The question comes up in every security planning discussion: how often should we pentest? Annual? Quarterly? After every major release? The answer is not one-size-fits-all. The right testing frequency depends on how fast your application changes, what data it processes, what compliance frameworks apply, and how much risk your organization is willing to accept between assessments.
This guide provides a decision framework for determining the right pentesting cadence for your web application, with specific recommendations based on company profile and risk factors.
## The baseline: annual testing at minimum
Every web application that handles customer data should be penetration tested at least once per year. This is not just a best practice: it is the minimum expectation of the major compliance frameworks, of enterprise customer security questionnaires, and of cyber insurance underwriters.
Annual testing provides a comprehensive security baseline, catches vulnerabilities introduced over the course of a year, satisfies compliance requirements, and produces the report that enterprise customers need to see. If you are doing nothing else, do an annual pentest. It is the single highest-value security investment for most organizations.
But annual testing has a significant limitation: it only tells you about your security posture on the day the test was performed. If you deploy code 200 times between annual tests, you have 200 opportunities to introduce vulnerabilities that will not be detected until the next assessment.
## Factors that increase the required frequency

### High development velocity
If your engineering team deploys code multiple times per week, your attack surface changes constantly. New features, refactored components, updated dependencies, and configuration changes all have the potential to introduce vulnerabilities. The faster you ship, the more frequently you should test.
Companies with continuous deployment pipelines should consider quarterly pentests focused on new and changed functionality, supplemented by an annual comprehensive assessment that covers the full application.
### Sensitive data handling
Applications that process financial data, health records, personally identifiable information, or other sensitive data carry higher breach impact. The potential cost of a vulnerability being exploited is higher, which justifies more frequent testing to reduce the window of exposure.
### Regulatory requirements
Some compliance frameworks specify minimum testing frequencies. PCI DSS requires annual penetration testing and testing after significant changes. SOC 2 auditors expect at least annual testing. HIPAA risk assessments should be conducted annually. If your compliance framework specifies a frequency, that becomes your minimum.
### Enterprise customer requirements
Some enterprise customers require pentesting evidence that is less than six months old. If your customer base has this expectation, semi-annual testing may be necessary to ensure you always have a current report available.
## Testing frequency recommendations by company profile
| Company Profile | Recommended Frequency | Rationale |
|---|---|---|
| Early-stage startup (pre-Series A) | Annual + before major milestones | Budget-conscious, but needs reports for fundraising and first enterprise deals |
| Growth-stage SaaS (Series A-B) | Semi-annual or quarterly | Rapid feature development, growing enterprise customer base with security requirements |
| Established SaaS (Series C+) | Quarterly + continuous scanning | Large attack surface, multiple applications, strict compliance requirements |
| Fintech / Healthcare | Quarterly + after significant changes | PCI DSS and HIPAA requirements, high-value data, regulatory scrutiny |
| E-commerce | Semi-annual + before peak seasons | Payment data handling; the run-up to seasonal traffic spikes is the natural testing window |
## When to trigger an additional pentest
Beyond your regular testing cadence, certain events should trigger an additional assessment regardless of when the last test occurred.
- **Major feature launch.** New functionality that changes authentication, authorization, payment processing, or data handling.
- **Architecture changes.** Migration to a new framework, new API gateway, new authentication provider, or new infrastructure.
- **Post-incident.** After a security incident, to verify that the root cause was addressed and to check for additional vulnerabilities.
- **Pre-acquisition.** Before being acquired, as the buyer's due diligence will require a current report.
- **New compliance requirement.** When pursuing a new certification (SOC 2, ISO 27001, PCI DSS) that requires pentest evidence.
- **Major third-party integration.** Adding a new integration that handles sensitive data or introduces new attack surface.
## Building a layered testing program

The most effective approach is not simply to increase pentest frequency. It is to build a layered testing program that combines different assessment types at different cadences.
**Continuous:** Automated vulnerability scanning runs against your application on a weekly or monthly basis, catching known vulnerabilities and configuration issues as they appear.

**Quarterly:** Focused penetration tests that cover new features and changed functionality since the last assessment. These are smaller in scope and cost than a full assessment.

**Annual:** A comprehensive penetration test that covers the full application, including areas that have not changed. This serves as the baseline and produces the report for compliance and customer requirements.
Lorikeet Security's Offensive Security Bundle at $37,500 per year is built on this layered model. It includes an annual comprehensive web and API pentest, quarterly vulnerability scanning, and continuous attack surface monitoring. This combination ensures you are covered at every level without the cost of quarterly full-scope pentests.
The right question is not "how often?" but "how much risk am I willing to accept between tests?" Annual testing means up to 12 months of undetected vulnerabilities. Quarterly testing reduces that window to 3 months. Continuous scanning with periodic manual assessments shrinks it to weeks. The right cadence is the one that matches your risk tolerance and your budget.
## Build the Right Testing Cadence for Your Application
Whether you need annual, quarterly, or continuous testing, we can help you design a program that fits your risk profile and budget.