Companies face many challenging questions when maturing their security programs, the answers of which are rarely straightforward. One of the most important decisions security leaders need to make is whether to build an in-house penetration testing capability.

Defining Pen Testing

When it comes to the definition of penetration testing, it seems every company has its own. Most use it as a generalized term to describe any type of security audit or testing activity. Security professionals, however, would describe penetration testing as an exercise to evaluate particular attack scenarios with a specific, predefined outcome. They would also emphasize the clear difference between configuration review, vulnerability assessment, red teaming and penetration testing.

For the sake of common perception, I will use the term pen testing to denote the entire set of technical assessment activities security leaders can leverage to achieve security assurance.

The Pros

When it comes to the cybercrime landscape, what was once perceived as a game of cat and mouse has grown into a full-fledged battle between security leaders and organized, sometimes state-sponsored, criminals. These criminals launch new attacks every day against increasingly complex IT infrastructures. This necessitates security testing for businesses of all sizes. Due to the growing demand for pen testing, many companies are considering bringing this capability in-house.

Easy Integration

Among the most obvious benefits of in-house pen testing is easier integration in the change management process. With more in-depth knowledge of the design and architecture of enterprise systems, an internal assessment team can suggest plausible attack scenarios. The pen testing team members could also be integrated as SMEs to advise on security requirements early in the system life cycle.

Quicker Response

Another benefit is shorter response time. Depending on the internal organizational structure and engagement process, in-house analysts can respond to requests for pen testing much faster than external testing providers.

Increased Value

In-house pen testing also offers increased team focus and a higher level of coverage at a lower cost. An internal testing team could examine additional environments that an external team might not test due to cost concerns.

The Cons

Convenience always comes at a cost. An in-house security assessment team could come with a hefty price tag.

Segmentation and Specialization

It is great to have well-prepared technical people who know how to test the organization’s security controls in the most appropriate way. But keeping your army ready to act might require some budgetary gymnastics.

The IT field is becoming more and more segmented, making it almost impossible to find well-rounded professionals who know electronics, networks, applications, mobile and cloud inside and out. An internal testing capability includes a team of people, each with their own specialization. Many of these professionals will be able to work outside their area of specialization, but they won’t be as effective as someone with that specific skill set.

It is also important to consider redundancy, or how to remain operational and keep meeting testing demands when team members are absent for different reasons.

Training and Accreditation

To keep your team current with the constantly evolving cyberthreat landscape, you will need to splurge on expensive training. In addition, new regulations require testing to be performed by accredited security professionals. Certifying your team will come at an additional cost.

Retention and Morale

The shortage of skilled professionals in the cybersecurity field is well documented and sure to affect the industry for the foreseeable future. That means recruiters are likely after your most qualified and highly trained employees, bombarding them with tempting offers.

It’s more important than ever for security leaders to maintain high levels of morale and motivation to keep the team together. Security professionals usually expect flexible work hours and locations, ample research time, extensive training, participation in conferences and more. Team leaders must know how to manage these expectations.

Automating Security Testing

Over the past 20 years, researchers and developers have endeavored to automate security testing as much as possible. Today, pen testing teams can leverage tools such as network scanners, dynamic and static code analysis tools, reverse engineering tool kits and more. Some tasks can be automated with open source and free tools, but commercial tools provide a level of efficiency security teams need to meet the growing demand for pen testing.

When planning and implementing internal testing capabilities, organizations often overlook the infrastructure supporting the testing operations. Bear in mind that the testing team will need to collaborate and share highly sensitive data, and this information will need to be stored as evidence. Data retention is essential, and the server infrastructure should be able to support it.

The Hybrid Model

Organizations may consider adopting a hybrid model to balance the expense of building and maintaining a full-fledged security assessment team and the benefits of establishing internal testing capabilities.

The optimal solution may be to build an internal security assessment center and hire or train a limited number of security assurance specialists with intimate technical knowledge of your systems. This team should use hands-off resources to offer advice, outline a plan to meet a given testing objective, communicate with internal stakeholders and third-party providers to clarify the scope of the engagement, oversee the execution and relay the final results.

Some organizations might decide to equip internal teams with a pool of hands-on resources with which to perform limited testing. In most cases, however, the actual hands-on job is outsourced to specialized service providers.

To summarize, organizations stand to gain much by establishing in-house pen testing capabilities. Pros include:

  • The option to select from a wider pool of trained and accredited security testers; and
  • The option to rotate experts for a fresh pair of eyes.

This convenience doesn’t come without a cost, however. Cons of in-house pen testing include:

  • Extended time for preparation;
  • Additional expense; and
  • The need to establish well-defined attack objectives when complex enterprise systems are targeted.

There are numerous incentives to establish an in-house pen testing team, most notably the cost-saving benefits. There are, however, many not-so-obvious considerations organizations tend to overlook that could render such a team ineffective. When considering in-house pen testing, security leaders should explore all the available options and reach out to trusted security experts for advice.
