
Reselling Continuous ASM as a Deliverable Between Pentests

April 16, 2026 • 10 min read

ASM · Pen-Test Recurring Revenue

Pen-test firms have a structural revenue problem. The work is project-based, the engagements are episodic, and the gap between a Q1 external assessment and the next one in Q3 is six months in which the client’s attack surface drifted, three new subdomains spun up in marketing’s account, an S3 bucket got reconfigured, and a TLS cert on a forgotten staging host expired into something exploitable. None of that shows up in the next report because none of it is being watched.

The firms that have figured out continuous ASM as a between-engagement deliverable are running it for two reasons. The honest one: they want recurring monthly revenue against the same client base they already have project relationships with. The defensible one: it makes their next pentest engagement materially better, because they walk in already knowing what changed.

This article covers how to package continuous ASM as a service line on top of HailBytes ASM. White-label scoping, three pricing models that work, the engagement mechanics that make it stick, and the operational mistakes that kill the margin.

Two ways to use HailBytes ASM in a pen-test firm

Before pricing, get clear on which of these your firm is actually doing — the economics and the sales conversation are different.

Internal scoping accelerator (firm-only)

You run HailBytes ASM internally as a pre-engagement reconnaissance and scoping tool. The output never leaves your firm. You use it to scope SOWs faster (an external assessment quote in 24 hours instead of a week), to prep your testers before kickoff, and to prevent the “we discovered three subdomains halfway through the engagement” problem that blows up your hour budget. This is a cost-side investment that pays back as faster sales cycles and tighter engagement margins.

Continuous monitoring deliverable (client-facing)

You spin up a HailBytes ASM instance per client, white-labeled as part of your firm’s service offering, and bill the client monthly for ongoing external monitoring between point-in-time engagements. This is a recurring revenue line. Margin lives in the spread between the per-instance platform cost and the monthly fee, plus the analyst time required to triage findings and produce a monthly written summary the client’s security team can act on.

Most firms doing this well end up running both motions: internal scoping for every prospect and active engagement, plus client-facing continuous monitoring for the subset of clients who want and can afford it. The rest of this article focuses on the second motion, where the revenue is.

Three pricing models that work

Model 1: Retainer add-on ($500–$1,500/month)

Sold as an add-on to clients who already have an annual or semi-annual pentest engagement with you. Positioned as “continuous external monitoring between assessments, with monthly delta reports and immediate alerting on net-new high-severity exposures.” The recurring fee is small enough that the client’s security lead can approve it without budget cycles, and it turns a one-engagement-per-year client into a 12-month recurring relationship.

This is the model that lands fastest in firms whose existing client base is mid-market companies with internal security teams of 1–3 people. They want the watching, they don’t want to staff for it, and they trust your firm because they already bought the pentest.

Model 2: Standalone monitoring service ($1,500–$5,000/month, per attack surface size)

Sold as its own service line, priced by the size of the client’s external attack surface (apex domains in scope, expected subdomain count, IP ranges). Includes the monitoring platform, monthly written report from a senior consultant, and a quarterly deeper-dive readout call. Clients at this tier may or may not also do annual pentests with you — the monitoring is a complete offering on its own.

This works when the firm has the operational discipline to deliver a real monthly report rather than a CSV dump. Margin compression risk is real if the analyst time isn’t tightly bounded.

Model 3: Compliance-driven monthly attestation ($2,000–$7,500/month)

Sold to clients in regulated industries (healthcare, financial services, defense supply chain) who need documented evidence of continuous external monitoring for SOC 2, ISO 27001, NIST CSF, PCI DSS, or HITRUST. The deliverable is a monthly attestation letter from your firm, signed by a named consultant, mapping the prior-month monitoring activity to specific control requirements. The client uses it as audit evidence; you charge a premium for the consulting overhead.

This is the most defensible pricing tier because the client cannot easily DIY it — they need an outside firm’s name on the attestation. It’s also the longest-tenure model: clients in this tier renew on multi-year cycles tied to their audit calendar.

Sample P&L: Model 1 retainer add-on at $750/month

Mid-market client, 8 apex domains in scope, ~120 subdomains, single dedicated HailBytes ASM instance.

Line Item                                                       Monthly ($)
Revenue: retainer add-on                                              +750
HailBytes ASM marketplace subscription                                −120
AWS infrastructure (instance, storage, scan egress)                    −65
Senior consultant triage + monthly summary (~2 hr at $200/hr)         −400
Monthly gross margin                                                  +165

$165/month gross margin is thin. Run that math on a 20-client portfolio and it’s $40K/year of recurring contribution — useful but not transformative. The reason firms still run this model: the retainer doesn’t exist on its own. It exists alongside the annual pentest engagement at $20K–$60K, which the recurring monitoring relationship makes both more likely to renew and faster to scope. The retainer is the customer-retention infrastructure, not the primary revenue.

