Security Exec + Practitioner Track: From Periodic to Persistent: Rethinking Pentesting with PTaaS

 

Session Description
As AI-powered threats and rapid software releases outpace traditional security practices, point-in-time pentesting alone isn't enough. Join experts from NowSecure and Synack to explore how Pentesting as a Service (PTaaS) can help organizations stay ahead of evolving risks with persistent, scalable, and integrated testing strategies.

Session Summary

  • AI integration in apps introduces complex, often unrecognized security and privacy risks.
  • Rapid "time to exploit" means vulnerabilities are exploited within 24 hours of disclosure.
  • Continuous penetration testing is becoming essential, replacing traditional point-in-time models.
  • Mobile applications remain a critical, often underestimated security risk requiring focused testing.
  • Defense-in-depth and zero-trust principles are vital for securing mobile platforms and apps.
  • Industry-led AI security standards (e.g., the OWASP AI security verification standard) are emerging to guide secure AI adoption.
  • Better integration of security, privacy, and legal teams is improving risk management and compliance.

Session Transcript

 

 

All right, thank you everybody for joining us. My name is Michael Krueger. I'm the VP of professional services here at NowSecure, and with me I've got Paul Moat from Synack. Paul, why don't you go ahead and introduce yourself today?

Yeah, thanks Michael. Paul Moat from Synack. I'm the VP of solutions architects for Synack. I've been here for about nine years.

Great to have you on the call with us today. All right, so a little bit different today. We thought we'd have more of a casual conversation back and forth. Topic today, we're talking about penetration testing as a service. We're going to have just a general conversation. Paul has some very interesting thoughts on the topic. You'll find out I'm very passionate as well on penetration testing. So with that, let's jump on into things. First of all, I thought we'd get started, Paul, with just talking a little bit about how each of us got involved with penetration testing, or pentesting, and a little bit about how our background plays into that. So I'll tee it up for you first and then I'll follow up with some answers of my own.

Yeah, I honestly kind of stumbled into it. I wouldn't proclaim to be a pentester, but you know, I started off my career in the defensive space, receiving the pentest results, having to deal with the outcomes of it, not really understanding the process or why I was being pentested, just knowing that these folks would show up, they'd tell me what was wrong, and I'd have to go work through it. It wasn't until about eight years ago, nine years ago, that I made this shift and said, you know, I've been spending my entire career doing defense. It'd be really nice to flip the script, go on the offensive side, work offensive capabilities, and help organizations figure out how to better integrate those results into the strategies that they're building. So that was it, I stumbled into it. It was a happy accident, if you will.

That's great. Well, for myself, I've always been interested in puzzles, and so I think it was a natural evolution to start getting into information security. I've actually been doing cyber security, information security for about 20 years now, and I always found offensive security, or the thought process behind breaking something, bypassing something, very fascinating. And so my entire career has been mostly focused in the US Department of Defense and the intelligence community, and it didn't get its start really in mobile, actually, but in a lot more infrastructure-related systems. So I actually got my start testing hydroelectric power plants, learning a lot about SCADA systems and these very large interconnected supervisory systems, and then moved over more heavily into the defense department, and then finally I was a customer of NowSecure and fascinated with mobile apps and where mobile devices were introducing threats to individual users across the globe. The more I started to dive into that, I said, well, I really want to work with this company, and I've been here about nine years since. So, a little bit about me.

It's quite the journey. It's very interesting that you started off in the deeper, darker depths of IC and SCADA. That's usually the place that people end up when they realize the most important stuff's in that direction. It's interesting you started there and worked your way back out.

I did, yeah. And it's interesting, you know, you'd like to think that a lot of things have changed over the years, but I've always found it interesting that when you boil down a lot of the vulnerabilities, a lot of the issues that we see even today, and as we'll talk about, I think with some of the evolutions in technology, you boil some of that back down and it's still some of the same fundamental threats, some of the same fundamental motivations for a malicious actor to exploit a system. And we see the technology has evolved, the reasons or the results have evolved, but the reasoning behind it, the motivations behind it, really haven't changed much over the years. And so I found that really interesting, that there's a lot of crossover.

Yeah, I would agree. I think some of the most prevalent vulnerability categories have been around for 20-plus years, and a lot of the fundamental flaws that we still see are the same flaws we dealt with in the early days of the internet. And so we haven't quite learned how to solve those problems yet, but there is light at the end of the tunnel, which is a good thing.

