
Intigriti's PTaaS - Frequently Asked Questions (FAQ)

Written by Yannick
Updated over 2 weeks ago

What is Intigriti's Penetration Testing as a Service (PTaaS)?

Intigriti's PTaaS is a modern security testing solution that combines the best aspects of traditional penetration testing with the agility and impact-driven approach of bug bounty programs. It offers structured, focused, and transparent penetration test engagements designed to deliver meaningful security insights and reward real impact.

How is Intigriti's PTaaS different from traditional penetration testing?

Traditional pentests often involve long lead times, limited visibility until the final report, and a rigid, one-size-fits-all approach. Intigriti's PTaaS offers faster results (typically within 2-3 weeks), real-time collaboration and visibility into findings, flexible coverage for various asset types, and a "Hybrid Pay-for-Impact" model that incentivizes deeper testing for critical vulnerabilities.

How is Intigriti's PTaaS different from a standard bug bounty program?

While PTaaS incorporates the pay-for-impact incentive common in bug bounty programs, it provides a more structured and focused test setup. It involves committed researchers for a defined period, industry-standard pentest methodologies, and formal deliverables such as a Letter of Attestation or a full penetration test report, depending on the selected PTaaS type.

Who is Intigriti's PTaaS for?

PTaaS is designed for:

  • Security-focused companies (like SaaS, FinTech, and high-growth organizations) that need agile, high-impact testing.

  • Enterprise buyers who require audit-ready, standards-aligned testing (e.g., for SOC-2, DORA, ISO 27001 compliance) but also want more flexibility and depth than traditional pentests offer.

What are the different PTaaS types offered by Intigriti?

Intigriti offers three PTaaS types:

  • Focused Pentest: For targeted testing of specific assets or to check for worst-case scenarios, providing quick validation and a Letter of Attestation (LOA).

  • Comprehensive Pentest: A full-coverage security assessment with formal deliverables, including detailed reporting based on industry-recognized methodologies (e.g., OWASP WSTG) and assurance testing (validation of remediated findings).

  • Certified Pentest: Compliance-grade testing delivered by certified experts (e.g. CREST CCT APP, OSCP, SANS GPEN, etc.), best suited for regulated industries or enterprise security/compliance mandates.

What types of assets can be tested under PTaaS?

PTaaS supports a broad range of assets, including web applications, APIs, AI models, mobile applications (iOS & Android) and network infrastructure.

How do I choose the right PTaaS type for my needs?

The best type depends on your specific requirements:

  • Focused Pentest if you need dedicated researcher time to validate your assets with an easy-to-consume report (letter of attestation).

  • Comprehensive Pentest if you need assurance for full test coverage of your assets in scope following industry standard checklists and a full penetration test report.

  • Certified Pentest if you require testing by certified experts only, on top of all Comprehensive Pentest deliverables, to meet specific compliance mandates.

Can Intigriti's PTaaS be used for compliance purposes?

Yes, particularly the Certified Pentest type. This type is designed for compliance-grade testing by certified experts and can help meet requirements for standards such as SOC-2, DORA, and ISO 27001. Intigriti has also achieved CREST accreditation, further supporting the quality of Intigriti's PTaaS service.

How does the "Hybrid Pay-for-Impact" model work?

This model combines a base bounty (a daily rate) that keeps researchers focused on the defined scope with a bounty pool (additional rewards) for meaningful and impactful results. This approach encourages researchers to conduct in-depth testing and identify critical vulnerabilities. Both the base bounty and the bounty pool can be adjusted based on asset complexity to attract the right skills.

How quickly can a PTaaS engagement start, and what's the typical duration?

Engagements can often start in days, not weeks. Intigriti's PTaaS aims to deliver meaningful results typically within 2-3 weeks, offering a faster turnaround than many traditional pentests.

How are researchers selected for a PTaaS engagement?

Once the scope of the pentest has been reviewed and the goals and objectives have been defined, the pentest is opened for applications, and Intigriti's vetted pentest researchers can apply to join it. Planned enhancements aim to further improve visibility into researcher selection and specialization matching.

What kind of reporting can I expect?

Reporting varies by type:

  • Focused Pentest: Includes a Letter of Attestation (LOA).

  • Comprehensive Pentest: Includes a Letter of Attestation or full Penetration Test Report.

