Crowdsourced Security:
The Next Generation of Penetration Testing

Challenges With Traditional Penetration Testing

Penetration tests help organizations assess risk within a given system by approximating the likelihood of malicious
exploit. As a result, they have become a mainstay for several compliance initiatives like PCI-DSS and SOC 2. But while
the value of hands-on attack simulation is clear, systemic flaws in how they have been resourced and deployed have left
security leaders questioning their efficacy.

“You should know what the penetration testers are going to find, before they find it. [...] use third-party tests to
verify your own expectations. Highly experienced penetration testers may find subtle issues which your internal
processes have not picked up, but this should be the exception, not the rule.”
UK National Cyber Security Centre

For many pen test providers, reliance on full-time talent in a resource-constrained market has forced a focus on
utilization over outcomes. Pentesters are often matched by availability rather than experience, and customers requiring
rare skills may wait up to 3 months before testing can commence. Even then, back-to-back scheduling and limited testing
timeframes have led to an over-reliance on time-saving scanners, while all but eliminating room for creative exploration.

Given these parameters, it’s hardly surprising that a 2018 Bugcrowd survey of 200 cybersecurity leaders found 56% were
dissatisfied with their current penetration tests. High cost, poor results, and an inability to support or integrate
with agile development workflows contribute to the growing list of frustrations held by security leaders everywhere.

Nevertheless, it is true that pen tests, in any form, are well-understood and accepted by auditors, customers, and
investors alike. And while the need for these services will likely persist, new models for connecting and enabling
talent now provide a method for satisfying compliance objectives without sacrificing speed, coverage, cost, or ease of
use.

Highlights

• While penetration tests can be highly effective, the current model for resourcing and deploying them is not.

• Only 18% pen test purely for compliance. More seek true risk reduction, expedited go-to-market, and improved
customer trust.

• The next generation of pen testing rejects constrained resourcing models for crowdsourced pay-per-engagement.

• Platform-powered crowdsourced pen tests provide immediate access to a diverse set of skilled and vetted pentesters.

• Crowdsourced pen testing can deliver valuable results within minutes versus weeks or months with traditional pen

• The Bugcrowd platform reduces operational overhead, integrating with agile development workflows.

• Incentivized pen testing can result in 7x more high-value vulnerabilities, reducing overall cost per vulnerability.

Getting Started
Want to learn more about how your organization can leverage Bugcrowd’s Pen Test to exceed
compliance initiatives? Curious about our other security testing solutions? Contact us today!
www.bugcrowd.com/about/contact
Introducing the Bugcrowd Pen Test Portfolio

While many organizations share a need for compliance, not all have the same testing requirements or capacity.
Some seek continuous coverage, to match increasingly rapid development cycles. Others need shorter testing
windows throughout the year, as dictated by engineering workflows or budgetary and procurement cycles. Equally,
an organization’s appetite for tester incentivization may be shaped by its bandwidth to address vulnerabilities and
ability to maintain an elastic pool of monetary rewards.

To address these varied needs, Bugcrowd has launched a new approach to pen testing. Our Pen Test portfolio
offers two distinct solutions, Next Gen Pen Test (incentivized) and Classic Pen Test (project-based), which address
unique security testing goals. Both are hosted by the Bugcrowd platform, which enables them to leverage the
diverse expertise of the global hacking community, while still providing methodology-based coverage and essential
compliance reporting.

Next Gen Pen Test - An Overview

Bugcrowd’s Next Gen Pen Test (NGPT) pairs highly vetted and deeply experienced pentesters with organizations
that want to incentivize discovery of vulnerabilities to greatly reduce risk, increase go-to-market velocity, and
exceed methodology-driven compliance initiatives. By leveraging a fully-managed crowdsourced security model
backed by industry-leading technology, NGPT quickly matches and motivates the right skills for every program
without lengthy scheduling delays or costly overhead. NGPT’s unique incentivization layer rewards pen testers for
valid findings, increasing the volume and variety of critical vulnerabilities discovered over a shorter period of time.

Incentivized, Continuous Coverage
CrowdMatch™ matches and incentivizes the right pentesters for every program to ensure coverage while motivating
better results.

Real-Time Vulnerability View
Results are viewable through the platform as soon as they are submitted by the pentester. Bugcrowd triages and
prioritizes each finding.

Methodology + Always On Reports
Flexible assessments to satisfy various compliance requirements, on your time, with reporting tailored to your needs.

SDLC Integrations + Retesting
Integrations like JIRA and GitHub connect your security and software development lifecycles. Retesting is included to
ensure a proper fix.

