By Larissa Kolver, Head of Cyber Security at Securecom 

Author Introduction

As a security leader focused on measurable outcomes, I bridge the gap between threat intelligence and day-to-day engineering, turning findings into fixes that executives can track. My background spans SOC operations, vulnerability management, and programme governance, which means I care as much about cadence and remediation as I do about discovery. I’ve seen first-hand how point-in-time checks leave Kiwi organisations exposed between releases, so my mission is simple – help teams move to evidence-driven assurance that keeps pace with change while keeping compliance costs in check.

Key Takeaway: When you move from point-in-time penetration tests to a subscription model like Pen Testing as a Service, success depends on nailing scope cadence, service levels, onboarding, and privacy or legal language up front. Get these right and continuous assurance can run alongside your delivery cycles without slowing the business.

Outline:

  • Why commit to a subscription testing model now
  • Scope cadence that aligns to how you release
  • SLAs that actually move risk and velocity
  • Contract terms for privacy, data handling, and safe harbour
  • A 90-day onboarding plan that drives early value
  • Total cost of ownership and procurement checks

Introduction

If you are at shortlist stage, you have likely concluded that annual, point-in-time testing is not enough for cloud, SaaS, API, and mobile-heavy environments where change is constant. That conclusion is backed by both global and local context. New Zealand’s Privacy Act 2020 requires agencies to notify the Office of the Privacy Commissioner and affected people as soon as practicable if a breach is likely to cause serious harm, with the regulator signalling an expectation of within 72 hours once you become aware of a notifiable breach. That expectation drives leaders to prefer ongoing assurance over once-a-year checks. (privacy.org.nz)

ISO 27001:2022 added clarity as well. Annex A 8.8 focuses on proactive management of technical vulnerabilities, aligning security practice to continuous identification and mitigation rather than episodic audits. For many organisations, a subscription model that blends automated discovery with accredited manual exploitation and fast retests is the most practical way to evidence this control. (ISMS.online)

Locally, the NCSC’s quarterly insights show that incident volumes and large-loss events vary by quarter, but high-impact cases remain stubbornly present. Q4 2024 recorded the largest number of high-loss incidents seen in a quarter, underscoring why leaders want testing that keeps pace with change. (NCSC NZ)

This guide is a practical checklist for final down-selection and contracting. It assumes you will not talk about a specific solution until the final section. The aim is to help you pick a partner and a contract you can live with for the next 12 to 24 months, without adding drag to your delivery engine.

1) Why a new operating model?

You are selecting an operating model, not just a vendor. A PTaaS-style subscription turns sporadic testing into a running service that slots into your change cadence and governance rhythm. It should combine automation for breadth with accredited manual testing for depth, and it should integrate cleanly with your ticketing and chat tools so that remediation feels routine. This is the difference between evidence of continuous assurance and a file share of PDFs.

From a compliance perspective, a running service helps you demonstrate readiness to assess and notify if a privacy breach occurs, and it supports ISO 27001 Annex A 8.8 by continuously managing technical vulnerabilities rather than treating them as annual events. (ISMS.online)

2) Scope cadence that works in the real world

Agree the testing rhythm before you sign. A proven pattern looks like this:

  • Unlimited external vulnerability scans to catch hygiene issues early.
  • Scheduled manual penetration tests against key assets such as public web, APIs, and externally exposed infrastructure.
  • Change-driven tests for critical releases or major architecture changes.
  • Explicit retests within defined windows to verify fixes.

This cadence keeps findings fresh and shortens the exposure window between releases.

Map this cadence to your release calendar. For product teams shipping weekly, time-to-first-report and retest turnaround matter more than a mammoth end-of-quarter engagement. For platform changes, ensure the partner can fast-path a targeted test without re-scoping the entire contract. OWASP’s Web Security Testing Guide remains a solid reference for ensuring depth in web and API testing. (OWASP)

3) SLAs that actually move risk and velocity

Do not sign without measurable service levels. The following SLAs are practical and outcome-focused:

  • Time-to-first-report for automated findings, measured in hours or a small number of days depending on risk.
  • Exploit validation windows, defining how quickly a potential critical is manually verified.
  • Remediation support response time for critical findings, including triage sessions with engineering.
  • Retest timelines after a fix is deployed, with a clear pass or fail signal and documented residual risk.
  • Reporting cadence that supports audit evidence without waiting for a quarterly bundle.

These SLAs shift focus from page count to time saved and risk retired. They also align to how DevSecOps teams work, where the bottleneck is often feedback speed and clarity, not the number of findings.

To keep privacy obligations in view, add a clause that the provider will flag suspected privacy-impacting issues immediately and cooperate in breach assessment. New Zealand guidance allows delaying public notice to avoid compounding risk while you patch, but only where risks outweigh the benefits of immediate notification. Contract language should reflect this nuance. (privacy.org.nz)

4) Contract terms for privacy, data handling, and safe harbour

Bring Legal and Privacy in early. Minimum viable contract language should cover:

  • Data handling and residency, including how evidence, payloads, and credentials are stored, encrypted, and deleted.
  • Attack window approvals and safeguards for production testing.
  • Safe harbour language that protects both sides when authorised testing triggers alarms or minor disruptions.
  • Cooperation duties for breach assessment, including timely access to test artefacts.
  • Subprocessor disclosures for any third-party testers or platforms.
  • Retention windows for evidence and reports, aligned to your policies and regulator expectations.