Absolutely. So, you know, I bring up the evolution of technology, and I think what we're hearing in 2025, right, we're hearing a lot of evolution in technology, specifically around artificial intelligence, around AI, and it's AI-enabled everything. There's AI washing machines now. There's AI in our cars, there's AI in our televisions. We're hearing AI-enabled everything. And I'm just kind of curious, and I thought we could start by talking a little bit about your perspective, what you're seeing in the industry, and then some of my thoughts on AI. I'm an old grumpy guy, so I grudgingly accept the evolutions in tech, but I'm curious, specifically from a threat perspective, how is AI changing the threat landscape, what are you seeing on Synack's side, and then how are you responding to that?

Yeah, I think there's a lot of, I mean, it's a loaded question, right? I think the buzzword AI is a good one because it's all over the place. I think everybody knows we've got to adopt it, got to work through it. The genie's out of the bottle. You've got to do what you have to do. But interestingly, you know, over the last five years or so, we've kind of seen an app apocalypse: lots and lots of sprawling attack surface, lots of web apps. Everybody wants to be digital. They want to get in front of their clients and all that. AI introduces kind of a new threat vector, which is the developer is no longer just a developer in the background. Every user now can work with AI and do stuff with AI and integrate AI into apps, and it's crazy. So what we see is organizations putting AI everywhere. And interestingly enough, I think a lot of organizations don't ask, do we really need AI for this function? So if something is binary, like yes or no, do you really need AI to do it for you? And the answer is yes from everybody who's developing. But from a security standpoint, that creates all kinds of black-box scenarios where it's like, how are we defining it? What does the architecture look like? Can an attacker break out at any point in time through that? And can the AI do something that is a non-traditional threat vector, right? Like, can somebody jailbreak it and have it tell my user how to do something that is illegal, that we shouldn't be the source of that information? Those types of threats, or even threats of saying, how do I make sure my AI isn't saying something that's going to offend my clients, that's going to create completely non-recoverable damage to our reputation? There's that aspect of it. And on the flip side of it, what we're seeing is adversaries are moving a lot faster toward what we call time to exploit. It used to be that you'd have a notification that there's some new threat vector, a new CVE, something else of interest, some new research that was published, and you got 30, 60, 90 days to kind of sort through it and do your normal process. If you look at some of the CISA KEV lists that are out there, there's some other interesting vulnerability research. What we're finding is a lot of vulnerabilities that are being published on the KEV list are exploited within 24 hours of the notification, which basically means that the time that we thought we had before, we definitely don't have now. And you have to assume that on the back end. The reason for that is because now adversaries are equipped to do things like rapidly develop research and exploitation using those underlying capabilities that they just didn't have before. And so AI can bridge their gaps and make them significantly better, because where they were weak, it can fill the gap. For us, that means the amount of leeway we have as defenders is just that much smaller, right? We're really under the gun to act quickly. So that's kind of what we see: we see the app apocalypse, AI being innovated into everything, creating all new threat paths that we didn't know existed and having to go attack those, even new vulnerability categories, and on the offensive side, from an adversary standpoint, they're just getting rapidly faster at time to exploit.

Yeah, that's interesting that you say that, specifically on more of the defensive side too. We're seeing a lot of questions around not only what threat vectors can the AI that I've introduced into my app, what can that do within my app's ecosystem or within my entire environment, but we're also seeing that unknown of, do I have AI in my app that I didn't know about? And something that I really like to weigh in on is a lot of those third-party components that you're introducing to your applications. We see them constantly; those dependencies are updating, and very infrequently are they notifying their users, especially if we're talking open source, very infrequently are they notifying their users that they're introducing these new technologies. And so we actually end up with not only a security concern here, by those SDKs or those components leveraging those technologies, but we're also seeing more of a privacy concern. There are a lot of organizations that are implementing very strict, rigid privacy policies specifically addressing AI. I know a lot of enterprises now have specific directives around the use of AI, and so it's concerning that these third parties are doing that unbeknownst to the developer who is trying to adhere to their organization's policies and procedures and what they're telling their enterprise-wide users. But now these third-party components are really rolling these out, and so developers are having to scramble and go, oh no, what have I included in my app, and is it leveraging a large language model of some sort, either the big ones that we know about or some of the smaller models or some of the newer models that are coming out that we've heard about, such as the DeepSeek model, for example. The other thing I find very interesting, and actually exciting, is more on the awareness around security for AI and how some of the industry is actually moving very quickly. Arguably not quickly enough, right, because this technology rolls out so quickly. But it's been very nice for me to see the industry response and the awareness around the potential implications for AI security. And so I know, for example, OWASP, the OWASP organization, is actually implementing not an AI top 10, but an actual AI security verification standard. NowSecure talks a lot about, and we're an advocate for, the OWASP MAS project on the mobile side, but now there is an OWASP project specifically geared towards AI and secure AI rollout. So we're excited to see that. It's in its infancy right now, but it's beginning to roll out, and we're already seeing a lot of momentum behind that project, which I think is really exciting to see within the industry.

