pricing and continuous insights. Platform delivers detailed metrics, trend analytics, and benchmarks, simplifying ROI tracking.
Risk Reduction (High): Adeptly addresses both compliance mandates and proactive security needs. Diverse expertise and platform capabilities for holistic risk reduction.
Liability Assurance (Moderate): Limited liability assurance. Pentesters are background checked, identity-verified, and hand-selected but are not employees of the company.

Automated Pentest
Scalability (High): Easy to set up, scale, and automate periodic and continuous checks.
ROI Focus (Moderate): Heavily automated, these platforms shine in offering real-time metrics, KPIs, and benchmarks. False positives from automated systems demand manual reviews, diminishing ROI by consuming extra time and resources.
Risk Reduction (Moderate): Limitations in meeting compliance mandates. May not comprehensively address all proactive security needs, due to reliance on predefined scripts.
Liability Assurance (Low): Does not offer liability coverage for any direct, indirect, or consequential damage.


The Power of Community-driven PTaaS

When evaluating based on Effectiveness, Efficiency, and Value, community-driven PTaaS emerges as a standout solution. It's a flexible approach tailored to meet an organization's unique requirements, and is competitively priced. Community-driven PTaaS is the premier choice for comprehensive testing combined with in-depth analysis, all while ensuring a swift setup and completion of the assessment.

HackerOne Pentest combines the convenience of a centralized platform with the expertise of our pentester community to excel in all three evaluation areas. HackerOne's model is superior based on two fundamental differences: the HackerOne Attack Resistance platform and the vetted and trusted pentester team.

"Through 120 dedicated hours with 3 testers from HackerOne Pentest, we deepened our understanding of our attack surface and addressed 1 critical and 5 high-risk findings. This collaboration enabled us to secure our network and web applications more effectively."
Toan Ha
Application Security Engineer
Katalon Inc.

HackerOne Pentest Effectiveness

72% of HackerOne Pentest customers value HackerOne pentesters' ability to detect hard-to-spot vulnerabilities and discover unknowns within their attack surface.

18% of HackerOne Pentest findings are high or critical severity—which is nearly double the industry standard.

HackerOne Pentest Efficiency

4 days: New customers can initiate a new pentest in 4 business days.

4.4 days: HackerOne Pentest customers receive their first vulnerability report within 4.4 days on average.

86% of HackerOne Pentest customers receive their first vulnerability report in less than one week.

HackerOne Pentest Value

8,500+ vulnerabilities have been found via HackerOne Pentest in three years.

61% of HackerOne Pentest customers identify more vulnerabilities with HackerOne than with traditional pentest vendors.

HackerOne Pentest supports many compliance frameworks, so organizations can achieve compliance for multiple frameworks through one streamlined platform.


HackerOne Attack Resistance Platform for Best-in-Class PTaaS

HackerOne's Attack Resistance Platform delivers consistent results and analytics through a seamless SaaS-based solution, streamlining pentest initiation and execution. With dedicated support from experienced technical engagement managers (TEMs) and solution architects, our platform ensures compliance and coverage.

The platform's versatility is enhanced by extensive SDLC and GenAI integrations, as well as custom workflows, to identify vulnerabilities promptly and address them smartly. Customers can effortlessly transition between pentesting, bug bounty, vulnerability disclosure, and code review, fulfilling continuous, proactive security testing needs.

New customers can start a pentest within 4 business days, with returning customers enjoying a faster, tailored process. Initial reports are typically ready in under a week, and final reports follow within 3-5 business days, highlighting HackerOne's commitment to fast and effective security enhancement.

The expansive network of security experts ensures swift responsiveness to new technologies and emerging threats, such as GenAI model vulnerabilities and novel security challenges.

"HackerOne's pentest capability has helped us identify ways to strengthen our products by uncovering inconsistencies we may not have been alerted to previously."
Dallan Wagner
Senior Product Security Engineer

[Figure: HackerOne platform screenshots. The "Pentest Progress" panel ("See where you're at in your pentest") shows Test Period Mar 5, 2023 – Mar 20, 2023 (5d left), Checklist completion 78/168, 12 vulnerability reports, a "Complete test" action, status Completed May 18, 2023, and Scope: 1 domain, 1 Android, 1 iOS. The sample "EXCOM Penetration Test Summary Report" (January 13, 2023 – January 27, 2023, with Lead Pentester, Pentesters and Prepared By fields) contains the tables below.]

