Rethinking The Role Of Penetration Testing

There are two different penetration testing camps: those that see it as an ongoing security intelligence function and those that see it as a compliance-driven necessity. 

There’s likely not a single cyber security professional unaware of the benefits of penetration testing, from helping organizations identify security gaps and demonstrating compliance to boosting their incident response readiness. 

With attackers using AI-driven tools to rapidly map widened attack surfaces and spot unpatched vulnerabilities, it’s perhaps no surprise penetration testing is gaining traction. And that’s traction not just among large businesses with large budgets but also among your average small or medium-sized business - which is again understandable given that 43% of cyberattacks now target small businesses.

In fact, the global penetration testing market size was valued at $2.20 billion in 2023 and is projected to grow from $2.45 billion in 2024 to $6.35 billion by 2032.

Annual Pen Tests vs Frequent Testing & PTaaS

However, despite its increasingly widespread adoption, I still see many companies treat penetration testing as a static, once-a-year assessment - simply relying on vendors and ticking check boxes - rather than viewing it as a dynamic, ongoing intelligence function.

Those in the ‘security check box’ camp tend to run automated tools that check for known security issues: scans that adopt an “outside-in” perspective. This is great for spotting open ports, weak passwords, or unpatched systems. But what such scans often don’t do is demonstrate the exploitability or combined impact of those issues, so the effort remains a passive exercise. 

They run pen tests, typically annually, but only to meet a specific compliance requirement - whether it be PCI-DSS, HIPAA, or ISO 27001 - or to confirm the findings of their vulnerability scans. While they offer a deeper ‘snapshot’ of security at that moment, they’re left with long intervals where new vulnerabilities slip by unnoticed.

Of course, compliance is critical for establishing baseline security controls. But attackers don’t care about check boxes; what they care about is exploiting the gap between regulatory requirements, which simply aren’t designed to keep pace with evolving cyber threats, and an organization’s real-world security posture. Not only can scanners miss complex exploit chains that combine multiple minor flaws, but given the rapid pace of software updates and the daily discovery of new exploits, an annual or semi-annual test may not cut it.

At the other end of the spectrum, we have those in the ‘intelligence tool’ camp: companies that champion proactive, frequent testing and Penetration Testing as a Service (PTaaS).

Businesses that think this way tend to be forward-thinking and proactive in their entire approach to cybersecurity, aware that the average cost of a data breach – which can run into millions, especially when you factor in legal fees, fines, and reputational damage – far outweighs the average cost of a pen test. 

So, instead of treating tests as periodic events, they conduct frequent, iterative assessments to continuously evaluate their security posture. It’s an approach that shifts the focus from ‘are we compliant?’ to ‘how do attackers see us, and how fast can we react?’ and might involve:

  • Mixing external (outside-in) and internal (inside-out) approaches to simulate real-world attacker behavior.
  • Tracking metrics such as mean time to detect and mean time to remediate, so they can see how quickly their team responds to simulated breaches and identify bottlenecks.
  • Feeding intelligence into security operations so that they can use testing insights to fine-tune defenses, adjust detection rules, and train security teams on emerging threats.
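To make the second bullet concrete, here is an added example (not from the original article or from Cowbell) of how a security team might turn the raw findings of an iterative test programme into mean time to detect, mean time to remediate, and a list of bottlenecks. Every finding record below is constructed, and the per-severity remediation SLA table is an assumption for the example; the point it adds is that an undetected finding must be reported as a detection gap rather than silently dropped from the averages, and that an open finding still counts against its SLA.

```python
"""Compute detection and remediation metrics from penetration-test findings.

Added example, not code from the original article. Each record describes one
simulated attack step: when it started, when the SOC first detected it (if ever)
and when the fix was verified in a retest (if yet). All data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Finding:
    finding_id: str
    severity: str                   # "critical", "high", "medium" or "low"
    started: datetime               # simulated attack activity began
    detected: Optional[datetime]    # first alert or triage; None if never seen
    remediated: Optional[datetime]  # fix verified in a retest; None if still open


# Constructed sample findings from a hypothetical quarterly test cycle.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("F-1", "critical", datetime(2024, 3, 4, 9, 0),
            datetime(2024, 3, 4, 11, 0), datetime(2024, 3, 6, 9, 0)),
    Finding("F-2", "high", datetime(2024, 3, 4, 10, 0),
            datetime(2024, 3, 5, 10, 0), datetime(2024, 3, 19, 10, 0)),
    Finding("F-3", "medium", datetime(2024, 3, 5, 9, 0),
            None, None),                                   # never detected
    Finding("F-4", "high", datetime(2024, 3, 5, 14, 0),
            datetime(2024, 3, 5, 15, 0), None),            # detected, still open
]

# Time at which the report is generated (constructed).
REPORT_TIME = datetime(2024, 4, 1, 15, 0)

# Hypothetical remediation SLA in hours, keyed by severity (an assumption).
REMEDIATION_SLA_HOURS: Dict[str, int] = {
    "critical": 72, "high": 168, "medium": 720, "low": 2160,
}


def hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def mean_time_to_detect(findings: List[Finding]) -> Optional[float]:
    """Average hours from attack start to first detection, over detected findings only."""
    samples = [hours(f.detected - f.started) for f in findings if f.detected is not None]
    return mean(samples) if samples else None


def mean_time_to_remediate(findings: List[Finding]) -> Optional[float]:
    """Average hours from detection to verified fix, over closed findings only."""
    samples = [hours(f.remediated - f.detected)
               for f in findings if f.detected is not None and f.remediated is not None]
    return mean(samples) if samples else None


def detection_gaps(findings: List[Finding]) -> List[str]:
    """Findings the defenders never saw: these are excluded from MTTD, so list them explicitly."""
    return [f.finding_id for f in findings if f.detected is None]


def sla_breaches(findings: List[Finding], now: datetime) -> Dict[str, float]:
    """Map finding_id -> hours over SLA, for detected findings fixed late or still open past SLA."""
    breaches: Dict[str, float] = {}
    for f in findings:
        if f.detected is None:
            continue  # reported by detection_gaps(); no remediation clock has started
        limit = REMEDIATION_SLA_HOURS[f.severity]
        end = f.remediated if f.remediated is not None else now
        elapsed = hours(end - f.detected)
        if elapsed > limit:
            breaches[f.finding_id] = round(elapsed - limit, 1)
    return breaches


if __name__ == "__main__":
    print("MTTD (h):", mean_time_to_detect(SAMPLE_FINDINGS))
    print("MTTR (h):", mean_time_to_remediate(SAMPLE_FINDINGS))
    print("Detection gaps:", detection_gaps(SAMPLE_FINDINGS))
    print("SLA breaches (h over):", sla_breaches(SAMPLE_FINDINGS, REPORT_TIME))
```

Run across a series of test cycles, the two averages show whether the team is getting faster, while the gap list and the breach list point at the specific detection rules and remediation owners that need attention.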

The above strategy is often carried out via a PTaaS, which typically includes:

Internal & external network testing: including multiple internal IPs, external IPs, and servers, targeting vulnerabilities from both insider threats and external actors.

Website assessments: including coverage for websites, scanning for weak configurations, SQL injection points, and cross-site scripting (XSS) flaws.

External web application testing: this takes a black-box approach, focusing on runtime exploitation; covers login systems, API inputs, functions, and roles; uses tools like Burp Suite, manual scripts, and custom exploits; and includes no code review, meaning it simulates an attacker’s view of the app.

Whether you’re in camp ‘intelligence tool’ or camp ‘security check box’, the real question here isn’t whether organizations should conduct pen tests but rather how they can use them to actively strengthen security. 

It’s my belief that only when testing is viewed and used as an ongoing intelligence-gathering process rather than a point-in-time exercise can businesses truly uncover how attackers think, how their defenses perform under real-world scenarios, and how quickly their teams can respond to threats.

Rajeev Gupta is Co-founder & Chief Product Officer at Cowbell
