While periodic penetration testing is a very valuable service, it should not be relied upon to determine whether or not your organization is secure from cyber attacks.
Some organizations rely on annual pen tests to meet regulatory or cyber insurance requirements, which is fine, but don’t let a pen test from six months ago give you a false sense of how secure you are today.
Pitfalls of Periodic Pen Tests
- It’s only a “snapshot in time” view of information technology risk. A typical penetration test may take anywhere between 1 and 6 weeks and is composed of many test phases. Perhaps the pen test team spends one week on the external attack surface, two weeks on the internal network, a couple of weeks assessing web applications, and another week on phishing. The test team may very well identify important vulnerabilities during the different phases, but the dynamic nature of information technology means that by the time you get the report, it will most likely be out of date.
- They usually don’t include time for the pen test team to re-test remediated vulnerabilities. More often than not, organizations don’t ask us to come back and validate that remediation efforts were successful. Our experience shows us that 11% of the time, when a customer thinks they have remediated a vulnerability, it is still vulnerable.
- IT staff are disconnected from the pen test staff and don’t have an easy way to communicate with them about vulnerabilities. During a periodic pen test, most communication is about test execution and report finalization, not about the findings themselves.
Continuous Penetration Testing is the Answer to the Above Pitfalls
- Continuous penetration testing with Lifeguard™ provides an up-to-date view of IT risk. Our pen test team conducts manual penetration testing on a daily basis. Our test activities are visible in the Lifeguard platform, so you will know without a doubt the size and status of your attack surface.
- The Lifeguard service includes free vulnerability remediation validation testing. Our goal is to identify vulnerabilities as quickly as possible, have your staff remediate them, and have our team validate the remediation as quickly as possible to shrink the attack window, the time an attacker has to find and exploit any given vulnerability. If we have to re-open a finding 10 times until your IT staff fixes it, we do.
- IT staff are invited to the platform on day one of the pen test and have immediate visibility into findings and vulnerabilities on their hosts.