Open Nav
Sign Up

Gartner SecOps Hype Cycle Highlights Continuous Expert-Level PTaaS Advantages

Roy Zinman

September 15, 2023

Recently, Gartner published the 2023 Hype Cycle for Security Operations.

Security operations technologies and services protect IT systems, cloud workloads, applications, and other digital assets from attack. They do this by identifying threats and vulnerabilities, and then taking steps to mitigate them. Security and risk management leaders use this Gartner research to develop and implement security strategies that are tailored to their needs.

As cloud architecture, open-source code and CI/CD evolve, this creates a larger attack surface and with it, a need for a more continuous, automated, and risk-based detection and management of vulnerabilities.  

In  their research, Gartner highlighted the concept of a CTEM program (Continuous Threat Exposure Management) as a key capability area which security and risk managers must include in their roadmaps. According to Gartner, “​​Exposure Management reduces the challenges organizations face inventorying, prioritizing and validating threat exposure that exist due to a rapidly expanding attack surface where traditional vulnerability management isn’t enough”. 

Gartner points out that siloing exposure activities such as penetration testing, threat intelligence management, and vulnerability scanning offers little to no awareness of the full scope of risks  the organization faces. Therefore, it is recommended to embrace a broader CTEM program, mobilizing the relevant organizational stakeholders, focusing on visibility and a risk-based, rapid response and reaction. 

Let’s see how adopting a continuous expert-level PTaaS solution aligns with Gartner’s recommendations for users:

  • When referring to Pen Testing as a Service (PTaaS), Gartner states that “PTaaS allows developers to talk to and receive guidance from pentesters instead of arguing with scanners”. A key feature of any PTaaS platform is a direct communication channel between developers and pentesters, enabling contextual discussions of vulnerability findings using the on-platform comments, and/or integrations with organizational productivity tools such as Slack, Teams and Jira.
  • Another driver for PTaaS according to the research is the limited in-house security expertise, which requires external assistance to meet compliance and risk objectives. In many cases this calls for using expert security researchers, as opposed to “typically vetted freelancers” which might provide variable quality results.
  • In the user recommendations section, the first advice is to create a mix of penetration testing, red team, automated testing and bug bounty / vulnerability disclosure program. It is better to get one vendor that can provide all of these, in order to get a comprehensive visibility.
  • Favor hybrid scanning models that combine human analysis and automation to increase both effectiveness and efficiency.
  • Select a PTaaS vendor that aligns with relevant compliance requirements, and not just focused on internet-facing infrastructure and applications. They also recommend Seek PTaaS vendors that provide customized and tailored guidance throughout the life cycle of their service to alleviate the security skills gap.

Finding such a mix of certified expert support, automated capabilities and an integrated platform is not easy, as many vendors lack at least one of these parameters. 

When referring to EASM (External Attack Surface Mapping) which applies to discovery & monitoring of internet-facing assets’ for exposures from an attacker’s perspective and immediate remediation, Gartner recommends considering available capabilities from converging markets and existing vendors, as security testing, threat intelligence and broad security platforms all offer viable EASM features. Gartner states concern over “Already overburdened vulnerability management (VM) capabilities and teams concerned about adding to workload” which means that you would prefer some kind of a managed triage for the EASM findings. 

Summary 

Gartner’s 2023 Hype Cycle for Security Operations highlights the need for a more continuous, automated, and risk-based detection and management of vulnerabilities. The research recommends that organizations adopt a CTEM program (Continuous Threat Exposure Management) to reduce the challenges of inventorying, prioritizing, and validating threat exposure. Gartner also recommends adopting a PTaaS (Penetration Testing as a Service) solution to allow developers to talk to and receive guidance from pentesters instead of arguing with scanners. Finally, Gartner recommends considering available EASM (External Attack Surface Mapping) capabilities from converging markets and existing vendors.

Here are some specific recommendations from Gartner:

  • Create a mix of penetration testing, red team, automated testing, and bug bounty / vulnerability disclosure program.
  • Favor hybrid scanning models that combine human analysis and automation.
  • Select a PTaaS vendor that aligns with relevant compliance requirements.
  • Seek PTaaS vendors that provide customized and tailored guidance throughout the life cycle of their service.
  • Consider available EASM capabilities from converging markets and existing vendors.

By following these recommendations, organizations can improve their security posture and mitigate the risks associated with a rapidly expanding attack surface.

About WASP

The WASP platform was built by OP Innovate to enable application security professionals to efficiently discover, assess, and manage their external and internal exposure

WASP combines advanced penetration testing, attack surface mapping, code analysis and contextual vulnerability prioritization, with remediation solutions that integrate with the DevSecOps pipeline to deliver a full life cycle of vulnerability visibility and control.

Continuous proactive testing

Manage the dynamic attack surface (external & internal)

Highly skilled and accredited team members (CREST, OffSec, etc) 

Respond to constantly emerging vulnerabilities and attack vectors 

Centralize multiple sources of vulnerabilities

Reduce the alert fatigue of false positives

See WASP solution overview

Resources highlights

Critical Cisco ISE Vulnerabilities Lead to Unauthenticated RCE (CVE-2025-20281 & CVE-2025-20282)

On June 25, 2025, Cisco disclosed and patched two critical remote code execution (RCE) vulnerabilities: CVE-2025-20281 and CVE-2025-20282, affecting its widely deployed Identity Services Engine…

Read more >

CVE-2025-20281 & CVE-2025-20282

Critical Vulnerability in MegaRAC BMC Added to CISA’s KEV: CVE-2024-54085

On June 25, 2025, CISA added CVE‑2024‑54085, a critical authentication bypass vulnerability in the MegaRAC SPx Baseboard Management Controller (BMC) firmware, to its Known Exploited…

Read more >

CVE-2024-54085

‘UMBRELLA STAND’ Malware Targets Fortinet FortiGate Firewalls

‘UMBRELLA STAND’ Malware Targets Fortinet FortiGate Firewalls The UK’s National Cyber Security Centre (NCSC) has issued an alert regarding a sophisticated malware campaign dubbed “UMBRELLA…

Read more >

umbrella stand fortinet

CVE-2025-49144: Privilege Escalation in Notepad++ Installer Enables Full SYSTEM Access

A critical local privilege escalation vulnerability in the Notepad++ v8.8.1 installer allows attackers to escalate to NT AUTHORITY\SYSTEM using binary planting techniques. Tracked as CVE-2025-49144,…

Read more >

CVE-2025-49144

Our Red Team’s Favorite Penetration Testing Tools in 2025 (And How We Use Them)

When it comes to red team operations, the tools you choose can make or break the engagement. From initial reconnaissance to post-exploitation, having a streamlined,…

Read more >

pentesting tools - op

New Linux Vulnerabilities (CVE-2025-6018 & CVE-2025-6019) Enable Full Root Access in Seconds

Security researchers have uncovered a critical privilege escalation chain in major Linux distributions that allows any local user with a session (SSH or GUI) to…

Read more >

CVE-2025-6018, CVE-2025-6019
Under Cyber Attack?

Fill out the form and we will contact you immediately.