Between April 2025 and April 2026 the public record filled up with data breaches. We picked eight of the most-publicized incidents, read the primary sources for each — vendor advisories, CISA directives, Mandiant reports, BleepingComputer and TechCrunch reporting, regulatory disclosures — and applied a single test to each one: would a competent external penetration test, given the same scope the attacker had, have surfaced the root cause before the attacker did?
For six of the eight, the answer is unambiguously yes. For the other two — the 2025 Cisco ASA campaign and the earliest wave of the Oracle E-Business Suite exploitation — the honest answer is partial: those were true zero-days at the moment of first compromise, and no testing program prevents that. But continuous testing still closes the patching gap for the long tail of victims hit after public disclosure, which in both cases was substantial.
This post is not a defense of penetration testing as a category. It is a specific argument that the cadence of testing — not just the depth — is what determines whether testing actually prevents breaches. The eight incidents below are the evidence.
Methodology
We restricted the analysis to incidents that meet four criteria: (1) publicly disclosed between roughly April 2025 and April 2026; (2) the victim is named or the incident is attributable; (3) the technical root cause is documented in public sources, not just "we were breached"; and (4) the root cause sits inside a category an external pentester would actually probe — application logic, authentication, authorization, exposed cloud assets, internet-facing edge devices, secrets in source, configuration of the public attack surface.
We deliberately excluded several large 2025 incidents whose root cause was outside what pentesting can address. The 2025 Salesforce attack waves are the cleanest example: UNC6040 (ShinyHunters) used vishing into help-desk staff to trick employees into approving a malicious Data Loader OAuth app — victims included Allianz Life, Pandora, Adidas, Chanel, Dior, Cartier, Qantas, and Air France-KLM — and the separate UNC6395 campaign abused OAuth tokens stolen from a Salesloft GitHub compromise to query Salesforce instances at Cloudflare, Cisco, Google, PagerDuty, Palo Alto Networks, and Proofpoint via the Salesloft Drift integration. In both cases the underlying OAuth flow was working as designed and the pentester has nothing technical to find. Pure social engineering, malicious insider cases (the May 2025 Coinbase / TaskUs incident, in which bribed overseas support agents exfiltrated data on roughly 70,000 customers, is the headline 2025 example), and physical theft were also out of scope. So were several breaches whose only public detail is "intrusion confirmed" with no technical root cause to evaluate.
What remains is eight incidents with documented technical specifics, drawn from a deliberately diverse set of sectors: AI hiring SaaS, two consumer mobile apps, an EdTech publisher, two U.S. federal agencies, an enterprise ERP wave, and a global VPN-edge-device campaign. For each, we cite at least two reputable primary sources and call out where any specific claim is unverified.
The Scoreboard
The full breakdown is below. Each incident is examined in detail in its own section.
| Incident | Sector | Root cause | Verdict |
|---|---|---|---|
| McHire / Paradox.ai | HR SaaS | Default admin password + IDOR on public API | Preventable |
| Tea Dating Advice | Consumer mobile | Unauthenticated Firebase storage bucket | Preventable |
| Pearson | EdTech | Public .git/config with GitLab PAT | Preventable |
| FEMA Region 6 / CBP | U.S. Federal | Unpatched NetScaler — CitrixBleed 2 | Preventable |
| NNSA / SharePoint ToolShell | U.S. Federal | Unpatched on-prem SharePoint — CVE-2025-53770 | Preventable (long tail) |
| TeaOnHer | Consumer mobile | Plaintext admin creds + unauth user-uploaded IDs | Preventable |
| Harvard / Envoy Air (Cl0p) | Higher ed / aviation | Oracle EBS zero-day — CVE-2025-61882 | Partial |
| 2025 Cisco ASA campaign | Networking edge | VPN web-server zero-day — CVE-2025-20333 / -20362 | Partial |
McHire / Paradox.ai — 64 Million Job Applicants Exposed via Password 123456
| Victim | Paradox.ai's McHire platform, used by McDonald's franchisees for AI-driven applicant screening |
| Disclosed | June 30, 2025; remediated within ~24 hours |
| Scale | Up to ~64 million job applicant records exposed: names, emails, phone numbers, full applicant chat transcripts, shift preferences, personality test results, session tokens |
| Vector | Default credentials on admin login + IDOR on public API |
Researchers Ian Carroll and Sam Curry signed up as a McDonald's franchisee on the McHire platform out of curiosity, ran into the standard admin login at https://www.mchire.com/signin, and tried 123456 / 123456. They were in. The credentials belonged to a Paradox.ai test or franchisee account, no MFA was enforced, and the admin surface they reached was rich enough to look around.