Unlike traditional pen tests, which deliver results at the end of the assessment, NGPT also provides immediate
access to vulnerabilities as they are received. Our in-house team of security engineers then triages, validates, and
prioritizes every vulnerability, while baked-in remediation advice and SDLC integrations like JIRA and GitHub help
development teams fix fast. For organizations that want to keep pace with rapid development cycles, NGPT can be
deployed as an on-demand or continuous program, with premium SLAs, retesting, and coverage analysis included.

“I could have called anyone to get a clean bill of health, but that’s not our business. We called
Bugcrowd because we wanted the most in-depth vetting of our security posture. It’s beyond
compliance — it’s about true risk reduction, and we wanted a great partner to get us there.”
Chaim Mazal
Vice President, Head of Information Security, ActiveCampaign

Next Gen Pen Test - How it Works

All Bugcrowd Pen Test solutions are delivered via the Bugcrowd platform, enabling rapid setup, with access to fully
vetted testers and seamless workflow integrations for increased visibility and control. NGPT engagements begin
with Bugcrowd’s Trust and Triage Engine, which helps select, vet, and enable the right pentester based on skill and
experience, as well as additional factors upon request like geo-location, ID-verification, and background checks.

Selected testers then follow our BugHunter methodology (unless otherwise specified), which blends OWASP
Top 10, PCI, NIST, and HITRUST standards with industry best practices. For continuous engagements, additional
pentesters and security researchers apply their own tactics for expanded coverage and risk reduction. Our team
of in-house security engineers accepts, validates, and rewards incoming submissions on a rolling basis, to facilitate
faster remediation before a final report is rendered. Finally, Bugcrowd’s baked-in remediation advice and retesting
services ensure that what’s found is also fixed.

Next Gen Pen Test - The Value of Continuous Testing

Next Gen Pen Test is offered on-demand, or on a continuous basis. Where possible, continuous testing helps
assure coverage across the entire software development lifecycle. New code introduces new opportunities for
vulnerabilities, increasing risk between point-in-time security tests. While automated scanners provide continuous
coverage, they also produce extraordinarily high volumes of noise, making it difficult to find true signal in a
mountain of false positives, or low-risk “known-knowns.” NGPT pairs the value of continuous testing and always-on
platform reporting, with the compliance-driven requirements of structured, methodology-based testing as needed.

[Chart: Continuous Testing for Continuous Coverage. Axes: Security Coverage (vertical) against Time (horizontal).
Next Gen Pen Test is drawn as continuous testing punctuated by methodology-driven tests; Traditional Pen Test is
drawn as point-in-time tests at each code release.]

Classic Pen Test - Block Engagements For Testing When You Need It

Bugcrowd’s Pen Test portfolio brings the power of the Crowd to organizations with immediate compliance or
security testing needs. While Bugcrowd Next Gen Pen Test is defined by a layer of gamified incentivization,
Bugcrowd Classic Pen Test provides on-demand methodology-driven testing on a set, per-project rate.

A stackable pay-per-project model means every organization can now access thousands of thoroughly vetted
and immediately available pentesters, while CrowdMatch™ technology ensures each is expertly assigned by skill
and experience. And because Classic Pen Test is powered by Bugcrowd’s advanced security platform, results
are viewable as soon as they are discovered and submitted, rather than weeks later. To help Dev fix even faster,
Bugcrowd-validated and prioritized vulnerabilities can also be pushed directly into your existing security workflows
through integrations like JIRA and ServiceNow. Classic Pen Test offers additional flexibility through add-ons like
expedited testing, executive reporting, and retesting.

<72 Hours Average Setup Time
CrowdMatch™ skills matching technology helps rapidly assemble the perfect team from thousands of available testers.

Supports High-Volume Testing
Largest pool of available testers plus platform automation speeds resourcing and launch. Get fresh eyes on multiple
targets at once.

Real-Time Results & SDLC Integrations
Receive vulnerabilities as soon as they are submitted, rather than at the end of the assessment. SDLC integrations
help fix fast.

Methodology + Always-On Reports
Satisfy compliance requirements like PCI-DSS, with options to expedite or enhance. Added platform views maximize
transparency.

Bugcrowd’s Pen Test portfolio offers customers freedom of choice in determining the testing style right for them. All
solutions benefit from the Bugcrowd platform, and can be further tailored to meet individual customer preferences.

