Organisations often use penetration tests to uncover weaknesses in their security, or to confirm their security controls are effective. So, sometimes customers ask us if Glasstrail is the same as penetration testing. Let’s find out!

What is penetration testing?

First up, let’s understand how penetration testing works. Also known as ethical hacking, penetration testing is done by cyber security experts. They use a variety of tools and techniques to attempt to exploit vulnerabilities in a system, often attempting to gain access to sensitive data or resources.

Pentesters can be given different levels of information or access to a target depending on the type of testing you want to do.  In some cases, full access to the source code is provided so testers can more readily find exploits (‘white box’ testing). In most cases however, the testing is done as ‘black box’ or ‘grey box’ testing where the tester is only provided with public information or a small amount of information about the target and attempts to gain access.

How does this differ to Glasstrail?

Glasstrail has a different purpose when compared to penetration testing. The focus of Glasstrail is holistic external attack surface management – it’s more interested in how an attacker might see your online presence when trying to exploit you.  To do this well, it relies on a few things: high scan frequency, breadth of coverage, capturing issues and risks, and also collating inventory information.

While penetration testing is a great way to deeply validate a system’s security, it:

• is expensive because it requires skilled cyber security experts.
• tends to be done infrequently - especially if a 'white box' approach is used - due to cost and availability of testers, and the time it takes.
• is more targeted. To keep scope in check, experts are normally asked to focus on specific target sites or assets – rather than the whole internet estate
• does not aim to map out your internet estate.

Glasstrail serves as a complementary tool to pentesting, as it:

• costs less per year than most single pen tests do, as it is fully automated.
• can scan frequently (e.g. weekly) with ad hoc scans available on demand.
• covers a broad spectrum of issues, from breached account credentials to email security and web security.
• automatically discovers and suggests assets that may be part of your internet estate, from IP addresses to technologies in use. This provides an up-to-date picture of your internet estate.

Our experience is that penetration test reports can be great and insightful, but they are typically long, and the findings are not presented as ‘work items’ ready to assess and remediate.  Sometimes this means they end up in the(virtual) filing cabinet rather than being acted on.

When Glasstrail produces findings, they are ranked and workable within Glasstrail, i.e., they have status such as “raised”, “tolerated”, “remediated” or “not relevant”. Once you have resolved an issue it can be closed – and your dashboard will reflect the good work you have put in. You can then also see your trends over time and share this with key stakeholders to show progress and your overall security posture.

If infrequent penetration testing is your only line of defence, you’re leaving the door open to hackers in between tests. If you flip this approach and deploy Glasstrail on a continuous basis, with penetration testing to support and backup, you’ll have a more robust protection strategy.

Getting started with understanding your exposure is easier than you’d think. You can either get in touch for a demo. Or simply sign up your domain up for a free trial – and see for yourself where your attack surface vulnerabilities are.

‍