Inside the admin panel, an internal API endpoint returned applicant records keyed by a numeric lead_id. The researchers decremented the ID. The next applicant's full chat transcript came back. They incremented it. The transcript before came back. The endpoint had no authorization check tying the requesting account to the records it could read. With ~64 million applicant IDs in the database, the entire applicant population was enumerable from one logged-in admin session.
This is not a sophisticated attack. The default-credential check is in the first hour of any external pentest playbook. IDOR on numeric-ID API parameters is the OWASP API Security Top 10 #1 risk (API1:2023 Broken Object Level Authorization) and is what every authenticated pentester probes for first when handed two test accounts. A single quarterly pentest of the McHire admin surface would have surfaced both. There is no reasonable interpretation under which annual or biannual testing was the correct cadence for a platform holding 64 million applicants' PII.
What CPT would have caught: Default credentials on admin login (caught by login-page testing on day one of any external pentest). IDOR on the lead_id parameter (caught by authenticated API testing within the first authenticated session). Both findings would appear in the executive summary of a junior pentester's report.
Sources: CSO Online — "McDonald's AI hiring tool's password 123456 exposes data of 64M applicants"; HackRead — technical details on the IDOR and chat transcript exposure; Claremont Graduate University Internet Crime & Data Center — postmortem timeline and remediation.
Tea — Open Firebase Bucket Spills 72,000 Verification Selfies and IDs
| Victim | Tea Dating Advice Inc. — women-only dating safety / background-check app |
| Disclosed | July 25, 2025 (initially via a 4chan post) |
| Scale | ~72,000 user images: ~13,000 verification selfies + government-issued IDs (driver's licenses, passports), ~59,000 images from posts, comments, DMs. Affected users who signed up before February 2024. A separate exposed database leaked an additional ~1.1 million private DMs. |
| Vector | Google Firebase Storage bucket configured with no authentication and directory listing enabled |
Tea positioned itself as a safety-focused women-only platform: users uploaded a verification selfie and a government-issued ID to prove identity, and that material was supposed to live behind authentication. It did not. The Firebase Storage bucket holding those uploads was reachable without credentials, and directory listing was enabled, so anyone with the bucket URL could enumerate every file in it.
The discovery played out publicly. A 4chan user posted that the bucket was open and dropped a sample. Within hours, dumps of verification selfies and government IDs were on torrent trackers. The company confirmed the breach later that day. A separate, even more sensitive database containing roughly 1.1 million private DMs surfaced as exposed in the days that followed.
The architectural pattern that produced this outcome — sensitive user uploads in a default-permissive cloud bucket that the application was supposed to gatekeep — is one of the most well-understood failure modes in mobile-app security. External attack-surface scanning routinely fingerprints Firebase, GCS, and S3 buckets referenced from a mobile binary or its API responses, and tests them for unauthenticated read and list access. Reverse-engineering an iOS or Android binary to extract Firebase configuration takes minutes and is a standard component of any mobile-app pentest scope.
What CPT would have caught: Unauthenticated Firebase Storage bucket with directory listing (caught by ASM-style bucket fingerprinting plus an unauthenticated-read test). The finding would have appeared as Critical severity in any mobile-app or cloud-pentest report. The gap between "we exist" and "we have an exposed PII bucket" was the entire history of the company until July 25.
Sources: 404 Media — primary reporting on the Firebase bucket and 4chan disclosure; HackRead — confirms 72K image breakdown and pre-Feb-2024 user scope; EFF — year-end retrospective contextualizing the breach.