Yeah, I agree. It's an interesting statement, because I think when cloud rolled out, there wasn't a lot of awareness or focus or discussion around cloud security. There were assumptions around it. I think organizations are still navigating cloud security and how to go about proper cloud architecture and having hybrid cloud and everything else. I agree that it's interesting when we hear from our customers about AI LLM implementations, it is always, how do we go test this? Interestingly enough, I think there still is a bit of technology going faster than process, because a lot of times they're like, "Hey, we were navigating our own website and we realized our chatbot is using AI. We had no idea we implemented AI, and now we're trying to figure out who owns it and why it was there and how it's implemented. Is it properly secured? What does the architecture look like?" But the point is they're looking for it, they see it, and they attack it, versus the cloud, where it felt like we always had to have the conversation of why it's important to secure it, you know, what an improperly secured S3 bucket or Azure blob looks like and why it's a big deal. Everyone seems to already be switched on, and it's, hey, there's AI, how do I secure this thing? What am I not thinking about? How do I approach it? And I love that the standards, as you point out, from OWASP are just rapidly catching right up to it.

Absolutely. Yeah. And it's interesting that you also talk about the time to exploit, and I think that's really interesting. It's timely that we're talking about that, not just for AI but for the larger threat landscape, right? And something that on the NowSecure side, and I know on the Synack side as well, the message that we've really been pushing is that your more traditional pentesting, your point-in-time sort of model, is just not enough anymore. It was arguably an incomplete picture 10 years ago or so, but now with the evolution of just the speed with which exploits are being developed, with which a malicious user without a large support system, without botnets and some of these larger distributed systems, is still able, with these AI-enabled resources, to develop these exploits, these malicious intrusions, even researching a new platform, the speed with which they can research is so much more increased with some of these AI-enabled tools. And so I think part of the message that we've started really pushing out to the industry is that your traditional pentest, that one point in time, is leaving just a wide gap in your overall security posture, and that that single pentest isn't enough. And so we're starting to talk more of this idea of continuous pentesting and continuous testing at various levels, right, and how that can be approached. And so I'm curious, Paul, from your side, how does Synack look at continuous testing, and how does that start to mitigate some of these faster time-to-exploit sort of scenarios?

Yeah, it's kind of funny. When I first joined Synack, we only had a continuous offering. We kind of had to back off on that a little bit because we realized we were too far in front of everybody. They weren't ready. They loved the concept of continuous, but they weren't quite ready for continuous. So we kind of had to go meet the market where they were. It's nice to see the pendulum finally swing in the other direction, where it's like, hey, Apache Struts, Log4j, when it hits, you have to have something that's already on to go very quickly validate whether or not you can be exploited. And so organizations are finally coming around, saying, I know that my threat landscape is dynamic. It's changing. Research changes very quickly, often by the minute. I need to be able to apply that pressure. And so a lot of our organizations are trying to figure out, if they haven't already, how to implement the lowest-stakes stuff into continuous. And when I say continuous, it means having proof that things are actually being tested, looked at by humans, creativity is being applied, you actually have coverage, all of those things. And we have a lot of organizations finally making that shift that have been doing a lot of point-in-time pentesting. And then we have other organizations that have already been doing the point-in-time testing, and they're moving back into the network, saying, well, how do I apply continuous on an internal basis, not just an external basis, because I want 30, 40, 50 pentesters looking for stuff in my environment, not just once a year; I want it all the time, around the clock, if I can possibly get that. So the mentality is definitely there, and we see organizations working their way through that process. I would say a CISO will get it right away. However, they do have their peers. They still have to go sell and influence and educate, right? The CIO and the CFO and the CEO. Like, why is this important? Why do we care about this? And it's, well, hey, we have four toome appliances out there, whatever the acronym is, and today a new zero-day popped, and we need to know right away whether or not we have that exposure. And we just don't have the ability to do that because we're so big. It's so complex to get through things. It's hard to get that validation. The adversary doesn't have the process. They don't have the handcuffs in place. We have to have something that's on to very quickly tell us whether we're impacted or not.

