Pentest as a Service with NodeZero
Continuous, autonomous attack simulation delivered as a managed service — together with our technology partner Horizon3.ai and their platform NodeZero. Real attack chains mapped to MITRE ATT&CK, startable on demand, production-safe and GDPR-compliant. Complementary to the classic pentest — not a replacement.
[Dashboard mock-up: NodeZero Run #42, last 24h, hybrid scope]
What is Pentest as a Service?
PTaaS closes the gap between two annual pentests. Instead of a single snapshot, you get continuous, autonomous attack simulation against your production environment — driven and interpreted by SecTepe.
Continuous, not a snapshot
Regular runs surface drift, new exposures and regressions after releases immediately — instead of waiting for next year's pentest.
Autonomous attack chains
NodeZero combines vulnerabilities, misconfigurations and weak credentials into real attack paths — not just a list of single CVEs.
Production-safe & GDPR-compliant
Safe exploitation that avoids denial-of-service techniques, no permanent agent on endpoints, data handled in the EU and full logging of every action.
Horizon3.ai & NodeZero
SecTepe delivers PTaaS as a managed service on top of NodeZero — the autonomous pentesting platform from Horizon3.ai. You get platform strength combined with the analysis, triage and remediation expertise of a German security team.
Horizon3.ai
Pioneer of autonomous pentesting, founded in 2019 by former US special operations and NSA security experts. The platform is used globally by Fortune-500 enterprises, government agencies and managed security providers to continuously test their attack surfaces.
- Founded by security practitioners with an offensive background
- Specialised in autonomous attack simulation in real operations
- Broad customer base across critical infrastructure, government and enterprise
NodeZero
Autonomous pentesting platform with a MITRE ATT&CK-based attack model. NodeZero maps your environment, looks for exploitable combinations of vulnerabilities and configurations, and rates every finding against a complete attack chain — instead of a pure CVSS list.
- No permanent agent required on endpoints
- External, internal and hybrid pentest runs
- Cloud modules for AWS, Azure and M365 / Entra ID
- 1-click fix actions with prioritised remediation playbooks
Horizon3.ai and NodeZero are trademarks of Horizon3.AI, Inc. SecTepe is an independent partner and does not act on behalf of Horizon3.ai.
What NodeZero delivers
Eight core capabilities that clearly set PTaaS apart from classic vulnerability scanning.
Autonomous Pentest Operations
Plans and executes attack chains autonomously — even across large, heterogeneous environments.
Exploitable Vulnerability Discovery
Shows what is actually exploitable — instead of just a raw CVSS list.
Full Attack-Chain Visualisation
Graphical chain from the entry point to domain admin or crown-jewel asset.
Credential Theft & Lateral Movement
Simulates credential theft, Kerberos attacks and lateral movement realistically.
Cloud Pentesting
Modules for AWS, Azure and Microsoft 365 / Entra ID including identity paths.
Phishing impact tests
Assesses the consequences of successful phishing without running a real employee campaign.
Continuous / on-demand runs
Startable on schedule or per click — before each release or after an incident.
1-click fix actions
Prioritised remediation playbooks with step-by-step guidance for Dev and Ops.
Our managed PTaaS process
Five clearly bounded steps — so PTaaS acts as a continuous security service, not just a tool.
Onboarding & scoping
Define crown jewels, environments, run frequency and rules of engagement together.
NodeZero setup
Tenant setup, runner deployment, integrations with AD, cloud accounts and ticketing.
Continuous pentesting
Automated runs on schedule or event — external, internal, cloud, hybrid.
Triage by SecTepe
Our analysts assess every finding in context, remove noise and prioritise.
Remediation & retest
Remediation guidance, retest after the fix, trend reporting for audits.
Classic pentest vs. PTaaS (NodeZero)
Both approaches complement each other — neither replaces the other. The table below lists the strengths per approach.
| Criterion | Classic pentest | PTaaS with NodeZero |
|---|---|---|
| Methodology | manual, analyst-driven | autonomous, platform-driven |
| Frequency | point in time (annual / release) | continuous / on-demand |
| Business-logic flaws | ✓ strong | limited |
| Environment coverage | scope-limited | ✓ very broad |
| Time to react to changes | project cadence | minutes to hours |
| Regulatory fit | ISO 27001, NIS2, TISAX, DORA (formal evidence) | complementary evidence of continuous effectiveness |
| Typical value | deep audit, logic risks | drift detection, release gating |
Best practice: an annual manual pentest for depth and creativity plus ongoing PTaaS for breadth and timeliness.
Where PTaaS is particularly strong
Four scenarios where continuous, autonomous pentesting delivers the biggest leverage.
Mid-market under NIS2
Regular evidence of effectiveness between audits — without building your own red team.
Critical-infrastructure operators
Continuous attack-surface monitoring for regulated sectors (energy, healthcare, finance).
MSSP and SOC customers
Complements detection & response with proactive validation: does your SOC react to real attack paths?
DevOps & release-driven teams
Release gating inside CI/CD: no release without a green PTaaS run on the changed attack surface.
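The release gate described above can be written as a small policy check in the pipeline. The following is an added example, not code from SecTepe or Horizon3.ai: it assumes a hypothetical run export (the `RunReport` / `Finding` shapes below are invented for illustration and are not NodeZero's real export format or API) and decides whether a release may proceed. The policy follows the page's argument: only findings the run actually proved exploitable on the changed attack surface block the release, unexploited high-CVSS matches are reported as warnings, pre-existing findings outside the change are tracked separately, and a run that never covered a changed asset fails closed, because a "green" run that did not test the change is no evidence for it.

```python
"""Release gate on PTaaS run results (added example, hypothetical report schema)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Finding:
    """One finding from a run. Schema is an assumption for this example."""
    finding_id: str
    title: str
    cvss: float
    exploited: bool          # True only if the platform proved exploitation, not a version match
    assets: tuple[str, ...]  # hosts / identities the attack chain touched, in chain order


@dataclass(frozen=True)
class RunReport:
    run_id: str
    covered_assets: frozenset[str]   # what the run actually enumerated and tested
    findings: tuple[Finding, ...]


@dataclass
class GateResult:
    allowed: bool
    blocking: list[str] = field(default_factory=list)      # reasons the release is stopped
    warnings: list[str] = field(default_factory=list)      # reported, not blocking
    out_of_scope: list[str] = field(default_factory=list)  # pre-existing, tracked elsewhere


def release_gate(report: RunReport, changed_assets: set[str],
                 crown_jewels: set[str], warn_cvss: float = 7.0) -> GateResult:
    """Decide whether a release touching `changed_assets` may ship, based on one run."""
    result = GateResult(allowed=True)

    # Fail closed: a run that never touched the changed surface proves nothing about it.
    for asset in sorted(changed_assets - report.covered_assets):
        result.blocking.append(f"changed asset {asset} was not covered by run {report.run_id}")

    for f in report.findings:
        if not set(f.assets) & changed_assets:
            result.out_of_scope.append(f.finding_id)   # not caused by this release
            continue
        if f.exploited:
            # Proven exploitation on the changed surface always blocks; say how far the chain got.
            tag = "reaches crown jewel" if set(f.assets) & crown_jewels else "proven exploitable"
            result.blocking.append(f"{f.finding_id} {tag}: {f.title} ({' -> '.join(f.assets)})")
        elif f.cvss >= warn_cvss:
            # Raw CVSS without a working chain is a warning, not a gate failure.
            result.warnings.append(f"{f.finding_id} CVSS {f.cvss} not proven exploitable: {f.title}")

    result.allowed = not result.blocking
    return result


# Constructed sample run (not real NodeZero output).
SAMPLE_RUN = RunReport(
    run_id="run-0042",
    covered_assets=frozenset({"web-01", "app-02", "file-01", "dc-01"}),
    findings=(
        Finding("F-1", "Reused service-account password, Kerberoast to domain admin",
                8.8, True, ("app-02", "dc-01")),
        Finding("F-2", "Outdated TLS library (version match only)", 7.5, False, ("web-01",)),
        Finding("F-3", "SMB signing not required", 5.4, True, ("file-01",)),
    ),
)
CROWN_JEWELS = {"dc-01"}


if __name__ == "__main__":
    # Release changed web-01 and app-02: F-1 blocks, F-2 warns, F-3 is pre-existing.
    r = release_gate(SAMPLE_RUN, {"web-01", "app-02"}, CROWN_JEWELS)
    print("allowed:", r.allowed)
    for line in r.blocking:
        print("BLOCK ", line)
    for line in r.warnings:
        print("WARN  ", line)
    print("out of scope:", r.out_of_scope)
```

In a pipeline the gate step would load the exported run report for the commit range, pass the assets from the deployment manifest as `changed_assets`, and return a non-zero exit code when `allowed` is false; the crown-jewel list comes from the scoping step, not from the run.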
What you get out of every run
Every PTaaS run produces directly actionable results — for the C-level, for technical teams and for audit.
Executive summary
C-level-ready summary with attack paths, risk score and progress over time.
Exploit evidence with attack chain
Reproducible steps, screenshots and MITRE ATT&CK mapping for every finding.
Prioritised 1-click fix actions
Remediation playbooks sorted by impact — Dev and Ops know immediately what to do first.
Trend reporting over time
Continuous view: are attack surfaces shrinking, and how long do risks stay open?
Compliance mapping
Automatic mapping to ISO 27001:2022 A.8.8 (management of technical vulnerabilities; A.12.6.1 in the 2013 edition), NIS2 risk-management measures and DORA testing requirements.
SecTepe triage & remediation guidance
Our analysts interpret findings, remove noise and accompany remediation including retest.
[Dashboard mock-up: PTaaS Trend Q1/2026, 12 runs, hybrid scope]
Frequently asked questions about PTaaS
Answers to the most common questions about Pentest as a Service with NodeZero.
Does Pentest as a Service replace a classic penetration test?
Where does NodeZero run and how is data processed (GDPR)?
Is NodeZero safe for production?
How often should PTaaS run?
How is pricing structured?
Which environments does NodeZero cover?
Ready for continuous pentesting?
Start with a no-obligation NodeZero demo or a scoping call. We walk you through a live run against a demo environment — and show how PTaaS fits into your security operations.
How we work with you
We treat every engagement as a long-term partnership rather than a one-off delivery. Our approach is organised into four clear phases so that you always know what happens when, who owns which responsibility and which outcomes you can expect.
1. Free initial conversation
We learn about your starting position, your goals and the constraints you operate under. In 30 to 45 minutes we check whether our offering fits your situation, outline possible paths and answer your questions – no obligation attached.
2. Structured assessment
We capture the current state systematically – technically, organisationally and in regulatory terms. You receive a prioritised assessment that clearly names strengths, gaps and action areas and forms the basis for a robust offer.
3. Delivery with a dedicated lead
A senior lead guides you through the delivery with clear milestones, transparent effort and cost planning and a weekly status. All results are documented and remain fully owned by you.
4. Continuous operations & review
After project close, we stay alongside you in operations – via managed-service components, regular reviews, action tracking and proactive recommendations on new threats, regulatory changes or technology shifts.
Frequently asked questions about our services
The questions we are most often asked in first conversations – answered concisely. For anything else, our team is available at hello@sectepe.de or by phone at any time.
- How do we start working with SecTepe?
- All engagements start with a free initial conversation. You then receive an offer with a clear scope of effort, timeline and outcomes. On request we start with a small pilot to build trust and experience our delivery before moving into full implementation.
- What company sizes and sectors do you support?
- We work with small and mid-sized businesses as well as with corporate divisions and operators of critical infrastructure (KRITIS). Our core sectors are manufacturing, trades, healthcare, financial services, energy providers, public sector and the DACH mid-market.
- Do you work on site, remotely or hybrid?
- All three, depending on the service. Assessments, consulting and most managed services run remotely from our German data centres. For on-site work (workshops, training, incident response) we are primarily active in North Rhine-Westphalia, the Rhineland and the Ruhr area and extend our radius as needed.
- Which standards and regulations do you cover?
- We work to ISO 27001:2022, BSI IT-Grundschutz, TISAX, B3S KRITIS, NIS2, DORA and sector-specific requirements. Our methodology is grounded in recognised frameworks such as NIST CSF, MITRE ATT&CK, OWASP and OSSTMM, combined and tailored to each project.
- How do you protect the confidentiality of my data?
- Confidentiality is anchored contractually and technically. Before every engagement we sign a mutual non-disclosure agreement, data is processed exclusively in German data centres, access is governed by zero-trust policies with multi-factor authentication, and all employees are bound to confidentiality contractually and in line with the GDPR.