Pearson — A Public .git/config File Cost an Education Giant Terabytes
| Victim | Pearson plc — global education / publishing |
| Disclosed | May 8, 2025 (initial intrusion January 2025; lateral movement through May) |
| Scale | "Terabytes" of customer information, financial records, support tickets, and source code from AWS, Google Cloud, Snowflake, and Salesforce. Pearson described the data as "largely legacy"; specific record count not disclosed. |
| Vector | Publicly exposed .git/config file leaked a GitLab personal access token; that token unlocked internal repos containing additional hard-coded cloud credentials |
The initial foothold was a forgotten developer-environment endpoint with a publicly reachable .git/ directory. Inside that directory was a config file that contained a GitLab Personal Access Token, embedded for some long-ago automation reason and never rotated. Attackers fetched the token, authenticated to GitLab, and pulled internal repositories — many of which contained additional hard-coded credentials for AWS, Google Cloud, Snowflake, and Salesforce. From January through May, those secondary credentials were used to enumerate and exfiltrate production data across multiple cloud environments.
Of every breach in this analysis, this is the one where the time-to-find for an external pentester is measured in seconds. Nuclei templates for exposed .git directories have existed for years. truffleHog and gitleaks identify embedded secrets in any retrieved Git history within a single scan. Continuous attack-surface management tools fingerprint exposed .git directories on every newly-discovered subdomain and path. Once the PAT is in hand, secondary scanning of accessible repositories for hard-coded cloud credentials is also standard pentest practice — and would have caught the same secrets the attackers did.
Pearson's intrusion ran for approximately four months before public disclosure. A continuous external-pentesting program with weekly subdomain enumeration and exposed-file scanning would have flagged the .git directory long before January 2025 — and even if missed initially, would have caught it on the next sweep, almost certainly before the attackers found and weaponized it.
What CPT would have caught: Exposed .git/ directory on a developer-environment subdomain (caught by automated nuclei-style scanning on every sweep). Hard-coded credentials in any retrievable repository content (caught by truffleHog / gitleaks). This is the single most basic external-pentest finding in this entire analysis.
Sources: BleepingComputer — primary reporting confirming .git/config PAT exposure and downstream credential abuse; Hoplon Infosec — GitLab PAT specifics.
FEMA Region 6 and CBP — CitrixBleed 2 on an Unpatched NetScaler
| Victim | FEMA Region 6 (Arkansas, Louisiana, New Mexico, Oklahoma, Texas, ~70 tribal nations) and U.S. Customs and Border Protection |
| Timeline | Initial access June 22, 2025; discovered July 7; exfiltration attempts July 14; DHS announced termination of 24 FEMA IT staff on August 29; data-exfiltration confirmation September 10, 2025 |
| Scale | Employment records, internal email archives, and limited PII for federal staff in Region 6. Specific record count not publicly disclosed. DHS terminated 24 FEMA IT staff including the CIO and CISO over the incident (announced August 29, 2025). |
| Vector | CVE-2025-5777 ("CitrixBleed 2") — unauthenticated out-of-bounds memory read in Citrix NetScaler ADC/Gateway, used to leak session tokens that bypassed MFA on the agency's Citrix VDI |
Of every incident in this analysis, FEMA / CBP is the cleanest fit for the continuous-pentesting case. The vulnerability was not a zero-day. Citrix disclosed CVE-2025-5777 on June 17, 2025. Public proof-of-concept exploits were released within weeks. CISA added the bug to its Known Exploited Vulnerabilities Catalog on July 10, 2025.
FEMA's NetScaler was breached on June 22 — five days after Citrix's advisory and well before KEV listing — but the exfiltration attempts and continued exploitation ran into mid-July, by which point the patch had been available for nearly a month and CISA had mandated remediation across federal agencies. The device was internet-reachable, externally enumerable, and unpatched against an actively-exploited CVE on KEV.
Continuous external pentesting and ASM continuously fingerprint internet-facing NetScaler / Citrix devices and match them against the latest KEV-listed CVEs. The lag between "CISA adds CVE to KEV" and "your CPT provider re-tests every internet-facing instance you own and reports the unpatched ones" is, for a competent provider, hours — not the weeks or months a quarterly pentest cadence imposes. This is precisely the gap continuous testing exists to close.
What CPT would have caught: Internet-exposed Citrix NetScaler with an unpatched, KEV-listed CVE (caught by continuous external scanning matched against the KEV feed). The Critical-severity finding would have been delivered within hours of the KEV listing on July 10 — potentially in time to prevent the exfiltration that ran through mid-July, and certainly in time to prevent the months of internal lateral movement that followed.
