Why pentests don't protect you between tests

A penetration test is a manual, time-boxed engagement where a security firm tries to break into your systems and writes a report about what worked. They are valuable. They are also wildly insufficient as a primary defense.

The math nobody talks about

A typical SME pentest runs for two weeks. The report is delivered, you remediate the findings, you move on. The next pentest is 12 months later. Between them is 50 weeks of unmonitored change.

In those 50 weeks:

  • Engineers ship 200–800 pull requests.
  • Dependencies update 1,000+ times (sometimes silently, via Dependabot).
  • Cloud configs drift as features are added.
  • New SaaS tools get integrated; old ones get deprecated but stay connected.
  • Subdomains get spun up; certificates expire; DNS changes.

A pentest tells you what your security posture looked like on the last day of the two-week engagement. By week 50, that report is archaeology.

What a pentest actually catches

Pentests excel at:

  • Application-logic flaws — privilege escalation through a creative API call, business-logic bypass on a checkout endpoint.
  • Chained exploits — vulnerabilities that require human creativity to combine.
  • Architecture review — does your trust boundary make sense?

These are the things automated scanners genuinely cannot find. Pentests will continue to be valuable for these.

What a pentest doesn't catch (and shouldn't be expected to)

  • A leaked AWS key committed yesterday.
  • An SSL certificate that expires next Tuesday.
  • A new subdomain pointed at a misconfigured CDN.
  • A third-party JavaScript library that was hijacked last week.
  • A password reset email going out under a DKIM selector record that no longer exists.
  • A vendor in your supply chain that disclosed a breach this morning.

These are operational security issues. They change every day. A two-week pentest twice a year is the wrong tool.

The continuous-monitoring approach

The right answer is both:

  • Continuous, automated monitoring for the operational issues. Daily DNS / TLS / dependency / secret / brand checks. Alert when anything regresses.
  • Annual or semi-annual pentests for the deep, creative stuff that automation cannot find.

Most SMEs spend $20,000–$100,000/year on pentests and zero on continuous monitoring. The economics suggest the inverse: a $200/month monitoring tool catches 80% of the issues a $50,000 pentest catches, every day, year-round.

What we recommend

  1. Do an annual pentest. Skip cheaper providers — pay for one that does manual review by senior testers.
  2. Run continuous monitoring on top. Catch the operational stuff between tests.
  3. Treat the pentest report as a roadmap, not a report card. Every finding should map to a continuous-monitoring rule that catches it next time.
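As an added illustration of the "alert when anything regresses" rule set above and of mapping findings to daily rules (example code, not the post's or NoDowntimeShield's own), this Python snippet diffs two constructed daily snapshots of TLS expiry, DKIM records, subdomain CNAMEs and committed lines; the example.com hostnames, dates and the AWS documentation placeholder key id are all constructed sample data.

```python
import re
from datetime import date

# AWS access key ids start with the fixed prefix 'AKIA' followed by 16 uppercase alphanumerics.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

def check_snapshot(prev, cur, today, tls_warn_days=14):
    """Return (severity, message) alerts for regressions in `cur` relative to `prev`."""
    alerts = []
    # TLS: a certificate inside the warning window (the 'expires next Tuesday' case).
    for host, expires in cur["tls"].items():
        days_left = (expires - today).days
        if days_left <= tls_warn_days:
            alerts.append(("high", f"TLS cert for {host} expires in {days_left} days"))
    # DKIM: a selector record present yesterday but gone today breaks mail authentication.
    for selector in sorted(prev["dkim"] - cur["dkim"]):
        alerts.append(("high", f"DKIM record {selector} disappeared"))
    # Subdomains: a new name, or a CNAME now pointing somewhere new, needs review (CDN misconfig).
    for name, target in cur["cname"].items():
        if name not in prev["cname"]:
            alerts.append(("medium", f"new subdomain {name} -> {target}"))
        elif prev["cname"][name] != target:
            alerts.append(("medium", f"{name} CNAME changed {prev['cname'][name]} -> {target}"))
    # Secrets: scan lines committed since the last snapshot for an AWS access key id.
    for line in cur["commits"]:
        hit = AWS_KEY_RE.search(line)
        if hit:
            alerts.append(("critical", f"AWS access key id committed: {hit.group()[:8]}..."))
    return alerts

# Constructed snapshots: 'yesterday' and 'today' for a fictional example.com estate.
TODAY = date(2024, 6, 1)
PREV = {"tls": {"app.example.com": date(2024, 6, 5)},
        "dkim": {"s1._domainkey.example.com"},
        "cname": {"cdn.example.com": "old-cdn.example.net"},
        "commits": []}
CUR = {"tls": {"app.example.com": date(2024, 6, 5)},
       "dkim": set(),
       "cname": {"cdn.example.com": "new-cdn.example.net",
                 "beta.example.com": "beta-bucket.example.net"},
       # AKIAIOSFODNN7EXAMPLE is the AWS documentation placeholder key id, not a real credential.
       "commits": ["AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"]}

def daily_run():
    # One day's run of the rule set over the constructed snapshots.
    return check_snapshot(PREV, CUR, TODAY)

if __name__ == "__main__":
    for severity, message in daily_run():
        print(f"[{severity}] {message}")
```

Each alert corresponds to one of the operational items listed earlier; a real run would replace the constructed dicts with data collected from DNS, the TLS handshake and the repository.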

If you want the continuous side handled with one platform, that is what NoDowntimeShield is. Start at /check.