A Focus on Penetration Testing – Part 1

3 mins read

Thinking differently about Pen Testing…

Penetration testing has traditionally been treated as an annual exercise. Book the test, receive the report, fix what you can, and move on until next year.

But in today’s cloud-first, Microsoft-centric and AI-enabled environments, risk does not wait twelve months. New services go live, integrations change, suppliers connect, permissions shift and attack surfaces evolve continuously.

That is why organisations need to think differently about penetration testing. Not as a one-off compliance activity, but as part of an ongoing assurance model that helps validate controls, evidence compliance and give leaders confidence that digital services are secure today, not just when the last test was completed.

In this three-part series we explore:

Part 1

Why annual penetration testing is no longer enough

Part 2

How to turn findings into meaningful risk reduction

Part 3

What continuous assurance looks like in practice

Part 1: Why Annual Penetration Testing Is No Longer Enough

Most organisations can tell you when their last penetration test took place. Far fewer can confidently say whether the controls protecting them today are still working as intended.

In today’s environment, cyber risk evolves significantly faster than traditional testing cycles. Cloud platforms are continually updated, new integrations are introduced, AI-powered technologies are being adopted at pace, and users, suppliers and applications regularly change. Yet many organisations still rely on an annual penetration test to provide assurance for the next twelve months.

For organisations delivering critical public services, this gap can create significant risk. NHS Trusts, Police Forces, Fire and Rescue Services and Local Authorities increasingly depend on digital services to support frontline operations, protect sensitive data and maintain public confidence. Small technology changes can have disproportionate impacts if security controls are not continually validated.

Pen Testing Series

The Risk Is Moving Faster Than the Testing Cycle

The uncomfortable truth is that a clean report from last year does not prove that today’s environment is still secure. Every new service, integration, supplier connection or configuration change can alter the attack surface before the next annual assessment. New services are adopted, AI capabilities are introduced, cloud workloads are reconfigured and suppliers are connected.

For organisations delivering critical public services, every change can alter the attack surface and introduce risk long before the next annual assessment.

The shift required is cultural as much as technical. Penetration testing should no longer be viewed as a once-a-year event to satisfy an audit. It should become part of an ongoing assurance model where risk is reviewed, tested, remediated and evidenced throughout the year.

This aligns closely with Microsoft’s cloud security messaging. Microsoft’s Cloud Adoption Framework describes cloud governance as a continuous process, supported by guardrails such as policies, procedures and tools that help organisations use cloud services productively while controlling risk. In a Microsoft environment, penetration testing should therefore sit alongside secure landing zones, identity controls, policy enforcement, configuration management and continuous monitoring.

The goal is not to slow innovation. It is to give teams confidence to adopt cloud, AI and modern workplace services safely, with the right governance and guardrails in place.

Questions worth asking:

If your organisation completed a penetration test six or twelve months ago, what has changed since then?

?
Have new cloud services, integrations or applications gone live?
?
Have suppliers, users or permissions changed?
?
Have any high-risk findings been fully remediated and re-tested?
?
Could you evidence today that key controls are still working?
?
Would your board or risk committee have confidence that last year’s test reflects today’s exposure?

Annual testing can tell you where you stood on the day of the assessment. Ongoing assurance helps you understand where you stand today.  Before your next annual penetration test is due, review what has changed since the last one. If the answer is “quite a lot”, your testing cycle may no longer match your risk cycle.

Coming next…

In Part 2, we look at what happens after the report lands. Because the real value of penetration testing is not the list of findings, it is knowing which risks matter most, what needs fixing first and how to prove that remediation has genuinely reduced exposure.

If you would like to discuss anything in this blog post with a member of our team, get in touch by clicking here.