Absolutely. No, we're hearing the same thing on our side, specifically with mobile too, you know, and that's been a classically maybe more overlooked aspect of an organization, right? The web has been a little bit more mature, and the web testing side has been arguably a little bit more cutting-edge or tip of the spear, but mobile has, at least in years past, lagged behind a little bit in some of the adoption and the frequency. And so that's a message that we're really pushing out on the mobile side: that you should adopt a continuous testing model for all of your architecture. Certainly your web resources, certainly your backend services, but also the mobile applications themselves. And so we look at it very similarly. Certainly we leverage a lot of automation to do this at scale, right? That's important, just with everything, as we all talk about continuous pentesting: how can we do this at scale, how can we make it approachable from a CISO standpoint, and, as you said, you need to go sell this to other stakeholders. And so I think it's definitely important to understand not only the return on investment, right, but also just how this scales with an organization as you add additional resources, new mobile applications, new web apps, and so on.

Yeah, I think a question I'd ask you, it's funny. I remember giving my first mobile threat intelligence briefing to a government group back in like 2015, where I got everybody to put their phones up and say, "Anybody play with Talking Tom?" And they were like, "Yeah." And it's like, "Did anybody look at the permissions that you signed off on when you did that?" Like, good news, I don't need malware anymore. I just need a functional app that your kids like, and you can give me all the data I need. Then it was interesting. We were flying very fast with mobile, but it was interesting, not a very sophisticated space. It's still a huge threat vector, because literally every user in your environment is a threat, because they have all of your information interconnected with the device. What is the trend that you've seen over the last three or four years in terms of how folks are viewing mobile? Is it ramping up, or are they getting more sophisticated in that area?

Yeah, that's a great question. So I'll answer it in two ways. Number one, you mentioned mobile threat defense, and I find this an interesting sort of enigma of technology. The platform: every handset will run on any number of different OSs with different versions, and yes, those can be vulnerable, those are vulnerable. Chasing a zero-day is an exhausting game for a security team. It's certainly a great defense-in-depth sort of protection, but I think too often when I talk to organizations, they're using that as their mobile security policy. We've implemented MTD. We've done our due diligence. That's that. And I think that's a great start, but it's very focused on the platform itself and those zero-days, and kind of that initial perceived attack vector, which is the hardware, the platform itself. And I think that's a good start, but really the mobile app is arguably an easier or more efficient attack vector, for exactly what you said, which is the information that is processed on that device. And so with the age of BYOD, or even just shared devices, a company-assigned handset, but arguably I'm still installing my personal apps. I'm installing my Gmail. My kids have sports, so I'm probably installing a sports app. Those sorts of external factors are typically allowed in a more permissive or partially permissive environment, just for user adoption, right? You have too locked-down a policy and users tend to find ways to either circumvent said policies, or they just push back against the security teams on those real rigid security postures. So there's always a balance. But to answer your question here, I think that the applications themselves, that's a still fairly unrecognized attack vector, or unperceived attack vector, for the overall mobile ecosphere, because those apps can and do glean information from the device about other applications, about other data that exists on the device. And ultimately some of those applications, either apps that you're building or apps that you're using, are vulnerable in some way, form or fashion and do introduce a foothold that attackers can use, either to get into your resources or otherwise exploit other data on the device. And so I think I'd really like to see more of an emphasis on the mobile app itself, and then pair that with a solid MTD sort of implementation. I don't think it's one or the other. I think really that defense in depth, like we do with everything. We have firewalls. We know that firewalls are only one part of a larger defense. I think it's the same with mobile. We have that MTD. We have awareness of the apps that exist within our environment, but we should still continue to test those apps and understand what other risk they introduce.

Yeah, I love that, and I would extend it too to the apps that organizations are creating, because I think we all know we've got to get to where users have all their attention, which is on their device, and so I think everybody has like a digital extension of their footprint. You know, I saw earlier this year, PowerSchool was a great example, where they had a main web application that's used for school for kids. Like, it's the schooling infrastructure for half the nation. They were breached, but their main application is pretty strong, pretty resilient. But interestingly enough, the support portal that they use to manage the support function of that application is different, wasn't as secure, and a valid user account was used. So they blended right into traffic, and they were able to steal 56 million identities or whatever the ridiculous count is. I got my letter from my kids. I feel bad. I'm going to have to figure out how to protect their identities. How does mobile play into that same type of hole, where the organization looks at it and they go, here's our crown jewel, it's super secure, and then we have this mobile app? Like, how do people think about the mobile app when they're thinking about securing their external attack surface?

