CybersecurityNews

Study: HackerOne’s pen-testing solution delivers 115% ROI over three years

A new study conducted by Forrester Consulting on behalf of HackerOne, a hacker-powered security platform, finds that businesses can save over $500,000 and 66 percent of internal effort over three years by replacing traditional penetration testing with HackerOne Challenge for security and compliance testing.

Drawing on extensive customer interviews, the Forrester Total Economic Impact (TEI) study also indicates that moving to HackerOne Challenge for security and compliance needs shortens penetration testing engagements, increases customer satisfaction and retention, and materially improves application security, reducing the likelihood of a security incident.

“Customers are speaking in one voice through this Forrester study,” said Marten Mickos, CEO, HackerOne. “Hacker-powered pen tests give the best bang for the buck, and the underlying time, security, development and compliance benefits are even stronger. The power of a community of over 400,000 hackers is unsurpassed.”

Among other benefits, the Forrester Consulting TEI Study found:

Organizations reduced the cost and duration of penetration testing by switching to HackerOne Challenge

In every case studied, the time taken to complete a penetration test and receive results fell significantly, by 50% on average, which in turn reduced internal effort. The study puts the total cost eliminated over the three-year period at $156,784. One interviewee said, “Every $1 we spend on HackerOne Challenges would have meant $5 in the past for other pen testing and auditors.”

Greatly improved security, reducing the likelihood of a security incident

According to the study, the quality of penetration testing performed through HackerOne is markedly higher than that of traditional providers because of the diverse skills and experience found in the hacker community. Findings and recommendations are also submitted sooner, so fixes can be made promptly. Together, these effects reduce the risk of a breach. One customer explained, “We found 138 vulnerabilities in our first Challenge. They were found much faster and of higher complexity than what we had gotten from past providers.”

Reduction of internal security and application development efforts

Customers avoid hiring additional security staff because of the thoroughness of the testing and the remediation guidance HackerOne provides for each vulnerability. They also report better bug identification, and the knowledge transferred through hackers' reports reduces application development time.

Increased customer satisfaction and retention

More robust audits give an organization's existing customers greater confidence in its ability to deliver the contracted services securely. They also prevent customers from leaving because of security flaws or delayed audit results.

From the information gathered in the interviews, Forrester Consulting constructed a Total Economic Impact framework for organizations considering HackerOne Challenge. The study modeled a one-time, time-bound bug bounty engagement (repeatable as desired) in which ethical hackers test designated systems and applications for vulnerabilities. It examined a composite company blended from the HackerOne customers interviewed: a US-based SaaS company with global operations that holds PII and cardholder data and completes two HackerOne Compliance Challenges per year, one on the production environment, as required by its Qualified Security Assessor (QSA), and one on the development environment. The accompanying ROI analysis covers the areas that are financially affected. Because the figures are modeled for this composite rather than measured at any single customer, they should be read as indicative rather than as a guaranteed outcome for a given organization.