  • Certified Pentest: Includes a Letter of Attestation or a full Penetration Test Report following all requirements set out by CREST.

How do I track the progress of my PTaaS, and can I communicate with researchers?

You get full visibility throughout the assessment via the Intigriti platform. Findings are delivered in real time. You can interact directly with the researcher via a dedicated communication channel or through the platform to ask questions or provide context.

What is CREST, and why is it relevant to penetration testing?

CREST is a recognized standard in the cybersecurity industry. For Intigriti, achieving CREST accreditation for its PTaaS offering signifies a commitment to quality, recognized methodologies, and the ability to meet the stringent requirements of regulated industries and enterprise clients.

Is Intigriti CREST accredited?

Yes, Intigriti has achieved CREST accreditation. This is a key part of our strategy to provide trusted, high-quality penetration testing services.

What does Intigriti's CREST accreditation mean for its PTaaS offering?

Intigriti's CREST accreditation means that our PTaaS offering, particularly the Certified Pentest type, aligns with CREST's recognized standards for delivering penetration testing services. It underscores our capability to provide:

  • Compliance-ready testing suitable for enterprises and regulated sectors.

  • Services delivered with a high degree of professionalism and technical capability.

  • Increased trust and assurance for customers who require adherence to internationally recognized security testing standards.

What are the proposed base bounties for the different versions of Intigriti's PTaaS?

Here is a breakdown of the proposed pricing for each version (PTaaS type, description, base bounty, bounty pool structure):

  • Focused: A targeted pentest on a specific subset of an asset (e.g., based on OWASP Top 10), without researcher tracking. Base bounty: €300/day. Bounty pool structure: plus a bounty pool (pay-for-impact).

  • Comprehensive: A full pentest with a detailed test checklist. This does not require the researcher to be certified. Base bounty: €450/day. Bounty pool structure: plus a reduced bounty pool.

  • Certified: A CREST-accredited full pentest conducted exclusively by certified security personnel. Base bounty: €600/day. Bounty pool structure: plus a reduced bounty pool.

What is the difference between a Letter of Attestation (LoA) and a pentest report?

While both a Letter of Attestation (LoA) and a penetration test report are outcomes of a security assessment, they serve different purposes, are intended for different audiences, and differ in their level of detail.

A Letter of Attestation (LoA) is a short, formal document that confirms a penetration test was carried out. It is typically shared with third parties such as customers, partners, or auditors who require proof of testing without access to sensitive vulnerability information. It focuses on transparency and trust without disclosing technical details.
Intigriti's LoA includes:

  • The name of the organization tested

  • The scope of assets covered

  • The dates of the engagement

  • An executive summary outlining the general security posture and testing outcome

  • A metadata overview of all identified submissions or findings, including short impact summaries for each


A pentest report, on the other hand, is a detailed technical document aimed at internal teams such as security, engineering, or compliance. It provides a full breakdown of the testing process and results, supporting remediation and long-term security improvements.
Intigriti's full pentest report includes:

  • Executive Summary: A non-technical summary of overall risks and security posture

  • Methodology: A breakdown of testing techniques and tools used

  • Checklist Results: A record of all tests performed and their outcomes

  • Detailed Findings: Comprehensive descriptions of each vulnerability, with severity ratings, potential impact, and supporting evidence

  • Business Risk Assessment: Insight into how each finding affects your organization from a risk perspective

  • Remediation Advice: Actionable recommendations and best practices for fixing the issues

In short:
The LoA acts as lightweight proof of testing for external assurance, while the pentest report is a complete, actionable guide to addressing discovered vulnerabilities, making it the more valuable and comprehensive deliverable for internal use.

How do I request an Intigriti PTaaS engagement?

Existing customers can use the new pentest request wizard in the Intigriti platform to submit their scope, objectives, and requirements directly. New customers or those with complex needs can contact the Intigriti sales or customer success team for assistance.

Does Intigriti use CREST-certified researchers for all PTaaS engagements?

The Certified Pentest type specifically includes a "Certified testing team". Researchers may hold certifications such as CREST’s CCT INF / CCT APP or CREST equivalent certifications such as the OSCP, OSWE, SANS GPEN, etc. While other types leverage our wide pool of vetted, proven researchers, the Certified type is explicitly designed to work with certified professionals only to meet higher compliance and assurance needs.