Table 1: Severity of findings by asset

Asset                 Critical  High  Medium  Low  None  Total
excom.com             –         1     3       2    –     6
api.excom.com         1         1     1       –    –     3
payments.excom.com    –         –     –       –    –     0
Total                 1         2     4       2    0     9

Table 3: Severity of findings by weakness (CWE)

Weakness (CWE)                        Critical  High  Medium  Low  None  Total
Cross-Site Scripting (XSS)            –         1     3       –    –     4
Server-Side Request Forgery (SSRF)    –         1     –       –    –     1
Cross-Site Request Forgery (CSRF)     –         –     –       1    –     1
Information Disclosure                –         –     1       –    –     1
Security Misconfiguration             –         –     –       1    –     1
Privilege Escalation                  1         –     –       –    –     1
Total                                 1         2     4       2    –     9

Table 4: Findings relevant to excom.com

Report ID  Title                                Severity (CVSS)  Weakness (CWE)
#171870    Stored wormable XSS in share widget  High (8.0)       Cross-Site Scripting (XSS)
#171872    Reflected XSS on profile page        Medium (4.3)     Cross-Site Scripting (XSS)
#171873    Reflected XSS in search bar          Medium (4.3)     Cross-Site Scripting (XSS)
#171875    Reflected XSS in login form (POST)   Medium (4.3)     Cross-Site Scripting (XSS)
#198328    CSRF in logout                       Low (2.1)        Cross-Site Request Forgery (CSRF)
#168325    Admin UI elements viewable           Low (2.1)        Security Misconfiguration


Streamlined Pentesting Process

Scoping (48 hours to 7 business days)
  Customer led: Create and save scoping drafts. Collaborate seamlessly with your team members. Tailor your pentest workflows using platform integrations, triggers, and APIs.
  HackerOne led: We evaluate your assets to accurately determine the needed pentest size. Receive a quote tailored to your specific pentest requirements.

Setup
  Customer led: Upon approval, quickly start pentest setup on HackerOne, addressing key questions.
  HackerOne led: With prepped assets and set pentester rewards, most tests can begin within days.

Pentest Kickoff and Staffing (30-minute call; up to 3 days staffing)
  Customer led: Select “Request to launch” in the platform.
  HackerOne led: A technical engagement manager (TEM) arranges a kickoff call to manage credentials and testing environment setup. The most qualified pentest team is staffed and automatically scheduled for a rapid start.

Testing and Real-Time Results (2 weeks testing; Slack updates every 3–5 days)
  Customer led: Remain updated throughout the testing phase. Expect consistent Slack updates from testers regardless of vulnerability detection.
  HackerOne led: Any detected vulnerabilities will be promptly displayed in your HackerOne platform inbox.

Reporting (final report in 3–5 business days after testing)
  Customer led: Shortly after testing concludes, you'll be notified. You can then securely download your comprehensive report via the HackerOne platform.
  HackerOne led: Your dedicated TEM offers a debrief call post-testing. Discuss findings and potential remediation steps during the call.

Remediation (30–90 days for retesting)
  Customer led: Use the final report to address identified vulnerabilities. Locate the relevant ticket in your HackerOne inbox and initiate a retest through the action bar.

Repeat (ongoing)
  Customer led: Easily integrate test findings into your continuous security testing programs. Utilize the cloning feature to duplicate pentests; minimize manual entries. Examine results on your dashboards to strategically plan your next pentest.
  HackerOne led: TEMs assist customers in optimizing and improving long-term pentesting programs.



What Sets HackerOne’s Pentesters Apart

HackerOne’s Trusted Pentester Team

HackerOne pentesters are an elite subset of the ethical hacking community—hand-selected and professionally vetted by HackerOne. As part of the vetting process, we evaluate the pentesters’ professional experience and performance on existing HackerOne security testing programs, and take their certifications into account, including OSCP, OSCE, OSWE, and CREST.

HackerOne’s community offers boundless capacity—skilled security researchers are available at all times and introduce a dynamic rotation of skill sets with each test. Owing to this structure, the HackerOne platform delivers insights of consistently superior quality compared to other pentesting methods and vendors.

HackerOne's pentesters are meticulously chosen from the ethical hacking community. Only those displaying exceptional skill, outstanding productivity, and impeccable conduct move forward to levels qualified for participation in HackerOne's PTaaS programs. This elite group comprises less than 10% of those registered on the platform, representing the pinnacle of global security testing expertise.

Key figures*:
  8500+ vulnerabilities uncovered by the pentesters in the last 3 years.
  11 valid vulnerabilities are reported on average, per pentest.
  +50% of our pentests unveil at least 1 vulnerability within first 3 days.
  74% possess 5+ years of industry expertise.
  +70% of our customers value pentesters’ abilities in finding elusive vulnerabilities.