Where this gets interesting is when you tighten analyst time below 2 hours/month. If your monthly summary is templated, the platform handles delta detection automatically, and your consultant only spends real time on the engagements where ASM surfaces an actual high-severity finding (typically 1–2 months a quarter), the average drops to ~45 minutes/month. That flips the P&L: $750 − $120 − $65 − $150 = $415/month, or ~$5,000/year per client. At 20 clients that’s $100K of recurring contribution against a fairly modest service-delivery footprint.

White-labeling: what to put your name on, what to leave alone

HailBytes ASM is built to be deployed inside your firm’s AWS or Azure account, which means you control the access surface entirely. The white-label question is what the client actually sees in your deliverables.

  • Monthly written report — fully your firm’s document, branded, signed by a named consultant. Pull data from the ASM exports and assemble in your existing report template. This is the deliverable the client’s CISO forwards to their board.
  • Real-time dashboard access — if you give the client direct access to the ASM dashboard (most firms don’t for Model 1), put it behind your firm’s SSO and a custom subdomain. The platform is a tool; the relationship is yours.
  • High-severity alerting — route critical-finding webhooks into your firm’s ticketing system, not the client’s. Your senior consultant validates and triages first, then escalates to the client with context. The client is paying for human judgment on top of automated detection.
  • Attestation letters (Model 3) — on your firm’s letterhead, mapped to the client’s control framework, signed by a named partner or director. The client’s auditor recognizes your firm; that’s the asset they’re paying for.

How continuous ASM makes your pentests better

The hidden margin lever in this whole motion is what continuous monitoring does to your existing pentest engagements with the same clients. Three concrete operational improvements:

  1. Scoping happens in 30 minutes. When the client asks for an external pentest quote and you already have 9 months of attack-surface data on their environment, you know the asset count, the subdomain churn rate, the tech stack signals, and the obvious exposed services. Scoping calls that used to take a week become a same-day SOW.
  2. Pre-engagement recon is already done. Your testers walk into the engagement with a current asset inventory and a starting list of weak signals to chase down. Instead of burning the first 30% of the engagement on reconnaissance, they spend it on exploitation and impact analysis. Either you bill the client more efficiently, or you absorb the savings as engagement margin.
  3. Findings have context. “We found this exposed Jenkins instance” lands differently when the report can say “exposed since March 14, three weeks before this engagement, with no internal owner identified during ASM monitoring.” That context is the difference between a finding the client patches and a finding the client takes to their board.

Operational mistakes that kill the margin

  • Letting the monthly report bloat. Set a hard cap: 3–5 pages, executive summary on page one, no raw scan dumps. Every page beyond five is consultant time you’re not getting paid for.
  • Sending the client every alert. The platform will surface dozens of low-severity changes per month. The client doesn’t want them; they want the two or three that matter, with your consultant’s opinion on whether to act. Triage discipline is the product.
  • Mixing up the trial path. The AWS and Azure marketplace listings give a 30-day free trial — use it to evaluate the platform on your firm’s own attack surface first, before you stand up your first client instance. The trial makes the internal scoping use case obvious before you commit to client-facing delivery.
  • Pricing per-asset instead of per-client. Asset counts drift; the client pushed three new subdomains live last week and you’re going to chase them for a contract amendment? Don’t. Price per client at a tier that accommodates reasonable growth.

The reNgine question

Pen-test firm CTOs evaluating HailBytes ASM almost always ask the same question: “What’s the difference between this and the open-source reNgine I could host myself?” The honest answer for the internal-scoping use case is “not much, if you have the engineering time to host it.” The honest answer for the client-facing recurring-revenue use case is different: when you bill a client $750–$5,000/month for continuous monitoring, the platform’s uptime, the audit logging, the marketplace billing path your client’s procurement will accept, and the ability to point at a vendor SLA become operational requirements. Self-hosting a free open-source tool against client SLAs is a worse business than running someone else’s managed deployment. Different math, different decision.

Scope Reseller Terms or Try It on Your Own Firm First

If you want to scope what continuous ASM as a client deliverable would look like for your firm — pricing tiers, white-label setup, expected margin against your existing client base — we’ll walk you through it. Or spin up a 30-day trial on the AWS or Azure marketplace and run it against your own attack surface first.