Sources: Nextgov — primary reporting on FEMA / CBP, attribution to CitrixBleed 2, employee terminations; BleepingComputer — CVE-2025-5777 disclosure timeline and public PoC release; Arctic Wolf — vendor-grade technical analysis.
NNSA / SharePoint ToolShell — The Long Tail of an Unpatched RCE
| Victim | U.S. National Nuclear Security Administration (Department of Energy), and the wider ToolShell campaign which hit 400+ on-prem SharePoint servers across 148+ organizations including the U.S. Department of Education, Florida Department of Revenue, and Rhode Island General Assembly |
| Disclosed | NNSA compromise reported July 22, 2025 (exploitation began July 18) |
| Scale | NNSA: "a very small number of systems" per DoE; no classified information accessed. Wider campaign: 400+ on-prem SharePoint servers across 148+ organizations. |
| Vector | CVE-2025-53770 ("ToolShell") — unauthenticated remote-code-execution chain in on-prem SharePoint Server, with attackers stealing MachineKey material to forge ViewState tokens for persistent access |
The earliest exploitation of CVE-2025-53770 was a true zero-day on July 18, 2025. We will not pretend continuous pentesting prevents zero-days. But the post-disclosure long tail is where this incident gets interesting from a CPT perspective.
Microsoft published guidance on July 22, 2025. CISA flagged active exploitation on July 20. By that point, Linen Typhoon, Violet Typhoon, and Storm-2603 (Microsoft's attribution) were mass-scanning the internet for unpatched on-prem SharePoint instances. The 400+ compromised servers across 148+ organizations were predominantly hit in the days after Microsoft and CISA published — not in the zero-day window.
For any organization running on-prem SharePoint, a competent CPT provider would have reported "internet-exposed on-prem SharePoint Server — immediate priority" within hours of the Microsoft advisory. For most of the 148+ victim organizations, that would have been days to weeks ahead of when their internal patching cadence got around to it. The pattern is identical to FEMA/Citrix Bleed 2: not zero-day exploitation, but post-disclosure exposure that lingered because no one was continuously checking.
What CPT would have caught: Internet-exposed on-prem SharePoint Server flagged as Critical-severity within hours of CVE-2025-53770 publication. For the long tail of victims hit after July 22, this is exactly the gap continuous testing closes. (For the very first wave of zero-day victims, no testing program would have helped — and we are not claiming otherwise.)
Sources: BleepingComputer — NNSA confirmation, July 18 exploitation date, ToolShell attribution; Microsoft Security Response Center — technical writeup and attribution; CISA advisory and KEV listing.
TeaOnHer — "Spilled in Less Than 10 Minutes"
| Victim | TeaOnHer — consumer mobile app marketed as a male-targeted copycat of the Tea app |
| Disclosed | August 6, 2025; deeper methodology writeup August 13, 2025 |
| Scale | ~53,000 users at time of reporting. Exposed: usernames, email addresses, driver's-license images, verification selfies, user-reported locations, post content tied to identifiers. The developer's own admin email and plaintext password were also discoverable on the public server. |
| Vector | Plaintext admin credentials on the public server + user-uploaded driver's licenses and selfies served from publicly reachable URLs with no authentication or signed access |
TechCrunch's reporters documented their full methodology: less than ten minutes of casual web-app inspection. They found the app's user-uploaded driver's licenses and selfies served from publicly accessible URLs — no auth, no signed URLs, just predictable paths. They also found the app creator's admin email and plaintext password sitting on the public server, which would have granted potential admin-panel access on top of the already-unauthenticated PII.
Both findings are first-day pentest playbook items. Discovery of admin panels, testing for unauthenticated access to user-uploaded media, and grepping responses for credential-shaped strings are standard practice. The app was effectively unauthenticated end-to-end for sensitive PII — government-issued ID images, in this case — and had been since launch.
This is the canonical demonstration that the value of pentesting is not just the depth of the engagement but whether the engagement happens at all. TeaOnHer never had a pentest. A junior engagement, even an automated scan with manual triage, would have caught both findings before any user uploaded a driver's license to it.
What CPT would have caught: Unauthenticated public URLs serving user-uploaded driver's licenses (caught by anonymous endpoint enumeration on day one). Plaintext admin credentials in publicly reachable server responses (caught by response-grepping for credential patterns). TechCrunch found both in 10 minutes; a paid pentester would have found them faster.