Pentesting and Industry Experience*:
  3 years: 8.3%
  3-5 years: 19%
  5-10 years: 22.3%
  Over 10 years: 50.4%

Meet Some of Our Top Pentesters
  Leandro (none_of_the_above)
  Miguel Regala (fisher)
  Trev (SoWhatSec)
  Leonel (delisyd)
  Joel (niemand_sec)
  Rodrigo (rororodrigo)

*Source: Analysis of statistics captured from the HackerOne platform.



PTaaS or Bug Bounty?

Do community-driven pentests and bug bounties serve the same purpose or complement each other? While both approaches engage security researcher communities, their outcomes are distinct. A holistic security assessment involves a blend of both.

Bug bounty programs yield superior results over time due to a stochastic model, making them an optimal choice for organizations striving for comprehensive, ongoing testing that encompasses a diverse set of security researchers. The long-term value of this approach is evident in the lower average cost per discovered vulnerability, as well as leading global companies’ commitment (like Google, Microsoft, and Facebook) to long-running bug bounty programs.

In contrast, pentests deliver immediate results through a select group of security researchers. These experts, compensated for their skill sets and backgrounds, meticulously follow specific checklists to ensure comprehensive testing. Organizations that need immediate results for compliance or commitments to stakeholders tend to gravitate toward pentests. Events like the release of a new product or a recent acquisition also catalyze the demand for such tests.

For comprehensive security testing of production applications, organizations should implement a wide-ranging bug bounty program and supplement it with targeted pentests where testing assurance is required.

What Is a Bug Bounty Program?

Bug bounty programs incentivize ethical hackers via bug bounties: monetary rewards for successfully discovering and reporting vulnerabilities or bugs to the application's developer. These programs allow organizations to access the ethical hacking and security researcher community to continuously improve their systems' security posture. Bounties complement existing security controls and pentesting by exposing vulnerabilities that automated scanners might miss and incentivizing security researchers to emulate potential bad-actor exploits.

Together, bounties and pentesting strike a balance between continuous, proactive vulnerability discovery and in-depth, time-bound testing.

[Diagram: Hacker locates vulnerability]



The Shared Benefits of Bug Bounties and PTaaS with HackerOne

Whether you start with a pentest or implement a bug bounty from HackerOne simultaneously for more holistic coverage, certain benefits remain consistent across both program types. Both draw from a vast pool of ethical hackers, ensuring the best experts for the task. Some researchers exclusively focus on bug bounties, carefully vetted researchers focus on pentests, and the best researchers often engage in both. Both methods utilize HackerOne's Attack Resistance Platform (delivered as SaaS), guaranteeing real-time results and advanced analytics. The vulnerabilities identified through both methods integrate seamlessly into your workflow and other systems.

For customers interested in a time-restricted bug bounty program, we offer a product called HackerOne Challenge, similar to a bug bounty but limited to a duration of 2–6 weeks.

 | Bug Bounty | PTaaS
Purpose | Comprehensive, ongoing testing to ensure proactive security | Targeted, often-immediate need to ensure compliance and proactive security
Approach | Stochastic model, continuous | Methodology-driven, time-bound
Results | Superior over time | Predictable and immediate
Incentives | Paid for results, highly competitive among security researchers | Paid for effort, no competition among pentesters
Duration | Ongoing, continuous | Point in time, often repeated at regular intervals



Ready to Rethink Your Traditional Pentest?

HackerOne Pentest transcends routine compliance checks, delivering in-depth insights, efficiency, and actionable results tailored to your business and security needs. Tell us about your pentesting requirements, and one of our experts will contact you.

[Screenshot: SOC II Pentest (March 2023). Mar 5, 2023 – Mar 20, 2023; Due Mar 20, 2023; Mar 20, 2023 – May 18, 2023; May 18, 2023.]

Visit the HackerOne Pentest web page for more information and how to get started. Watch a demo to see how HackerOne redefines pentesting.



Appendix A: Pentesting Evaluation Matrix

Use this checklist to evaluate each of the four security testing options presented in this eBook: traditional pentesting, traditional Pentesting as a Service (PTaaS), community-driven PTaaS, and automated pentesting. Security leaders can use this checklist to determine whether their focus is on effectiveness, efficiency, or value, then decide on the most suitable path for their organization's needs.

Effectiveness

Quality of Findings
- How deep does the analysis go? Does it uncover both surface-level and deep-rooted vulnerabilities?
- Are the findings actionable, significant, and provided with context?
- Beyond identifying vulnerabilities, does the approach offer insights on potential business impact?

Human-centric vs. Platform-centric
- How well does the approach balance human expertise and platform capabilities?
- How intuitive is the platform or interface for managing pentests?

Coverage Proof
- Does the method demonstrate comprehensive testing across all essential components and systems?
- Is there a capability for continuous testing or periodic checks?