Yeah, that's a great question. So I think there's multiple answers to that, and it depends on the maturity of an organization. We talk to plenty of enterprises who do perceive that the mobile app is an essential part of that overall experience, and they do treat it as a crown jewel, as much so as any of their other top-tier assets. I think as we get towards a smaller organization, there's two things. There's an education that the mobile app is probably the most forward-facing component of your brand, of your user experience, of your interaction. And so it probably doesn't receive the treatment that it needs to. And I think also, going back to more of that platform discussion that we just talked about, I think it's overlooked that the platform that your app runs on can be compromised. And I often, with some of my consulting that I've done, I always say, always assume that the platform, the device on which your app is running, is already compromised. Don't make the assumption that you're in a secure environment. Also, don't make the assumption that Apple or Google or any of the large app stores out there are doing security testing for you. They're doing a base amount to ensure the safety and security of their individual app stores, but it's in their best interest to be permissive, similar to, as we talked about, apps on a BYOD. But I think it's interesting, because if we assume that the platform is insecure from the get-go, then we can build in levels of protection. And again, going back to that defense in depth, we assume that it will be compromised and we build with security first in the mindset. And that, I think, is something that we really need to talk about with mobile more. Build with security first. Assume that the platform will always be compromised, and your app is that final line of defense.

It's a good evolution, right? It's like zero trust for mobile.

Yeah. You know, I'm also curious how you see privacy. How do you see users, or companies that you're working with, how are they viewing privacy, both in mobile but also just in security in general? Are they starting to recognize that there is a parallel between the two? And then I guess my follow-up question to that is, how do you see penetration testing helping with solving some of the privacy concerns, regulatory and compliance concerns that we see today?

Absolutely. I think the teams are getting better at understanding the linkage between privacy, data, custody, and so basically the legal teams are now realizing how important security is to their job function, right? So security has a mishap. Then all of a sudden the legal folks have a bunch of work they've got to go do, because they've got to work these announcements, figure out the laws, see what regulators need to be involved, all of those things. So we're starting to see that better integration, because, to be honest, it was separate for a long, long time unless there was a breach. We see folks collapsing that, right. It's also how the CISOs are getting more visibility into the board, because now it matters. People are realizing the impact to the organization. It's interesting in terms of how it comes out: a lot of times in our pentesting, folks are looking for those vulnerabilities that are directly linked to privacy violations. So whether it's a business logic flaw in an application or something that was able to be abused to get information that a user shouldn't have access to, right, it is a privacy violation if it was done maliciously. And so they're trying to figure out, how do we get ahead of that? And they're asking us those questions ahead of time, to do a little more due diligence on making sure we know the information that should be private and which information shouldn't. That way, whenever something comes out, it's properly articulated; the impact would be much higher for them. So I think it's finally starting to come around. The question we always get from folks is just, how do you implement that at scale in a cost-effective way, which is obviously where the PTaaS side for us comes in. The linkage of connecting the security team and the privacy group is really through the finding context, to say, if we see certain types of vulnerabilities, this is how it layers in, and it's us helping the CISO or the AppSec director sell to their general counsel folks, like, here is the impact and value coming out of the testing that ultimately helps your job and that you should be aware of. And it pulls those folks into that conversation, because that's ultimately what the CISO is trying to do: they're trying to pull more people into that conversation with

All right. Well, it looks like we're out of time for today. Paul, thank you very much for joining us. Now, I like to always leave our listeners with a little call to action before we depart the session today. Any last anecdote, anything that you'd like to leave our listeners with today?

Yeah, I think there's just a lot happening. Obviously, the stakes have never been higher in terms of what the threat landscape looks like, but there is light at the end of the tunnel. I think having these conversations, defining how to do things in a cost-effective way, how to do them at scale, that is ultimately the name of the game. And so I think we're all here to help support that conversation.

Absolutely. Thanks, Paul. I'll leave you with just one additional nugget, and definitely, if you found this valuable, let us know. We'd love, both of us on the Synack side and on the NowSecure side, to talk to you together about how we can help elevate your risk management program, both on web testing, on your appliance testing, on your OTT app testing, on your mobile app testing. Come talk to us and let us fill you in with a lot of information on how we can help with AI and all of the other risks that we talked about today. So with that, thank you everyone for joining. Paul, any final words? And thank you everybody.

 

 