At a Glance: Bugcrowd Pen Test Versus Traditional Pen Testing

Columns compared: Traditional Pen Testing | Classic Pen Test | Next Gen Pen Test

Capabilities compared:

• Methodology-driven testing with reporting according to compliance requirement

• CrowdMatch™ to quickly locate and enable the largest pool of experienced pentesters

• Rapid deployment with an average setup time of under 72 hours

• Real-time results with submitted vulnerabilities immediately available in-platform

• SDLC integrations like JIRA and GitHub plus an open API to fit your security lifecycle

• Vulnerability validation, prioritization, and remediation advice to help Dev fix faster

• Continuous coverage for rapid development cycles and greatest risk reduction

• Incentivized vulnerability discovery for more, high-value findings from top pentesters

• Coverage Analysis, retesting, and premium SLAs included at no extra cost


Choosing the Right Solution: Finding Your Fit on the Bugcrowd Platform

The Bugcrowd platform provides access to a number of different crowdsourced testing solutions that complement
one another for increased risk reduction and security workflow integration. The technology, people, and
processes that underlie this platform enable rapid skill matching, fully managed vulnerability triage and prioritization,
real-time vulnerability access, and SDLC integrations to facilitate faster response and remediation.

All Pen Test portfolio programs support compliance initiatives through methodology-driven testing, yet are
differentiated from traditional pen testing in their ability to locate and activate ‘always-on’ resources from a pool
of hundreds of thousands of uniquely skilled pentesters and security researchers. Next Gen Pen Test supports
greatest risk reduction through a layer of incentivized gamification which rewards researchers for findings.
Advanced tooling like one-click retesting and features like Coverage Analysis and Premium SLAs further
distinguish Next Gen Pen Test from traditional testing. Classic Pen Test, on the other hand, provides greater
flexibility in time-blocked coverage through a more predictable pricing plan, and does not include a bounty “pool”
component for incentivization. Add-on features enable customers to build the coverage that’s right for them.

“Planning a traditional penetration test is a painful process. There are a lot of hoops to jump
through, not to mention, scoping is difficult and the methodology is strict. Bugcrowd’s Next Gen
Pen Test leverages the crowdsourced security model to bring 10x the security coverage needed
for today’s application and the cost savings. You can’t beat it.”
Richard Rushing
CISO, Motorola Mobility

Comparing Results - Bugcrowd Versus Traditional Pen Testing

Why Crowdsourced Security - Key Benefits for Pen Testing

RAPID RISK REDUCTION
Setup times averaging under 72 hours with streaming vulnerability visibility reduce both risk and overhead
compared to traditional methods.

MORE COST-EFFECTIVE
Incentivized or project-based options help meet compliance goals within any budgetary framework. More findings
reduce cost-per-vulnerability.

LOWER OPERATIONAL OVERHEAD
Cloud-based, managed solution seamlessly integrates into your existing SDLC for frictionless operation; workflow
automation reduces time in platform.

ATTACK SURFACE COVERAGE


Bugcrowd Pen Test programs support several “target” types. On premise or cloud-based applications, IoT and
mobile apps can all be tested, either in production or pre-production environments.

Target types: Web Front-End, API, Server/Cloud, Mobile, IoT


While Classic Pen Test is available in stackable blocks of on-demand effort, Next Gen Pen Test offers both on-
demand and continuous models. Choose the one right for your software development cycle.

On-demand Pen Testing is a great choice for organizations looking for a Crowdsourced
Security replacement for periodic penetration tests.

Continuous Pen Testing is useful for high-value targets or for organizations with agile
development that contributes to a dynamic attack surface.

Bugcrowd Makes Pen Testing Easy and Effective

Bugcrowd’s industry-leading crowdsourced security offerings are based on three key elements:

Crowd
Right skills, Right incentive. Quality, impact, coverage, and trust – harness the power of human creativity.

• Continually assessed for skills, experience, and performance; ID verification, and background checking.

• Hundreds of thousands worldwide provide rapid activation and 24x7 coverage.

• Diversity of backgrounds and attack methodologies support a broad range of targets (web, API, IoT, mobile).

Platform
Bugcrowd Security Platform. All-in-one platform for simplified vulnerability reporting and solution management.

• Remediation acceleration through baked-in security workflows to eliminate overhead and reduce risk of human error.

• Visibility into vulnerability lifecycle, bounty pool, and pentester activity.

• Seamless integration into your SDLC and security systems and processes; Bugcrowd’s API facilitates all of your
additional use cases.

Management
The Experts. Industry leading team with experience in enterprise security and pentesting.

• Vulnerability triage, validation, and remediation advice through our in-house team of Security Operations experts.

• Ongoing health monitoring provided via our team of dedicated Account Managers.

• Pentester management, payout guidance, and dispute resolution through our team of dedicated Researcher Success
Managers.

Trusted by Leading Companies Around the World