Talent
- How does the approach ensure the expertise and qualifications of its pentesters?
- Are the pentesters well-versed in the latest threats and technologies?
- Does the approach incorporate a diversified set of skills and experiences from its talent pool?
- How is talent vetted, and what ongoing training or certification is expected?



Efficiency

Performance
- How long does it take to scope and launch a pentest?
- How quickly after initiation is the first set of findings received?
- How much manual oversight is required? Is the process streamlined?
- How easy is it to adjust or expand the scope of testing?

Customer Support & Expertise
- How accessible is the customer support/success team during the pentest process?
- Is there a dedicated point of contact or technical engagement manager (TEM) assigned to guide you through the entire engagement?
- What qualifications and certifications does the TEM hold?
- How many years of experience does the TEM have in overseeing pentests?
- How quickly does the support team respond to queries or concerns?
- Are post-engagement support services offered, such as guidance on vulnerability remediation?
- What channels are available for support communication (e.g., Slack, email, chat, phone)?
- How experienced is the support team in handling unique or complex issues?

Feedback & Integrations
- How seamlessly does the method integrate with existing systems, tools, and workflows?
- Are prebuilt integrations or APIs available?
- Is the feedback actionable and accompanied by clear remediation steps?
- Is there real-time collaboration and reporting between teams and pentesters?

Retesting
- How easy is it to initiate a retest, especially after remediation?
- Is retesting included as part of the pentest?

Value

Scalability
- Is there a capability for continuous testing or periodic checks?
- Can the frequency of these checks be adjusted based on organizational risk appetite and change rate?
- Can the testing scale based on the application's size and complexity?

Pentesting ROI
- How does the cost of the service compare with the perceived value and results delivered?
- Are metrics and benchmarks provided to quantify the pentest's impact?
- Is there an automated way to measure the improvement in security posture over time through repeated testing?
- Are the insights provided substantial enough to inform broader security and IT strategy beyond immediate vulnerabilities or compliance needs?

Risk Reduction
- How effectively does the solution mitigate compliance-driven risks?
- Is there a balance between meeting compliance mandates and proactively addressing technical vulnerabilities?

Liability Assurance
- Does the solution offer any guarantees or assurances against breaches?
- How is liability distributed between the service provider and the organization?



Appendix B: Unlocking PTaaS Value and More

CASE STUDY

As a world leader in digital products, solutions, and software, with over 10,000 partners across 100 countries, Zebra Technologies empowers its customers (including 86% of the Fortune 500) with a broad portfolio offering and regularly launches new products through organic innovation and acquisitions.

With a business transformation in full swing, Zebra needed to double down on its security approach. Each new product or acquisition increased the potential for unknown assets that could cause gaps, making them more vulnerable to breaches and security risks. Traditional pentesting provided some coverage, but the tests took time to spin up and were costly. Seeking a better solution, Zebra reached out to a leading research firm, which recommended HackerOne. A rapid proof of concept provided impressive results, fueling internal decision makers’ interest and trust in the value of a vetted ethical hacker community combined with PTaaS.

Read the full Zebra + HackerOne story.

“From the workflows that make life easier to the speed of our pentests and the quality of our product development—all these benefits have led to accolades from the executive team, developers, and customers.”
Dr. Jasyn Voshell, Dir. of Product and Solution Security, Zebra

Challenge: Traditional Pentests
- Slow, traditional pentesting with insufficient reports led to gaps in testing the attack surface.
- Security was not included early enough in development, leading to developers working separately from security.
- No formal process was in place for reporting vulnerabilities, exposing the company to more risk.

Solution: HackerOne Pentest via PTaaS
- A collaborative partner that works closely with Zebra to keep its attack surface covered.
- The ability to spin up rapid pentests with findings that go beyond traditional scanners.
- On-demand reports and feedback that help Zebra drive root causes back into the SDLC.

Results: A Scalable, Security-First Mindset
- Customer, partner, and key stakeholders’ trust has increased.
- Pentests give them visibility into findings in real time, allowing them to fix and retest while the test is ongoing.
- Teams can immediately plan efforts to remediate any weak spots.
- Speed and security of delivery practices support revenue and lower risk.

“HackerOne can stand up our pentests three to five times faster than traditional firms.”
Dr. Jasyn Voshell, Dir. of Product and Solution Security, Zebra



HackerOne pinpoints the most critical security flaws across an organization’s
attack surface with continual adversarial testing to outmatch cybercriminals.
HackerOne’s Attack Resistance Platform blends the security expertise of
ethical hackers with asset discovery, continuous assessment, and process
enhancement to reduce threat exposure and empower organizations to
transform their businesses with confidence. In 2021, HackerOne was named a
‘brand that matters’ by Fast Company.


Book a meeting with a security expert and scope your pentest today.

Contact Us