Sources: TechCrunch — primary disclosure; TechCrunch — "10 minutes" methodology writeup; Malwarebytes — independent corroboration.
Harvard, Envoy Air & The Oracle EBS / Cl0p Wave (Partial)
| Victims | Harvard University and Envoy Air (a subsidiary of American Airlines), among approximately 100 organizations affected. Other publicly-named victims include Wits University, The Washington Post, Allianz UK, Dartmouth College, and the University of Pennsylvania. |
| Disclosed | Initial exploitation as early as July 10, 2025; mass exploitation August–September 2025; Oracle emergency patch October 4, 2025; Cl0p named victims publicly mid-October through November |
| Scale | Cl0p claimed 1.3 TB exfiltrated from Harvard; ~26 GB of archives released for Envoy Air. Total impact across roughly 100 organizations. |
| Vector | CVE-2025-61882 — unauthenticated remote code execution (CVSS 9.8) in the BI Publisher Integration component of Oracle E-Business Suite's Concurrent Processing product, exploitable via crafted HTTP request. Per Mandiant's writeup, two distinct exploit chains were observed: the UiServlet chain in July 2025 activity and the larger SyncServlet chain in the August 2025 mass-exploitation campaign. |
The activity is attributed by Mandiant to a suspected FIN11 cluster operating under the Cl0p extortion brand — with explicit caveats from Mandiant that the Cl0p name has been used by multiple threat actor groups and that full attribution remains uncertain. Per Mandiant's technical writeup, the operators used CVE-2025-61882 as a true zero-day from at least July 2025 (UiServlet chain) into the larger August 2025 mass-exploitation campaign (SyncServlet chain), deploying GOLDVEIN.JAVA, SAGEGIFT, and SAGELEAF payloads. The first wave of victims were compromised before Oracle was aware of the vulnerability. No testing program would have prevented that.
This is one of two cases in our analysis where we score continuous pentesting as partial rather than fully preventive. But the partial score has nuance, and the nuance favors CPT meaningfully.
First: an externally-facing Oracle E-Business Suite instance is itself an architectural finding that any external pentest would highlight. EBS is an enterprise ERP; in most modern architectures it should be reached through a VPN or zero-trust gateway, not from the open internet. CPT does not require a CVE to exist to flag "your ERP is internet-reachable" as a recommendation.
Second: Oracle patched on October 4, 2025. Multiple victims were compromised after the patch was available. The exploit chain itself was leaked publicly on October 3 by the "Scattered Lapsus$ Hunters" group, providing a working PoC against any EBS instance still discoverable on the internet. For the long-tail victims, this is identical to the FEMA / NNSA pattern — post-disclosure exposure that would have been flagged by continuous re-testing within hours of the Oracle patch.
Honest assessment: CPT does not stop a true zero-day at the moment of first compromise. It does flag the architectural exposure ("EBS is on the public internet at all"), and it does close the post-disclosure patching gap for the long tail. Both contributions matter for an incident with 100 victim organizations spread across months.
Sources: Mandiant / Google Cloud — technical writeup, victimology, payload analysis; BleepingComputer — Oracle patch date, CVE details, exploit-chain leak; SecurityWeek — Envoy Air confirmation; Security Affairs — Harvard confirmation and 1.3 TB scale.
2025 Cisco ASA Campaign — CVE-2025-20333 / -20362 (Partial)
| Victim | At least one unnamed U.S. Federal Civilian Executive Branch (FCEB) agency had its Cisco Firepower device infected with the FIRESTARTER backdoor (per CISA). The same campaign affected an unknown number of additional government and enterprise organizations worldwide. |
| Disclosed | CVEs published and CISA Emergency Directive ED 25-03 issued September 25, 2025 (Cisco was called in to investigate as early as May 2025) |
| Scale | Not publicly quantified. CISA's ED 25-03 mandated immediate identification and mitigation of potentially compromised Cisco devices across federal agencies on a compressed timeline. |
| Vector | CVE-2025-20333 (CVSS 9.9, RCE in the VPN web server, requiring valid VPN credentials in isolation) chained with CVE-2025-20362 (missing authorization that exposes restricted endpoints to unauthenticated attackers). The chain achieves unauthenticated end-to-end RCE on internet-facing Cisco ASA / Firepower devices with VPN web services enabled. Attackers (UAT4356) modified ROM to persist through reboot and patching, deployed RayInitiator bootkit and LINE VIPER shellcode loader, and disabled on-device logging. |
This is the second of our two partial cases. The CVEs were true zero-days at first compromise, and several of the technical capabilities used by UAT4356 — ROM modification to survive reboot, shellcode loaders that disable on-device logging — are far beyond what any external pentest would attempt or detect. We are not going to claim CPT prevents a state-actor zero-day campaign with bootkit-grade persistence.
