
Making Continuous Security Work: Inside the CTEM Framework

For SMEs and startups, things are always changing—new projects, growing teams, and evolving products. Amidst this growth, cybersecurity often takes a backseat. However, protecting your business from cyber threats is more important than ever.

In this episode, Anh Pham, Director of Penetration Testing and Security at Trava, explains how a robust Continuous Threat Exposure Management (CTEM) framework can help businesses stay secure. He also discusses how Penetration Testing as a Service (PTaaS) and Vulnerability Management as a Service (VMaaS) offer ongoing protection and risk management without the need for a full-time security team.

Anh shares how partnering with cybersecurity experts can give you peace of mind, letting you focus on your business while staying ahead of potential threats. Tune in for practical advice on implementing CTEM, PTaaS, and VMaaS to ensure your business is safe and secure.

Key takeaways:

  • The role of PTaaS and VMaaS in continuous protection
  • The benefits of partnering with cybersecurity experts
  • Practical steps to implement CTEM, PTaaS, and VMaaS

Want to know exactly what to look for in a PTaaS provider? We’ve outlined everything you need to know in this guide: https://travasecurity.com/understanding-ptaas

Episode highlights:
(00:00) The aspects of a robust CTEM strategy
(01:15) Penetration Testing as a Service (PTaaS)
(02:29) Vulnerability Management as a Service (VMaaS)
(03:42) Why you need PTaaS and VMaaS in your CTEM framework
(06:32) How to start small with CTEM
(07:48) Making continuous cybersecurity affordable for SMEs and startups

Episode Transcript

[00:00:00] Anh Pham: For most startups and growing companies, they actually change the environment, change a lot; the app changes a lot. And it’s just unreasonable to expect them to be able to tackle all vulnerabilities, all issues, all findings they identify, right?

[00:00:15] Anh Pham: So having these kinds of services helps them tackle really what matters to them and helps them limit their exposure.

[00:00:42] Jara Rowe: Hey listener, I’m back with Anh and we are going to continue our conversation on continuous threat exposure management. So in the previous episode, we really dove into what CTEM is, but now we are going to get into how people can accomplish these things, and particularly without a designated security team.

[00:01:07] Jara Rowe: So Anh. I’m so excited to continue this conversation with you.

[00:01:11] Anh Pham: Likewise.

[00:01:13] Jara Rowe: Yes. All right. So the first question I have for you, you and I have actually talked about it before, and this is how I know that it fits in with the CTEM conversation. So what is penetration testing as a service and how does it differ from traditional pen testing?

[00:01:33] Anh Pham: Sure. PTaaS is pretty much a new and modern way to approach penetration testing, uh, especially for teams and organizations that are constantly moving, constantly changing. Traditional

[00:01:46] Anh Pham: pen tests are often point-in-time, static, slower. Uh, they are usually scheduled for once a year, and typically the end result of the deliverable is a static PDF report

[00:01:59] Anh Pham: after, you know, a couple weeks of testing. With PTaaS, things get shifted to a more continuous approach. You get a completely different experience: faster test launches, you know, real-time visibility into issues that are being identified, continuous retesting support, and really, you gain access to a team of security experts year-round to help you in your security program.

[00:02:24] Jara Rowe: Great. So yeah, you even said the key word here, continuous, when it comes to PTaaS. So next question, another acronym that we always like to throw out in these conversations: VMaaS. So what is VMaaS?


[00:02:41] Anh Pham: So VMaaS stands for Vulnerability Management as a Service. It’s basically an upgraded vulnerability management program. You’re not just running vulnerability scans anymore, because a lot of companies can run vulnerability scans; there are a lot of vulnerability scanning tools available out there.

[00:02:57] Anh Pham: But usually what happens after they run a vulnerability scan is they get a list, a big list of results, vulnerability issues, weaknesses, and they don’t know what to do next. Uh, with something like VMaaS you get the same benefit of being able to run vulnerability scans, but you also have somebody to help you tune out false positives, prioritize the issues and the weaknesses that actually matter, and even track your remediation and your vulnerability program. So it’s especially helpful for teams without a dedicated security analyst; it’s a big unlock for them, right? Being able to gain that security equity, being able to weed out false positive issues, being able to really tackle issues without having to make a huge investment.

[00:03:42] Jara Rowe: This sounds great for like smaller teams or startups. And again, like you don’t want a bunch of like new investments and things like that, but I also heard you again say continuous and frequency, which is already helping me understand how like PTaaS and VMaaS fit into CTEM. But can you go in a little bit more and explain how these types of services support a CTEM strategy for a business?

[00:04:12] Anh Pham: Sure. Um, so CTEM basically is a framework, right? And then services like PTaaS and VMaaS help you put that framework into action and help you actually put them into practice. So PTaaS essentially is gonna be the one that provides that validation layer, or validation phase, by allowing you to conduct testing continuously, validate, uh, the impact of exposure, validate that you’re fixing, one, the things that actually matter.

