Author: Richard Curteis - Director

Published: 28/04/2025

Cut Costs, Not Corners

Updates to Realize Security’s External Pentesting Model

We are fundamentally changing how we conduct and bill for our CREST accredited external infrastructure assessments. Free pentesting! Well, almost, but let's not get ahead of ourselves. Starting off a post like that is almost certain to raise some eyebrows. Nobody does anything for free and this is no exception. But, for our customers, it might as well be.

TL;DR

You'll now only pay for reporting days and not for time-consuming tasks like network scanning. That means fewer billable days and significantly more value.

What is external pentesting?

External penetration testing is an exercise whereby an assessor analyses and evaluates data representing the externally facing assets of a target organisation. These assets constitute the target 'attack surface'. The key here, for our purposes at least, is this, "… analyses and evaluates data…"

What data?

The data representing an organisation's 'attack surface' may vary in quantity and type. It can, however, be boiled down to at least two key high-level categories: network-connected systems and open source.

Network-connected systems encompass server and network infrastructure, including web and API endpoints. These form a significant proportion of a typical organisation's attack surface and are the perimeter upon which attackers apply pressure.

Open source is the category that often does not get enough credit: it is everything that is publicly available on the internet. This can be leveraged by an attacker to enumerate networks, user hierarchy and even passwords, often without setting off security alerts.

Put like that, your physical infrastructure and open-source infrastructure should be assessed as one, right? We think so.

How is this data analysed?

Security tools do their job very well. They analyse large swathes of systems and produce standardised outputs which can be analysed by a human operator to determine risk. Similarly, whilst open-source services and breach data repositories offer web interfaces, they also offer programmatic interfaces, again using standardised input and output. This data can be gathered and analysed by human and automated operators.

Where Traditional Pentesting Wastes Time

Pentesting traditionally involved a scoping call where the assessor found out how many IP addresses and domains were in-scope. Then they 'guesstimated' how long it would take to scan and assess that infrastructure and produce a report. This meant clients paying for everything, including time spent waiting for scans to complete.

Changes to Realize Security's approach

What once took multiple days, or even weeks, and cost thousands is now streamlined. The human assessor focuses purely on validating results, performing manual validation, and producing a high-quality report. We've automated the time-intensive, repetitive parts intelligently. With our in-house tooling, we automate:

  • Infrastructure discovery and scanning
  • Aggregation of data
  • Initial risk triage
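As an added illustration of the aggregation and initial-triage steps listed above (example code written for this post, not Realize Security's in-house tooling): it reads nmap-style XML, a genuinely standardised scanner output, but the scan data is constructed inline and the service-to-risk-tier rules are an assumption chosen for the example. The output is the list of hosts an analyst would validate first, which is the point at which the human in the loop takes over.

```python
"""Aggregate standardised scanner output into an initial risk triage.

Added example for this post, not Realize Security's tooling. It assumes
nmap-style XML (a real format); the scan data below and the triage rules
are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET

# Constructed sample scan: two hosts in a documentation range, not real data.
SAMPLE_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="198.51.100.10" addrtype="ipv4"/>
    <hostnames><hostname name="www.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="198.51.100.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed triage policy: remote-admin and database services reachable from the
# internet go to the top of the analyst's validation queue; clear-text or
# admin-access protocols get a second look; everything else waits.
HIGH_RISK = {"ms-wbt-server", "mysql", "ms-sql-s", "postgresql", "microsoft-ds", "telnet"}
MEDIUM_RISK = {"ftp", "http", "http-proxy", "ssh"}


@dataclass
class HostFinding:
    address: str
    hostname: Optional[str] = None
    open_ports: Dict[int, str] = field(default_factory=dict)  # port -> service name

    def initial_risk(self) -> str:
        services = set(self.open_ports.values())
        if services & HIGH_RISK:
            return "high"
        if services & MEDIUM_RISK:
            return "medium"
        return "low"


def parse_scan(xml_text: str) -> List[HostFinding]:
    """One HostFinding per host that is up, keeping only ports reported open."""
    root = ET.fromstring(xml_text)
    findings: List[HostFinding] = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        finding = HostFinding(address=addr_el.get("addr"))
        name_el = host.find("hostnames/hostname")
        if name_el is not None:
            finding.hostname = name_el.get("name")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are noise at the triage stage
            service = port.find("service")
            name = service.get("name") if service is not None else "unknown"
            finding.open_ports[int(port.get("portid"))] = name
        findings.append(finding)
    return findings


def triage(findings: List[HostFinding]) -> Dict[str, List[str]]:
    """Group host addresses by initial risk tier, highest tier first."""
    tiers: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        tiers[f.initial_risk()].append(f.address)
    return {tier: sorted(tiers[tier]) for tier in ("high", "medium", "low") if tiers[tier]}


if __name__ == "__main__":
    for tier, hosts in triage(parse_scan(SAMPLE_SCAN_XML)).items():
        print(f"{tier:6s} {', '.join(hosts)}")
```

Running it prints the high-tier host (exposed RDP and MySQL) ahead of the medium-tier one, which is exactly the ordering an analyst wants before any manual validation starts; the filtered 8080 port is dropped so it does not inflate the queue.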

For you, this results in:

✅ Faster turnarounds
✅ Less wasted time
✅ Lower costs
✅ Same expert-level analysis
✅ Same CREST accredited reporting

Same Quality. Less cost.

Instead of charging, for example, for 10 full days including automated scanning, you only pay for the actual reporting time. If the engagement takes 7 days of automated scanning but only 3 days of analyst time to validate and report, you pay for 3. Simple.

Is This AI Magic?

No. This is robust, consistent, code-based automation, not experimental AI agents. While we're exploring agent-assisted testing, this approach is powered by tested, human-written automation. We keep a 'human in the loop' for accuracy and consistency.

Is This the Only Option Now?

Not at all. Some clients prefer a more hands-on incremental engagement and we're happy to provide that. This new model is opt-in and currently only applies to external infrastructure testing, but we're already working on automation-enhanced models for internal, web, and API assessments too.

Putting Money To Mouth

Realize Security will only bill for the reporting days of external infrastructure engagements. No fluff. No delays. No wasted hours. Just real value, real expertise and real savings.

Work Smarter. Not More Expensiver.

Security doesn't need to be slow or costly. Let's reduce your risk without draining your budget. Get in touch to learn how we're making penetration testing faster, leaner, and smarter.


Image: TriStar Pictures

Our Mission

To provide information security services, affordably and at scale, through innovative use of software development, automation and AI driven solutions.


© Realize Security Ltd. 2025 | Company Number: 12606876 | VAT No.: GB466083379