Penetration Testing as a Service (PTaaS): A Practical Buyer Guide

The traditional pentest model has not kept up with how software is built. Annual fixed-scope engagements that produce a PDF weeks after testing ends do not match the cadence of teams shipping daily. Penetration Testing as a Service (PTaaS) is the response: human-led testing delivered through a platform that supports live findings, retests, remediation tracking, and continuous engagement. This guide explains what PTaaS actually is (and is not), how to evaluate providers, how it fits alongside vulnerability management and structured pentesting methodology, and what to expect from a modern engagement.

What PTaaS Actually Is

PTaaS combines two things: human-led penetration testing and a software platform that delivers the results. The testing itself is unchanged at its core. Qualified testers still scope an environment, perform reconnaissance, exploit vulnerabilities under controlled conditions, and document what they find. What changes is everything around the testing: scoping, scheduling, communication, finding delivery, retests, and remediation tracking are all handled in a portal that both client and tester can see.

The shift mirrors what happened to other professional services. Legal work, design work, and tax preparation are increasingly delivered through portals because clients want transparency, not surprises. A modern security buyer expects the same.

The label PTaaS is not standardised. Different vendors use it to mean very different things. Some run mostly automated scanning behind a marketing layer. Others deliver traditional pentests with a portal bolted on. The most useful definition centres on the outcome for the buyer: human-led testing, delivered through a platform, with continuous access to findings, communication, and retests.

PTaaS, Traditional Pentests, and Vulnerability Scanning

Buyers often compare these three options when they should be combined. Each addresses a different problem, and a mature security programme uses all three.

Vulnerability scanning

Automated, signature-based, fast, and broad. Catches known issues across many assets cheaply. Cannot chain logic flaws or reason about authorisation. Best run continuously. See how to run an external scan and authenticated vs unauthenticated scanning.

Traditional pentest

Human-led, fixed-scope, time-boxed, ends with a PDF report. Suitable for annual compliance, point-in-time validation, or one-off assessments. Communication is episodic and remediation tracking happens off-platform.

PTaaS

Human-led testing delivered through a platform. Findings appear live, communication is continuous, retests are baked in, and remediation status persists between assessments. Often subscription-based with recurring tests. Best fit for teams shipping frequently or running a structured AppSec programme.

For a fuller comparison of when to bring in a red team instead, see red team vs penetration testing.

What a PTaaS Engagement Looks Like

A typical engagement runs in five phases. Each phase produces visible artefacts in the portal so the client always knows where the work stands.

1. Scoping and onboarding

Define targets, environments, credentials, testing windows, contacts, and rules of engagement. Domain ownership is verified for any external testing. Stored credentials for authenticated testing should be encrypted at rest. SecPortal uses AES-256-GCM for stored scan credentials and supports DNS or meta tag domain verification before any external work begins. See domain verification for responsible scanning.
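The encryption-at-rest requirement above is worth seeing in working code. The following is an added example and is not SecPortal's implementation; it assumes a hypothetical credential store where each stored scan credential belongs to one record (for example an engagement or target row) and where the 32-byte key is supplied from outside the database. It uses AES-256-GCM from the Go standard library, a fresh random nonce per value, and binds the ciphertext to its record ID as associated data so a value copied into another record will not decrypt there.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Illustrative only, not SecPortal's code. In a real platform the 32-byte key
// comes from a KMS or secrets manager, never from the same database row or
// config file that holds the ciphertext.
const keySize = 32 // AES-256

// credentialVault wraps one AES-256-GCM key for sealing scan credentials.
type credentialVault struct {
	aead cipher.AEAD
}

func newVault(key []byte) (*credentialVault, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be exactly 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &credentialVault{aead: aead}, nil
}

// seal encrypts a credential and binds it to recordID (the engagement or
// target row it belongs to) as GCM associated data. A fresh random 96-bit
// nonce is prepended to the ciphertext; nonce reuse under one key breaks GCM,
// so it is never derived deterministically. Output is base64 for column storage.
func (v *credentialVault) seal(recordID string, plaintext []byte) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nonce, nonce, plaintext, []byte(recordID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// open decrypts a stored value. Any change to the nonce, ciphertext, tag or
// recordID makes the GCM tag check fail, so a ciphertext moved to another
// record does not decrypt under that record's ID.
func (v *credentialVault) open(recordID, stored string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	ns := v.aead.NonceSize()
	if len(raw) < ns+v.aead.Overhead() {
		return nil, errors.New("stored value too short to contain nonce and tag")
	}
	return v.aead.Open(nil, raw[:ns], raw[ns:], []byte(recordID))
}

func main() {
	// Constructed demo key; a deployment would load it from a KMS.
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, err := newVault(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample credential for a hypothetical scan service account.
	stored, _ := v.seal("engagement-42/target-1", []byte("scan-svc:example-password"))
	fmt.Println("stored:", stored)
	pt, err := v.open("engagement-42/target-1", stored)
	fmt.Println("decrypted:", string(pt), "err:", err)
	_, err = v.open("engagement-99/target-1", stored)
	fmt.Println("wrong record id -> err:", err)
}
```

The associated-data binding is the detail buyers rarely ask about: without it, encryption at rest still allows an attacker with database write access to swap ciphertexts between records and have the platform decrypt one client's credentials in the context of another.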

2. Reconnaissance and surface mapping

Identify the actual attack surface: subdomain enumeration, technology fingerprinting, open ports, exposed cloud assets, and authentication flows. The output of this phase often shapes the rest of the engagement. Findings here are usually low severity but highly informative.

3. Active testing

Manual testing against the in-scope assets, supported by automation for routine checks. Findings are logged into the platform as they are discovered, scored against CVSS (or the agreed equivalent), and prioritised. Critical findings should be communicated within a defined SLA, often the same business day. Use the CVSS calculator to verify any score.

4. Reporting

A formal report ties findings together with an executive summary, methodology, scope, risk narrative, and remediation guidance. Even with live in-portal delivery, a final written report is usually still required for audit evidence. AI-assisted drafting can cut report turnaround significantly without removing the tester from the loop. See security assessment report template and how to write a pentest report.

5. Remediation and retest

The client implements fixes, marks findings as ready for retest in the portal, and a tester verifies. Remediation status persists between engagements so the next assessment starts from a known baseline rather than a blank slate. This is where PTaaS most obviously pays back the platform investment.

How to Evaluate a PTaaS Provider

The PTaaS market is noisy. Use these criteria to compare offerings on substance rather than marketing copy.

  • Tester qualifications: who is actually performing the work? Ask for tester biographies, certifications (OSCP, CREST, CHECK, OSWE, GPEN and similar), and example redacted reports. PTaaS marketing often emphasises the platform; the testers do the testing.
  • Methodology transparency: the provider should clearly describe their methodology and how it maps to OWASP, PTES, NIST SP 800-115, or equivalent frameworks.
  • Scope coverage: external network, internal network, web applications, mobile applications, APIs, cloud configurations, and source code review. Match this to your environment.
  • Communication SLAs: how quickly are critical findings communicated? Is there a chat channel inside the portal? Is there a named tester, or only a queue?
  • Retest policy: are retests included in the subscription, and how many per finding? Within what window? Retests are where many providers quietly add costs.
  • Reporting formats: portal access, PDF executive summary, technical PDF, CSV exports, integrations with Jira or similar. Ask for a redacted sample.
  • Data handling: where is finding data stored, how is it encrypted at rest and in transit, who has access, and how is it deleted at end of contract? This matters for regulated industries.
  • Reference clients: ask for two reference customers in your industry. A vendor that cannot produce one is a red flag.
  • Pricing model: per-asset, per-tester-day, subscription with included tests, or scope-based fixed price. See how to price pentest services for the structure of common pricing models.

Running PTaaS as a Consultancy

For security consultancies, PTaaS is no longer a differentiator. It is becoming a baseline expectation. Clients who have used a portal-based delivery model from another vendor rarely accept a PDF-only engagement again. Consultancies that do not deliver through a portal lose work to firms that do.

Building a PTaaS platform from scratch is expensive and rarely the right call for a services firm. A more practical path is to adopt an existing platform that supports engagement management, findings tracking, and branded client delivery. SecPortal provides engagement management, findings management, AI-assisted reports, a branded client portal on a subdomain you control, invoicing, and continuous monitoring in a single workspace, so the consultancy keeps the client relationship and the brand.

For broader operational guidance, see scaling a security consultancy with automation and managing multiple security engagements.

PTaaS Pricing Models

Pricing varies more than the public marketing suggests. The four common models, in roughly increasing order of customer commitment:

  1. On-demand tester days: buy a block of days, schedule them when needed. Predictable budget, less continuous visibility.
  2. Per-asset annual: a fixed annual fee per application or asset, with one or two scheduled tests and unlimited retests within a window. Common for AppSec programmes covering several apps.
  3. Subscription with included tests: a recurring fee that includes a defined number of tester days per quarter or year, ongoing portal access, and retests. Closest to the SaaS model.
  4. Hybrid: a subscription baseline with project-based add-ons for larger or out-of-scope work. Often the most flexible for organisations with variable test volume.

When comparing quotes, normalise on tester days, retest inclusions, and explicit scope. A higher headline number that includes 10 tester days and unlimited retests usually beats a lower number that includes 5 days and one retest per finding.

PTaaS and Compliance

PTaaS engagements satisfy the same compliance requirements as traditional pentests when the methodology and reporting meet auditor expectations. Common mappings:

  • PCI DSS: requirement 11.4 mandates internal and external penetration testing. See PCI DSS assessment guide and PCI DSS framework page.
  • SOC 2: CC4.1 and CC7 controls expect periodic testing of system security. See the SOC 2 compliance guide.
  • ISO 27001: Annex A.12.6.1 calls for vulnerability management; pentests provide direct evidence. See the ISO 27001 audit checklist.
  • HIPAA: the security rule risk assessment requirement (164.308(a)(1)(ii)(A)) is commonly satisfied with a combination of vulnerability scanning and pentesting.
  • NIST CSF and NIST SP 800-53: the Identify and Protect functions, and controls CA-2 and CA-8, expect penetration testing and ongoing assessment. PTaaS provides the continuous assessment evidence.

Verify before signing that your provider can produce a final report that your auditor will accept. A portal that holds findings is not by itself an audit artefact.

Common PTaaS Pitfalls

  • Buying a scanner with a portal: some PTaaS offerings are rebranded vulnerability scanning. Ask how many human tester hours are included per engagement and what the testers actually do with that time.
  • Hidden retest costs: the headline price may include only one retest per finding. Subsequent verifications are billed separately. Read the contract.
  • No named tester: if every engagement is staffed from a queue, methodology consistency and quality vary across tests. A named tester or small named team produces more coherent results.
  • Over-promising on coverage: no provider can deeply test every endpoint of a complex application in 5 tester days. Match scope to the available tester time honestly.
  • No offline report: some providers refuse to produce a downloadable PDF. This causes audit problems and creates lock-in. A defensible PTaaS offering produces a static report at the end of every engagement.
  • Ignoring findings management: the portal is only useful if findings are well structured, scored consistently, and integrate with the client's issue tracker. Vague findings in a slick portal are still vague findings.

When PTaaS Is Not the Right Fit

PTaaS is not always the right answer. Consider a traditional fixed-scope pentest when:

  • You need a single annual assessment to satisfy a one-off compliance requirement and have no plans for continuous testing
  • The asset is a one-time deliverable (an installer, a firmware image, a hardware device) where ongoing testing does not apply
  • You need a scenario-based red team exercise rather than a structured pentest
  • Internal politics or procurement constraints make a recurring subscription harder to approve than a single project

For a deeper look at provider selection regardless of delivery model, see how to choose a security assessment provider.

Deliver pentests through a branded portal your clients actually want to log into

SecPortal gives security consultancies engagement management, findings tracking with CVSS scoring, AI-assisted reporting, and a branded client portal on your own subdomain. Run PTaaS engagements without building a platform. See pricing or start free.