[00:04:41] Anh Pham: And then VMaaS helps you manage everything in between, right? Uh, between scoping, identification, to prioritization and also to validation and remediation. So VMaaS is the tool to help you put all of that work into practice. So together they make CTEM actionable and not just a theoretical framework anymore.

[00:05:02] Jara Rowe: Yeah, that’s super helpful. So again, I feel like you’ve already kind of gone into this, but what are the benefits of these services for like a growing company?

[00:05:14] Anh Pham: So for a smaller company or growing company, the benefit is actually pretty big. First off, you get access to real security expertise, continuous security, continuous validation, continuous testing without needing to hire a 14 year security engineer and security analyst. Right? Because we all know.

[00:05:34] Anh Pham: Cheap. You move faster to audit, because you are practicing security. You’re practicing testing, you’re practicing validation, uh, identification, scoping continuously. So when audit time comes, you don’t have to scramble and try to do all of that within the span of weeks or something, because you already have all of that.

[00:05:51] Anh Pham: Most importantly, you really focus on what matters for your organization at whatever stage you’re in. Because for most startups and growing companies, they actually change the environment, change a lot; the app changes a lot. And it’s just unreasonable to expect them to be able to tackle all vulnerabilities, all issues, all findings they identify, right?

[00:06:16] Anh Pham: So having these kinds of services helps them tackle really what matters to them and helps them limit their exposure.

[00:06:24] Jara Rowe: That’s great. Yes. Especially for a startup, you are always changing things, so that absolutely makes sense to me. So, say that I wanted to start using like a CTEM framework. What’s the first or one practical step a company should take to get started?

[00:06:44] Anh Pham: So I always advise people to start small and start simple. The thing with all of these programs and all of these services is you don’t have to try to tackle everything when you first start. Pick something within your environment, maybe your most critical system, the one that enables you to deliver your service.

[00:07:01] Anh Pham: Maybe it’s your main SaaS product, maybe it’s your main application, whatever it is, and then start implementing these services around it, right? So start thinking about continuous vulnerability scanning, performing continuous testing and validation. Then, you know, once you have a mature process around that system.

[00:07:22] Anh Pham: Then as you grow and scale, you can think about extending that framework to cover other systems or other assets or other parts of your environment.

[00:07:32] Jara Rowe: Absolutely. So again, we’ve mentioned things about like not needing a full-time team or adding additional investments. So we definitely know that there’s always a cost and we wanna make sure things are as affordable as possible for people. So how do these services make continuous security more affordable and accessible for like a startup?

[00:07:57] Anh Pham: So they replace a lot of the big upfront costs. Like, think about VMaaS and PTaaS. If you were a small company or a growing company that wants to practice this right now without these services, you have to make an upfront investment into tooling and the people that run those tools.

[00:08:15] Anh Pham: You need to make an investment in your, in defining your processes, all of that. And then even after that, there’s no guarantee that you will be able to do it right? Because again, you’re just starting, right? You’re 

[00:08:25] Anh Pham: still learning. So this is a big risk when you make that sort of big investment upfront. With these services, you’re basically able to shortcut that process.

[00:08:35] Anh Pham: So you’re starting small, you’re learning, you cover just one or two systems at first, but you are not compromising on, you know, the tooling, the process, the expertise. You’re able to immediately tap into all of that and get started fairly quickly, in weeks or even shorter.

[00:08:51] Anh Pham: It’s basically the way that these services are making continuous security more accessible for a smaller company.

[00:08:57] Jara Rowe: Yeah, absolutely. That is great. 

[00:09:00] Jara Rowe: Okay, Anh. Thank you so much for answering all of these questions that I have for you when it comes to CTEM and PTaaS and VMaaS. So I’m going to try to wrap us up here to make sure I understood what you said to me. So, CTEM is a framework that is really situated around like continuously looking at things and improvements, and in that, PTaaS is the validation step, and then VMaaS is really checking all the vulnerabilities and everything in between.

[00:09:36] Jara Rowe: Is that accurate?

[00:09:38] Anh Pham: That is correct.

[00:09:39] Jara Rowe: All right. Fantastic. Well, listener, I hope that you got as much out of that as I did, and make sure you subscribe and stay tuned for the next episode. And if you need anything else from Anh or myself, you can head on over to travasecurity.com. Thank you.

The Tea on Cybersecurity


Cybersecurity—a word we hear all the time. Show of hands for those that actually understand what it means.

The Tea on Cybersecurity is here to help educate the newbs on what cybersecurity is, why it is important, and everything in between. The Tea on Cybersecurity is for everyone, but especially those small and medium-sized businesses that are starting their journey in building a cyber risk management program. Each show is about 15 minutes long to deliver you with the facts and less fluff.