IT Brief Ireland - Technology news for CIOs & IT decision-makers
Ireland
Ethical hacker structured pentest multi monitors robot scanner
#
DevOps
#
Application Security
#
DevSecOps

Survey shows pentesters favour PTaaS over bug bounties

Fri, 6th Mar 2026
Author image
By Catherine Knowles, News Editor

Cobalt has published new survey findings that rank penetration testing as a service (PTaaS) well ahead of public bug bounty programmes for identifying complex security flaws. The results also show little confidence among professional testers in fully automated scanning.

Cobalt's 'Pentester Profile Report 2026' draws on an anonymous survey of 198 offensive security professionals in Cobalt Core, its vetted community of pentesters. Emerald Research Group conducted the survey.

Overall, 58% of respondents ranked PTaaS as the most effective model for uncovering complex vulnerabilities. Public bug bounties ranked far lower, at 15%.

Support for automated approaches was minimal. Only 1% of respondents viewed "AI-only scanning" as effective for uncovering high-impact, exploitable vulnerabilities.

Human judgement

The results underline respondents' view that human-led testing remains critical. More than half of those surveyed (54%) said they had discovered a Zero-Day or N-Day vulnerability with no existing public patch or advisory.

Cobalt framed the findings as evidence that structured engagements produce deeper outcomes than open competition models. It also presented the data as a snapshot of how offensive security work is evolving as organisations weigh the cost and impact of different testing approaches.

"To understand where the industry is going, we went straight to the experts who see the vulnerabilities before the hackers do," said Joe Brinkley, Cobalt's Director of Research and Community. "What we found is a professional consensus: the 'race-to-the-bottom' nature of bug bounties is failing both the testers and the organizations they protect."

Preference shift

Nearly all respondents said they preferred PTaaS over bug bounties, with the survey putting the figure at 98%.

Respondents cited work-life balance, a collaborative culture, and the ability to deliver higher-impact outcomes. The report also highlighted frustration with the competitive dynamics common in many bug bounty programmes.

More than half of respondents (51%) said their primary frustration with bug bounty programmes was the pressure to be the first to submit a finding. The report suggested that this "first-to-file" dynamic can prioritise speed over depth.

Cobalt also pointed to what it described as an operational burden on internal security teams running bounty programmes. Pentesters estimated that 30% of bug bounty submissions were invalid or low-value "noise", the survey found.

Structured engagements

The report linked structured testing to more significant discoveries. It found that 65% of the most significant, career-defining vulnerabilities reported by respondents were discovered during PTaaS engagements rather than bounty hunting.

That split matters for organisations seeking actionable findings, since structured testing typically includes defined scope, communication, and follow-up. By contrast, bug bounty programmes vary widely in how they operate and how they triage findings, which can affect outcomes for both security teams and researchers.

One respondent described differences in working practices between the models, emphasising collaboration and real-time interaction with clients during PTaaS work.

"PTaaS gives us the confidence that our time is valued, but the real advantage is the collaborative nature of PTaaS," said Jesus Espinoza, Cobalt Core pentester, IT security consultant, and bounty hunter.
"Unlike bug bounties, we can ask clients questions in real-time to understand their business logic or request specific user roles to test different features. It's a professional, collaborative environment where we work together to find real vulnerabilities, rather than competing for low-hanging fruit."

Market context

Many organisations use a mix of assessment methods, including internal security teams, third-party penetration testing, bug bounties, and automated scanning. The survey suggests practitioners see clear trade-offs across these approaches, particularly around depth, speed, and administrative overhead.

The report argued that traditional pentesting and bounty models can operate in silos, with gaps in shared context, workflow alignment, and integration with remediation systems. Those issues can make it harder for organisations to maintain continuity across testing cycles.

Cobalt promoted continuous pentesting as an alternative, describing a programme-based model in which findings and historical context carry over between engagements. It said the structure reduces repetition and pushes testers toward more complex application logic.

Cobalt positioned the survey as a signal that security leaders are likely to scrutinise return on investment more closely, with increased focus on the testing model and the systems used to manage engagement and remediation.

Related stories
Protegrity launches AI Team Edition for secure inferencing
OpenAI launches Trusted Access for Cyber with major names
Anthropic launches Claude Opus 4.7 with stronger coding
Testlio launches AI chatbot testing service amid scrutiny
Anthropic shifts enterprise billing to token-based pricing

Top stories

TestRail launches AI test script generation in beta
FIRST conference highlights AI & CVE disclosure push
OpenAI expands Codex with desktop & workflow tools
OpenAI launches GPT-Rosalind for life sciences research
Mirantis integrates NVIDIA Run:ai to speed AI deployment