Rethinking The Role Of Penetration Testing

There are two different penetration testing camps: those that see it as an ongoing security intelligence function and those that see it as a compliance-driven necessity. 

There’s likely not a single cyber security professional unaware of the benefits of penetration testing, from helping organizations identify security gaps and demonstrating compliance to boosting their incident response readiness. 

With attackers using AI-driven tools to rapidly map widened attack surfaces and spot unpatched vulnerabilities, it’s perhaps no surprise penetration testing is gaining traction. And that’s traction not just among large businesses with large budgets but also among your average small or medium-sized business - which is again understandable given 43% of cyberattacks are now focusing on small businesses.

In fact, the global penetration testing market size was valued at $2.20 billion in 2023 and is projected to grow from $2.45 billion in 2024 and reach $6.35 billion by 2032.

Annual Pen Tests vs Frequent Testing & PTaaS

However, despite its increasingly widespread adoption, I still see many companies treat penetration testing as a static, once-a-year assessment - simply relying on vendors and ticking check boxes - rather than viewing it as a dynamic, ongoing intelligence function.

Those in the ‘security check box’ camp tend to run automated tools to check for known security issues; scans that adopt an “outside-in” perspective. This is great for spotting open ports, weak passwords, or unpatched systems. But what they often don’t do is demonstrate their exploitability or combined impact, so it remains a passive exercise. 

They run pen tests, typically annually, but only to meet a specific compliance requirement - whether it be PCI-DSS, HIPAA, or ISO 27001 - or to confirm the findings of their vulnerability scans. While they offer a deeper ‘snapshot’ of security at that moment, they’re left with long intervals where new vulnerabilities slip by unnoticed.

Of course, compliance is critical for establishing baseline security controls. But attackers don’t care about check boxes; what they care about is exploiting the gap between regulatory requirements, which simply aren’t designed to keep pace with evolving cyber threats, and real-world security postures. Not only can scanners miss complex exploit chains that combine multiple minor flaws, but when we look at the rapid pace of software updates and how new exploits are found daily, an annual or semi-annual test may not cut it.

On the other side, we have those in the ‘intelligence tool’ camp: companies that champion proactive, frequent testing and Penetration Testing as a Service (PTaaS).

Businesses that think this way tend to be forward-thinking and proactive in their entire approach to cybersecurity, aware that the average cost of a data breach – which can run into millions, especially when you factor in legal fees, fines, and reputational damage – far outweighs the average cost of a pen test. 

So, instead of treating tests as periodic events, they conduct frequent, iterative assessments to continuously evaluate their security posture. It’s an approach that shifts the focus from ‘are we compliant?’ to ‘how do attackers see us, and how fast can we react?’ and might involve:

  • Mixing external (outside-in) and internal (inside-out) approaches to simulate real-world attacker behavior.
  • Tracking metrics such as mean time to detect and mean time to remediate, so they can see how quickly their team responds to simulated breaches and identify bottlenecks.
  • Feeding intelligence into security operations so that they can use testing insights to fine-tune defenses, adjust detection rules, and train security teams on emerging threats.

The above strategy is often carried out via a PTaaS, which typically includes:

Internal & external network testing: including multiple internal IPs, external IPs, and servers, targeting vulnerabilities from both insider threats and external actors.

Website assessments: including coverage for websites, scanning for weak configurations, SQL injection points, and cross-site scripting (XSS) flaws.

External web application testing: this takes a black-box approach, focusing on runtime exploitation; supports login systems, API inputs, functions, and roles; utilizes tools like Burp Suite, manual scripts, and custom exploits; and includes no code review, meaning it simulates an attacker’s view of the app.

Whether you’re in camp ‘intelligence tool’ or camp ‘security check box’, the real question here isn’t whether organizations should conduct pen tests but rather how they can use them to actively strengthen security. 

It’s my belief that only when testing is viewed and used as an ongoing intelligence-gathering process rather than a point-in-time exercise can businesses truly uncover how attackers think, how their defenses perform under real-world scenarios, and how quickly their teams can respond to threats.

Rajeev Gupta is Co-founder & Chief Product Officer at Cowbell