What CPT does contribute, even here, is twofold.
First, the architectural finding: many organizations should not have their Cisco ASA / FTD VPN management web interface internet-reachable at all. Restricting management surfaces to known administrative source IPs, or moving them behind a separate VPN concentrator, is precisely the kind of recommendation an external pentest produces — and it would have removed the entire attack surface for this campaign for any organization that acted on it.
Second, the post-disclosure patching gap. After CISA's Emergency Directive on September 25, every internet-exposed ASA / Firepower instance became a Critical-severity finding for any continuous pentesting program. The follow-on guidance through November 2025 and again in April 2026 makes clear that the long tail of unpatched and uninvestigated devices was substantial — exactly where CPT closes the gap.
Honest assessment: Same as Oracle EBS. CPT does not stop a true zero-day at the moment of first compromise, and it does not detect bootkit-grade persistence on a network device once installed. It does flag the architectural exposure (VPN management web interface internet-reachable) and it does close the post-disclosure patching gap. For UAT4356-class adversaries, that combination is not sufficient on its own — layered detection on the device and the network is also required.
Sources: CISA — Emergency Directive ED 25-03; SecurityWeek — Cisco's attribution and technical detail; SecurityWeek — FIRESTARTER backdoor on the unnamed federal agency.
Patterns That Cut Across the Eight Incidents
Five themes emerge from reading these breaches together. Each one corresponds to a specific testing capability that continuous pentesting provides at a cadence annual testing structurally cannot.
Pattern 01 Unpatched, internet-facing edge devices were the dominant vector for high-impact 2025 incidents
FEMA / CitrixBleed 2, NNSA / SharePoint ToolShell, Harvard / Envoy / Oracle EBS, and the 2025 Cisco ASA campaign all share the same shape: a critical CVE drops, the patch lags, and the gap between "CISA adds the CVE to KEV" and "this organization re-tests every internet-facing instance" is the entire window the attacker needed. Annual pentests are useless against this — by the time the next engagement begins, the breach has happened. Quarterly pentests are inadequate. Continuous pentesting matched against the KEV feed compresses that window from weeks to hours.
Pattern 02 Default and weak credentials on admin panels are still a top finding in 2025
McHire's 123456 admin login on a McDonald's-branded surface and TeaOnHer's plaintext admin credentials left on the server show that this 1990s-era finding is not solved. Both were trivially discoverable with off-the-shelf tooling on day one of any pentest. The cost of catching them is one engagement; the cost of not catching them was 64 million records in one case and an entire app-launch's worth of users in the other.
Pattern 03 Broken object-level authorization (IDOR / BOLA) appears in consumer-facing breaches with disproportionate scale
McHire's IDOR is the standout, and it is not an outlier. OWASP API1:2023 Broken Object Level Authorization is the #1 risk in the API Top 10 for a reason: numeric primary keys plus missing authorization checks equals an enumerable user base. Any authenticated portion of a pentest scope hits this within hours. The cost of finding it is one engagement; the cost of missing it scales with the size of the user base.
Pattern 04 Secrets exposed on public-facing developer infrastructure remain a reliable initial-access vector
Pearson's GitLab PAT in a public .git/config is the textbook case for this category, and it is not unique. GitGuardian's State of Secrets Sprawl 2025 report documented 23.8 million new secrets leaked across public GitHub commits in 2024 alone, with the trend continuing in 2025. Continuous external scanning for exposed .git, .env, .npmrc, and similar artifacts is now table-stakes. So is downstream secrets scanning of any retrievable repository content.
