The annual penetration test has been a fixture of security programs for over a decade. Once a year, a team of testers spends a week or two probing your applications and infrastructure, produces a report, and then disappears until next year. For a long time, this was sufficient. Applications were deployed quarterly, infrastructure was relatively static, and the threat landscape moved slowly enough that a yearly snapshot provided reasonable assurance.
That world no longer exists. Most organizations deploy code multiple times per week. Cloud infrastructure changes daily. Attack techniques evolve continuously. And the annual pentest, by design, can only assess what exists at the moment of testing. Every deployment between tests introduces potential vulnerabilities that will not be identified until the next annual engagement.
The question is not whether annual testing is worthless. It is not. The question is whether your organization's risk profile, change velocity, and compliance requirements demand something more.
The Limitations of Annual Penetration Testing
Annual penetration testing has fundamental structural limitations that no amount of tester skill can overcome:
- Point-in-time assessment: An annual test evaluates your security posture on the specific week the test occurs. Any vulnerabilities introduced by code deployments, infrastructure changes, or new integrations in the other 50 weeks of the year go undetected until the next test
- Knowledge reset: Each annual engagement starts with the tester relearning your environment, your business logic, your architecture. Time spent on reconnaissance is time not spent finding vulnerabilities. This is particularly costly for complex applications
- Compliance-driven timing: Many annual tests are scheduled to coincide with audit cycles rather than development milestones. The test happens in Q4 because the audit is in Q1, regardless of whether a major feature launch happened in Q2
- Remediation lag: After the annual test, findings go into a backlog. Some get fixed quickly, others languish until the next test deadline creates urgency. Unless a retest is separately scoped and paid for, nothing verifies that a fix actually closed the issue until next year's engagement
- Scope creep without coverage increase: As applications grow throughout the year, the annual test scope often stays the same due to budget constraints. New features, new APIs, and new integrations may never be tested
What Continuous Penetration Testing Actually Means
Continuous penetration testing is not a single methodology. It is a spectrum of approaches that provide ongoing security testing throughout the year rather than concentrating all testing into a single engagement. The models vary significantly:
Penetration Testing as a Service (PTaaS)
PTaaS platforms combine automated scanning with human-led testing on a subscription basis. You get access to a client portal where you can submit new applications and features for testing, track findings, manage remediation, and request retests. The testing team maintains knowledge of your environment year-round, eliminating the annual knowledge reset.
Recurring scheduled testing
This model schedules multiple penetration tests throughout the year, typically quarterly. Each test can focus on different applications, new features, or areas that have changed since the last engagement. This approach works well for organizations with predictable release cycles.
Event-triggered testing
Testing is triggered by specific events: major releases, new feature launches, significant infrastructure changes, or M&A activity. This approach aligns testing with actual changes rather than arbitrary calendar dates, so new attack surface is evaluated when it is introduced rather than whenever the next calendar slot arrives. Its weakness is that someone has to recognise that a change qualifies as an event, which is why it pairs well with continuous monitoring of the external footprint.
Continuous automated testing with periodic manual assessments
Automated vulnerability scanning and DAST tools run continuously or on every deployment, with full manual penetration tests conducted quarterly or semi-annually. The automated layer catches known vulnerability patterns, while the manual tests find the complex, context-dependent issues (business logic, authorization, chained weaknesses) that automation misses. For more on how the automated layer fits alongside external monitoring, see our attack surface management guide.
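The automated layer only earns its keep if its output actually changes what ships. The following is an added example written for this article, not Lorikeet's tooling and not the output format of any particular scanner: a release gate that reads scan findings, blocks on unaccepted high and critical issues, and honours risk acceptances only until they expire. The JSON schema, the finding identifiers, and the acceptance register are all constructed assumptions; the same gate logic applies to the per-build scanning that phase 2 of the program below introduces.

```python
"""Release gate for the automated scanning layer.

Added example for this article; it is not Lorikeet's tooling and does not
target any specific scanner. Assumptions: the scanner emits a JSON array of
findings with "id", "severity", "location" and "title" fields, and a
risk-acceptance register maps finding ids to an owner and an ISO expiry
date. Both inputs below are constructed sample data.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import date

# Severities that must be fixed or formally accepted before a release ships.
BLOCKING_SEVERITIES = {"critical", "high"}

# Constructed scanner output (hypothetical findings, not real results).
SCAN_JSON = """[
  {"id": "F-101", "severity": "critical", "location": "/api/v2/orders",
   "title": "SQL injection in order filter parameter"},
  {"id": "F-102", "severity": "high", "location": "/login",
   "title": "No rate limiting on authentication endpoint"},
  {"id": "F-103", "severity": "medium", "location": "/",
   "title": "Missing Content-Security-Policy header"},
  {"id": "F-104", "severity": "low", "location": "/static/",
   "title": "Server version disclosed in response header"}
]"""

# Constructed risk-acceptance register: finding id -> owner, expiry, reason.
# Acceptances expire so that a "temporary" waiver cannot silently become permanent.
ACCEPTANCES_JSON = """{
  "F-102": {"owner": "appsec-lead", "expires": "2024-09-30",
            "reason": "Edge rate limit in place; application fix scheduled"}
}"""


@dataclass
class GateResult:
    passed: bool = True
    blocking: list[str] = field(default_factory=list)             # ids that stop the release
    waived: list[str] = field(default_factory=list)               # ids covered by a live acceptance
    expired_acceptances: list[str] = field(default_factory=list)  # ids whose waiver has lapsed


def evaluate_gate(scan_json: str, acceptances_json: str, today_iso: str) -> GateResult:
    """Return the gate decision for one scan against the acceptance register."""
    findings = json.loads(scan_json)
    acceptances = json.loads(acceptances_json)
    today = date.fromisoformat(today_iso)
    result = GateResult()

    for finding in findings:
        if finding["severity"].lower() not in BLOCKING_SEVERITIES:
            continue  # medium/low findings are tracked in the backlog, not gated
        acceptance = acceptances.get(finding["id"])
        if acceptance is None:
            result.blocking.append(finding["id"])
            continue
        if date.fromisoformat(acceptance["expires"]) < today:
            # A lapsed acceptance is treated exactly like no acceptance.
            result.expired_acceptances.append(finding["id"])
            result.blocking.append(finding["id"])
            continue
        result.waived.append(finding["id"])

    result.passed = not result.blocking
    return result


if __name__ == "__main__":
    verdict = evaluate_gate(SCAN_JSON, ACCEPTANCES_JSON, "2024-06-01")
    print("RELEASE OK" if verdict.passed else "RELEASE BLOCKED", verdict)
```

Run on 1 June 2024 the constructed scan blocks the release on F-101 while F-102 rides on its acceptance; run again after 30 September, F-102 also blocks because the waiver has lapsed. That expiry check is the part most home-grown gates leave out, and it is what keeps the automated layer from quietly degrading into a list of permanently ignored findings between manual tests.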
Cost Comparison: Annual vs Continuous
The cost analysis of annual versus continuous testing shows that a continuous program, priced in the same range as the individual engagements it replaces, delivers significantly more coverage per dollar spent.
| Component | Annual Testing | Continuous Program |
|---|---|---|
| Web app pentest | $7,500 - $15,000 (1x/yr) | Included (2x/yr) |
| Network pentest | $8,000 - $12,000 (1x/yr) | Included (1x/yr) |
| API pentest | $7,500 - $12,000 (1x/yr) | Included (1x/yr) |
| Vulnerability scanning | $3,000 - $8,000/yr | Included (quarterly) |
| Attack surface monitoring | Not included | Included (continuous) |
| Retesting | $2,000 - $5,000 (1x/yr) | Included (unlimited) |
| Annual total | $28,000 - $52,000 | $37,500 (bundled) |
When you compare the cost of purchasing individual annual tests against a bundled continuous program, the economics are clear. Lorikeet's Offensive Security Bundle at $37,500 per year includes two web application pentests, one network pentest, one API pentest, quarterly vulnerability scanning, and continuous attack surface management. Purchasing the annual column's services individually would cost $28,000 to $52,000, and that column prices only one web application pentest; matching the bundle's two would add another $7,500 to $15,000. You would still lack the continuous monitoring and institutional knowledge that come with an ongoing relationship.
The hidden cost of annual testing: Beyond the direct engagement cost, annual testing creates hidden costs. The annual scramble to prepare environments and provision access consumes engineering time. The post-test rush to remediate findings before the audit deadline creates overtime. And the 11 months between tests represent unmanaged risk that could result in a breach far more expensive than any testing program.
Compliance Requirements for Testing Frequency
Compliance frameworks have varying requirements for penetration testing frequency, and the trend is clearly moving toward more frequent testing:
PCI DSS
PCI DSS requires internal and external penetration testing at least once every 12 months and after any significant infrastructure or application change (v4.0 Requirements 11.4.3 and 11.4.4). PCI DSS v4.0 also requires a defined and documented penetration testing methodology (11.4.1) and, for service providers, segmentation testing at least once every six months (11.4.6). For organizations with frequent deployments, the "significant change" trigger effectively requires more than annual testing.
SOC 2
SOC 2 does not mandate a specific testing frequency, but the Common Criteria require evidence of regular vulnerability identification and remediation. Most auditors expect at least annual penetration testing, and the trend is toward expecting more frequent testing as part of your continuous monitoring program. Organizations with quarterly or continuous testing programs can evidence those criteria far more easily than organizations with a single report that is months old by the time of the audit.
ISO 27001
ISO 27001:2022 requires management of technical vulnerabilities (Annex A control 8.8) but does not prescribe a specific testing frequency. Your risk assessment should determine the appropriate frequency based on your threat landscape, asset criticality, and rate of change, and should document that reasoning. Most certification auditors expect to see at least annual testing, with more frequent testing for high-risk environments.
HIPAA
HIPAA does not explicitly require penetration testing, but the Security Rule's risk analysis requirement (45 CFR 164.308(a)(1)(ii)(A)) and its evaluation standard (164.308(a)(8), periodic technical and non-technical evaluation of controls) together imply regular technical assessment. OCR enforcement actions frequently cite inadequate or incomplete risk analysis, and an absence of technical testing makes that finding hard to rebut. Annual testing is considered the minimum standard of care.
When to Upgrade from Annual to Continuous
Not every organization needs continuous penetration testing. Annual testing is sufficient when your application is stable, your deployment frequency is low, your compliance requirements specify annual testing only, and your risk profile has not changed significantly. Here are the signals that indicate you have outgrown annual testing:
- Weekly or daily deployments: If your engineering team ships code weekly or more often, annual testing leaves dozens of changes unexamined. Each deployment is a potential vulnerability introduction point
- Growing attack surface: New applications, new APIs, new microservices, new integrations. If your attack surface is expanding faster than your annual test scope, gaps are forming
- Compliance pressure: Multiple compliance frameworks, each requiring evidence of regular testing. An annual test satisfies the minimum requirement, but auditors increasingly want to see continuous security assurance
- Customer security requirements: Enterprise customers demanding evidence of ongoing security testing, not just an annual report. Continuous programs provide always-current evidence of your security posture
- Previous breach or near-miss: If your annual test missed something that was later exploited or discovered through other means, the coverage gap is no longer theoretical. It is a demonstrated deficiency
- Acquisitions or mergers: Integrating new systems and codebases introduces risk that needs immediate assessment, not testing in next year's cycle
The Client Portal Advantage
One of the most significant differences between annual engagements and continuous programs is how findings are managed. Annual tests produce a PDF report that gets emailed, discussed, and then slowly loses relevance as the codebase changes. Continuous programs use client portals that provide:
- Real-time finding management: Vulnerabilities are reported as they are discovered, not batched into a report weeks later. Your team can begin remediation immediately rather than waiting for the final report
- Remediation tracking: Each finding has a status, an owner, and a timeline. You can track remediation progress across your organization without maintaining separate spreadsheets
- One-click retesting: When your team fixes a vulnerability, request a retest directly through the portal. The testing team verifies the fix and updates the finding status. No scheduling calls or SOW amendments
- Historical trend data: Over time, the portal builds a picture of your security posture improvement. You can see which vulnerability categories are decreasing, which are persistent, and where your engineering investment is having the most impact
- Compliance evidence: Export audit-ready reports at any time showing your current testing status, open findings, remediation rates, and historical assessments. This evidence is always current, not stale by the time your auditor reviews it
Lorikeet's client portal provides all of these capabilities for customers on our Offensive Security Bundle and individual engagement clients alike. The difference is that bundle customers have continuous access to testing resources and can submit new scope for assessment as their applications evolve.
Building a Continuous Testing Program
Transitioning from annual to continuous testing does not happen overnight. Here is a practical approach that most organizations can implement over 6 to 12 months:
Phase 1: Baseline and inventory. Start with a comprehensive annual test to establish your baseline. Simultaneously, deploy continuous attack surface management to maintain visibility into your external footprint. This combination gives you both depth (the manual pentest) and breadth (continuous ASM monitoring).
Phase 2: Integrate automated scanning. Add automated vulnerability scanning on every build in your CI/CD pipeline, plus scheduled (monthly or quarterly) scans of the production environment. This catches known vulnerability patterns between manual tests and provides the continuous evidence that compliance frameworks increasingly expect.
Phase 3: Introduce periodic manual testing. Move from one annual test to two or more focused assessments per year. Align these with major releases, new feature launches, or compliance milestones. Each test builds on the previous one's knowledge rather than starting from scratch.
Phase 4: Full continuous program. Establish an ongoing testing relationship with your provider. New features and changes are submitted for testing as they are deployed. The testing team maintains current knowledge of your environment and can evaluate changes in context. Findings flow continuously rather than in annual batches.
Starting point: If your budget supports only one change this year, add attack surface management to your existing annual pentest. ASM at $299 per month provides continuous external visibility that fills the gap between annual tests. This combination of annual depth plus continuous breadth is the most impactful first step toward a continuous security testing program.
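Phases 1 and 4 above, and the event-triggered model described earlier, all rest on the same mechanism: noticing that the external footprint changed and turning that change into scope for the testing team. Below is an added example written for this article (not Lorikeet's ASM product or client portal, and not any vendor's export format) that diffs two inventory snapshots and produces a prioritised queue of scope requests. The snapshot layout, the hostnames, the port list and the path markers are all constructed assumptions.

```python
"""Change-triggered test scoping from attack surface inventory snapshots.

Added example for this article; it is not Lorikeet's ASM product or client
portal. Assumed snapshot format (an assumption, not a real tool's output):
host -> { "port/proto": [discovered HTTP paths] }. Both snapshots are
constructed sample data with hypothetical hostnames.
"""
from __future__ import annotations

from typing import Dict, List, Tuple

Inventory = Dict[str, Dict[str, List[str]]]

# Constructed baseline snapshot (what the last assessment covered).
PREVIOUS: Inventory = {
    "app.example.com": {"443/tcp": ["/", "/login", "/api/v1/orders"]},
    "vpn.example.com": {"443/tcp": [], "1194/udp": []},
    "legacy.example.com": {"80/tcp": ["/"]},
}

# Constructed current snapshot (what the monitor sees today).
CURRENT: Inventory = {
    "app.example.com": {"443/tcp": ["/", "/login", "/api/v1/orders",
                                    "/api/v2/orders", "/admin", "/docs/changelog"]},
    "vpn.example.com": {"443/tcp": [], "1194/udp": [], "8443/tcp": ["/"]},
    "staging.example.com": {"443/tcp": ["/"], "22/tcp": []},
}

# Services whose appearance on the internet warrants a human look, not just a scan.
REMOTE_ACCESS_PORTS = {"22/tcp", "3389/tcp", "5900/tcp", "445/tcp"}
# Path fragments that signal authentication, privilege or API surface.
SENSITIVE_MARKERS = ("admin", "login", "auth", "api")


def diff_inventory(prev: Inventory, cur: Inventory) -> Dict[str, list]:
    """Classify what changed between two snapshots."""
    new_hosts = sorted(set(cur) - set(prev))
    removed_hosts = sorted(set(prev) - set(cur))
    new_services: List[Tuple[str, str]] = []
    new_paths: List[Tuple[str, str, str]] = []
    for host in sorted(set(prev) & set(cur)):
        for service, paths in cur[host].items():
            if service not in prev[host]:
                new_services.append((host, service))
                continue  # whole service is new; its paths ride on that entry
            for path in paths:
                if path not in prev[host][service]:
                    new_paths.append((host, service, path))
    return {"new_hosts": new_hosts, "removed_hosts": removed_hosts,
            "new_services": new_services, "new_paths": new_paths}


def build_test_queue(prev: Inventory, cur: Inventory) -> List[Dict[str, str]]:
    """Turn the diff into prioritised scope requests: manual test, scan, or decommission check."""
    d = diff_inventory(prev, cur)
    queue: List[Dict[str, str]] = []

    for host in d["new_hosts"]:
        if REMOTE_ACCESS_PORTS & set(cur[host]):
            queue.append({"target": host, "action": "manual", "priority": "high",
                          "reason": "new host exposing a remote-access service"})
        else:
            queue.append({"target": host, "action": "scan", "priority": "medium",
                          "reason": "new host"})

    for host, service in d["new_services"]:
        priority = "high" if service in REMOTE_ACCESS_PORTS else "medium"
        queue.append({"target": f"{host} {service}", "action": "scan",
                      "priority": priority, "reason": "new exposed service"})

    for host, service, path in d["new_paths"]:
        if any(marker in path.lower() for marker in SENSITIVE_MARKERS):
            queue.append({"target": f"{host} {service} {path}", "action": "manual",
                          "priority": "high", "reason": "new auth/admin/API surface"})
        else:
            queue.append({"target": f"{host} {service} {path}", "action": "scan",
                          "priority": "low", "reason": "new path"})

    # Disappearance is also a change: a removed host may leave dangling DNS or orphaned resources.
    for host in d["removed_hosts"]:
        queue.append({"target": host, "action": "verify-decommission", "priority": "medium",
                      "reason": "host left inventory; confirm it was retired, not just missed"})

    rank = {"high": 0, "medium": 1, "low": 2}
    queue.sort(key=lambda item: rank[item["priority"]])  # stable: discovery order kept within a tier
    return queue


if __name__ == "__main__":
    for item in build_test_queue(PREVIOUS, CURRENT):
        print(f"[{item['priority']:>6}] {item['action']:<20} {item['target']}  ({item['reason']})")
```

On the constructed snapshots this queues a manual test for the new staging host (SSH exposed) and for the new `/api/v2/orders` and `/admin` paths, a scan for the new 8443 service on the VPN host and the new docs path, and a decommission check for the host that vanished. The last item is the one annual testing never produces: a host dropping out of inventory is as much a finding as one appearing, because the DNS record or cloud resource behind it may still be live.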
Making the Business Case
Justifying the move from annual to continuous testing requires framing the investment in terms leadership understands: risk reduction, cost avoidance, and competitive advantage.
Risk reduction: Annual testing leaves roughly 11 months between assessments in which new vulnerabilities go undetected. For organizations deploying weekly, that is close to 50 deployments that were never security tested. Continuous testing reduces the window of undetected vulnerability exposure from months to days.
Cost avoidance: The average cost of a data breach continues to rise. The difference between a vulnerability found during testing and a vulnerability found during a breach is the difference between a few hours of engineering time and millions in incident response, legal fees, and customer notification costs. Continuous testing finds more vulnerabilities earlier.
Competitive advantage: Enterprise sales cycles increasingly involve security questionnaires and evidence reviews. Being able to demonstrate continuous security testing, current ASM coverage, and an up-to-date vulnerability posture accelerates deal closure. Customers are choosing vendors who can show ongoing security diligence over those who can only produce a single annual report.
Move Beyond Annual Testing
Lorikeet's Offensive Security Bundle at $37,500 per year includes multiple penetration tests, quarterly scanning, and continuous attack surface management. More testing, better coverage, lower per-test cost than purchasing annual engagements individually.