Why Are Your B2B Customers Demanding Pen Tests?

Posted on August 4, 2020 - by Sherif Koussa - in Growing Your SaaS Company


We hear a lot about pen testing in business today. But what exactly is pen testing and how is it different from something like vulnerability scanning? When do you use one over the other? Why are customers, VCs, and even accelerators demanding pen test reports from their vendors?

And how did we end up in a place where knowing the answers to these questions can make or break your company’s success?

“Software is eating the world,” is a famous quote by Marc Andreessen, the co-founder of Netscape and general partner at the well-known Andreessen Horowitz, a private venture capital firm in Silicon Valley.

The technology landscape has changed rapidly in the last 10 years since Marc uttered those words. This rise of tech firms is thanks to increased access to some of the main ingredients required to build a technology company.


The Rise of Tech Companies – And Hackers

1. The Map: Unicorns like AirBnB, Uber, DataDog, SpaceX, Instacart, and others gave aspiring entrepreneurs the map to realize their own dreams of changing the world in their respective areas of expertise.

2. The Tools: Gone are the days where entrepreneurs need hundreds or even tens of thousands of dollars to start a tech company. Today, you can set up a free EC2 and GitHub account, add a code editor, spin up a website and you’ve launched!

3. The Investors: According to TechCrunch, there are more VC funds than ever, with US VC deal activity in 2018 alone estimated to be $130.9B up from $36.9B in 2008.

Ok, so there are more tech companies, you get it. But why are all these tech companies doing pen testing?

The increased number of technology companies, many of which are changing the way we live and interact with one another and the world around us, has led to a slow but strong change of habits, reflected best in the boom of e-commerce. 2019 was the first year in history in which the total market share of “non-store” or online U.S. retail sales was higher than that of traditional retail.

Even healthcare, historically one of the markets most lagging in digital transformation, is currently accelerating at a rapid rate, driven by the situation that COVID-19 has created. Digital healthcare transformation is now one of the fastest-growing industries, estimated to reach $210B by 2025 with a CAGR of 14.2%.

Digital transformation across industries means a lot of information now flows over the internet, processed by billions of lines of code running on new technologies such as cloud, containers, orchestration, and more. This has created even more opportunities for hackers to monetize data. 15 years ago, nothing other than credit cards could be monetized; now threat actors are making bank on everything from stolen health identities to Uber rides and airline miles.

Ok, so hackers have more things to hack. Still, why pen testing?

There are four main drivers behind the increase in penetration testing demand.

4 Reasons Pen Tests Are Becoming a Business Requirement

1. Gruesome Cyber Attacks: Several cyber attacks left a mark that can’t be erased easily. Yahoo losing 3 billion records, First American Financial Corp losing 885 million records, Facebook losing 540 million records, and Marriott International losing 500 million records are imprinted in all of our minds, even if we don’t understand how it all went down.

2. Compliance & Regulations: Increasing digital transformation, as well as the deteriorating security scene, has led to both industry and government regulations dominating how we communicate and do business. In the last two years alone, four governments have started to act: the EU with GDPR, Canada with the Get Cyber Safe guideline, the UK with the Minimum Cyber Security Standard, and Australia with its Information Security Manual.

3. Enterprise demand: A decade ago it was normal for a Fortune 500 company acquiring enterprise software to pay for the pen test itself. Nowadays, it is almost impossible to start talking to an enterprise without a SOC 2 report and a recent clean pen test report.

4. Agile engineering minds: Software engineers want to build smartly and safely. With security now seen as a quality issue, engineers are looking for security partners to share the burden.

Security was historically seen as a cost center. However, more companies are figuring out how to get a return on their security spend, particularly on pen tests.

From a basic automated vulnerability scan to a high-assurance, manual pen test performed by ethical hackers, making the most of your investment of time, money, and resources is crucial for growing startups and scaleups.

Securicy is joining forces with Software Secured to help make sense of when a vulnerability scan will do, when a pen test is necessary, and how to make the most of any security investment you make.

Join us for a live virtual event on Thursday, August 13th, 2020 at 12:00 EDT.

About the author

Sherif Koussa is an OWASP Ottawa Chapter Co-Leader, Software Developer, Hacker, and Secure Coding Instructor. Sherif began his security career as the lead developer for OWASP WebGoat 5.0, and served as a mentor for SANS Institute and exam consultant for GIAC, where he authored more than 500 Java and .NET questions. He also worked for Wells Fargo Bank in the central security code review team.

100 million lines of code later, Sherif brings lessons learned from writing insecure code as a developer, along with years of experience as a security code review engineer and pen tester finding vulnerabilities in custom code.

Sherif is also CEO and founder of Software Secured (https://www.softwaresecured.com) and Reshift Security (www.reshiftsecurity.com). Software Secured specializes in Penetration Testing as a Service (PTaaS) and instructor-led training.

Reshift Security is a developer-first security tool that automates finding and fixing vulnerabilities in custom code, with the click of a button.