Pattern 05 Cloud storage misconfigurations keep appearing in the consumer-app space
Tea's open Firebase bucket and TeaOnHer's directly-fetchable user-uploaded ID images both belong to a class of failure that was already old in 2017 (Verizon, Accenture, Republican National Committee S3 leaks). The pattern is especially common for fast-moving consumer apps that ship before any security review — exactly the engagements where a quick, focused pentest would have prevented headline-making damage. Mobile-app pentesting that includes Firebase / GCS / S3 bucket fingerprinting from the binary catches this on day one.
The Honest Boundary: Where Continuous Pentesting Cannot Help
We excluded several of 2025's largest incidents from this analysis because their root cause sits outside what any pentesting program can address. The same line should be drawn here, explicitly, so the case for continuous pentesting does not get oversold.
Pure social engineering. The 2025 Salesforce attack waves illustrate the limit. UNC6040 (ShinyHunters) used vishing into help-desk staff to trick employees into approving a malicious Data Loader OAuth app, hitting Allianz Life, Pandora, Adidas, Chanel, Dior, Cartier, Qantas, and Air France-KLM, among others. The separate UNC6395 campaign abused OAuth tokens stolen from a Salesloft GitHub compromise to query Salesforce instances at Cloudflare, Cisco, Google, PagerDuty, Palo Alto Networks, and Proofpoint via the Salesloft Drift integration. Pentesters do not get to test help-desk humans, and the underlying OAuth flows were working as designed. CPT does nothing here. The control class for this is identity-aware OAuth governance, monitoring of new third-party app installs, and security-awareness training — all of which Lorikeet endorses but none of which is pentesting.
Malicious insiders. The May 2025 Coinbase / TaskUs incident, in which bribed overseas support agents exfiltrated data on roughly 70,000 customers, is the headline 2025 example. CPT does not prevent an authorized user from doing what they are authorized to do.
True zero-day exploitation against fully-patched targets. The first-day exploitation of CVE-2025-61882 (Oracle EBS) and CVE-2025-20333 (Cisco ASA) belong to this category. CPT closes the post-disclosure window — sometimes by an order of magnitude — but it does not prevent an attacker from exploiting a vulnerability nobody knows exists yet. Layered runtime detection, EDR / XDR, network segmentation, and zero-trust architecture are the controls that mitigate that residual risk.
Supply chain compromises of third-party SaaS the victim could not have tested. A pentest of your own application surface does not extend to the security posture of a SaaS vendor whose API you consume. Vendor due diligence, SOC 2 review, and contractual security obligations are the controls there.
Acknowledging this boundary is part of the case for continuous pentesting being credible. CPT is not a one-stop control. It is the most cost-effective single control for the categories we documented above — six of eight in this analysis — and it is a complement to, not a substitute for, the controls that handle the four categories on this page.
What "Continuous" Actually Means in Practice
The argument in this article is not "do more pentesting." It is "test on triggers, not on a calendar." The triggers that matter are:
- A new CVE lands on KEV for a product you operate. Within hours, your CPT provider re-tests every internet-facing instance of that product in your environment and reports unpatched ones.
- A new asset appears on your external attack surface. A subdomain, an API endpoint, a cloud bucket, a CI/CD instance. Your CPT provider's ASM continuously discovers it, fingerprints it, and runs the relevant checks against it within the same business day.
- Your application ships a meaningful change. A new authentication flow, a new privileged endpoint, a new admin panel. Your CPT provider re-tests the affected surface area against the same playbook the attacker would use.
- An adversary demonstrates a new technique against a peer organization. Your CPT provider applies that technique to your environment and reports findings.
None of those triggers are addressed by an annual or semi-annual pentest. None of them are addressed by purely automated scanning either — a scan that finds an exposed .git directory does not, by itself, evaluate which credentials are inside the retrievable repository content, what those credentials authorize, or which downstream systems they pivot into. That is human pentest work, delivered on a continuous cadence, against an attack surface that is continuously discovered and re-discovered.
That is what continuous penetration testing is. The eight breaches above are evidence of what its absence costs.
Ready to Replace Your Annual Pentest With Something That Actually Catches Breaches?
Lorikeet Security delivers continuous penetration testing through our PTaaS platform: human pentesters against your continuously-discovered external attack surface, KEV-matched re-testing within hours of CVE disclosure, and a modern portal with live findings, real-time chat, and integrated reporting. Book a scoping call — we will show you what your last 12 months would have looked like with continuous testing instead of annual.