This language avoids the two extremes of either stalling operations or creating unhelpful loopholes. It also ensures you can meet your obligations to the Privacy Commissioner should a notifiable breach be suspected. (privacy.org.nz)

If you are maintaining ISO 27001 certification, reference Annex A 8.8 in the scope and attach a short control-mapping appendix so auditors can trace the service into your ISMS. (ISMS.online)

5) A pragmatic 90-day onboarding plan

A strong partner will propose an onboarding plan that minimises disruption and delivers early wins. Ask for the following by default:

  • Day 0 to 14 – define in-scope systems and environments, connect ticketing and chat, agree change windows, and kick off first scans plus an initial manual test against a high-value asset.
  • Day 15 to 45 – prioritise fixes with product owners, fast-path retests for criticals, and tune notifications to avoid alert fatigue.
  • Day 46 to 90 – run a trend review on findings, unblock remediation bottlenecks, and run a short tabletop that includes privacy roles so the team can practice assessment and notification.
  • KPIs to track – time-to-first-report, critical fix lead time, retest pass rate, reduction in open criticals, and audit evidence readiness.

This rhythm operationalises continuous testing and shows value to executives without a long runway.

Local context can strengthen your case. When high-loss incidents spike, boards ask if exposure windows are shrinking. Your KPIs are the answer. NCSC quarterly reporting demonstrates why these windows matter. (NCSC NZ)

6) Total cost of ownership and procurement checks

A subscription model typically replaces episodic spikes with a predictable annual operating spend. To compare fairly:

  • Include internal management time saved by avoiding re-scope cycles and new vendor onboarding every test.
  • Account for faster remediation that reduces incident hours and reputational risk.
  • Factor in the value of retests included in the fee versus change requests.
  • Confirm that the pricing scales with your asset classes and release cadence, not only with seat or asset counts.

These checks prevent the common situation where a low day-rate bid is more expensive once you include rework, retests, and lost time to triage.

7) Down-selection checklist

Use this one-page list in your final workshops. A strong partner should get a clear pass on each item.

  • Demonstrates accredited manual testing, clear exploit narratives, and the ability to chain findings for real business impact.
  • Proposes a scope cadence that mirrors your release rhythm, with explicit retest windows.
  • Commits to SLAs that measure speed to validated insight and verified fix, not page count.
  • Integrates with JIRA, Teams, Slack, and your CI/CD workflow via APIs.
  • Provides contract language for data handling, safe harbour, and breach-assessment support aligned to NZ obligations.
  • Offers an onboarding plan with Day 0 to 90 milestones and crisp KPIs.
  • Maps the service to ISO 27001 Annex A 8.8 to support your ISMS.
  • Can evidence measurable risk reduction and developer adoption from reference clients.

Next Steps

  • Gather 12 months of incident and vulnerability metrics and baseline your remediation times.
  • Model one realistic breach scenario and its direct and indirect costs to your business.
  • Identify the audit and privacy evidence stakeholders want to see and where you currently fall short. Map readiness to the NZ Privacy Act notification expectations and ISO 27001 Annex A 8.8. (Privacy Commissioner)
  • Draft KPIs and a target cadence that operations, engineering, and risk leaders agree is practical, including change-driven tests for high-risk releases.

References and helpful resources

  • NZ Privacy Act 2020 obligations for notifiable privacy breaches and the regulator’s 72-hour expectation. (privacy.org.nz)
  • Guidance on delaying public notice where immediate notification increases risk while you patch. (privacy.org.nz)
  • ISO 27001:2022 Annex A 8.8 on managing technical vulnerabilities with continuous practice. (ISMS.online)
  • NCSC quarterly Cyber Security Insights highlighting incident and large-loss patterns in NZ. (NCSC NZ)
  • OWASP Web Security Testing Guide for depth and coverage in web and API testing. (OWASP)

How do I get started with Pen Testing as a Service?

Contact us today to discuss how Securecom Pen Testing as a Service delivers real business outcomes: www.securecom.co.nz/contact-securecom

For a public overview of Securecom’s penetration testing services, visit the service page. (Securecom)


About the Author:

Larissa Kolver PMP®, AgilePM® – Head of Cyber Security, Securecom

Larissa is a seasoned cyber resilience leader who blends disciplined project governance with hands-on security engineering, drawing on a career of more than 10 years across the financial, health and safety, and technology sectors. At Securecom she heads the Security Operations function, translating continuous attack-surface insights into actionable remediation plans that executives can measure. Larissa is passionate about turning board-level risk appetite into practical cadence – replacing once-a-year checkbox tests with data-driven assurance tied to every release. Her mission is simple: help Kiwi businesses stay one step ahead of attackers while keeping compliance costs in check.

Email: larissa.kolver@securecom.co.nz

Concerned about security vulnerabilities in your application environments?

Talk to us about a PTaaS cadence that lowers your business risk.