From Annual Pen Tests to Always-On Exposure Management

Most organisations conduct annual penetration testing, but almost none have continuous visibility into their exposure. And that gap – the time between tests – is precisely when attackers strike.

Vulnerability management, exposure management, attack surface management, and cloud security are converging into what Gartner calls Continuous Threat Exposure Management (CTEM). But what does that actually mean for organisations already doing annual pentests and quarterly scans?

What Changes in 12 Months

Think about what happens to a typical organisation’s technology estate in a year:

New systems are deployed

Development teams launch new applications, infrastructure teams provision new servers, cloud environments expand as the business adopts new services, and AI and machine learning teams spin up GPU instances and model training environments. Each new asset introduces potential new attack surface – often outside the visibility of central IT.

Configurations shift

A firewall rule is updated and a port is accidentally left open, a cloud storage bucket is misconfigured during a platform migration, or an IAM role is granted excessive permissions “just for testing” and never revoked. This happens constantly through routine infrastructure changes, and nobody notices.

Software reaches end-of-life

A server runs an operating system version that loses support, a library in a web application stops receiving security updates, or a containerised application pins an old base image that’s no longer maintained. End-of-life and unpatched software is one of the most common exploitation vectors.

Critical vulnerabilities are disclosed

Log4Shell, ProxyLogon, MOVEit, CitrixBleed – major vulnerabilities emerge every year, often exploited within hours of public disclosure. Organisations that discover them at their next annual assessment may have been exposed for months.

All of this is happening continuously, but most organisations only find out once a year.

The Modern Attack Surface: It’s Not Just Vulnerabilities

Here’s what’s changed: modern breaches happen just as often through cloud misconfigurations as through unpatched software.

A publicly facing storage bucket, an IAM role with excessive permissions, or overly permissive security group rules in AWS: these aren’t “vulnerabilities” requiring patches – they’re exposures requiring reconfiguration.

Traditional vulnerability scanning tells you which CVEs exist in your software, while modern exposure management tells you everything an attacker could exploit: software vulnerabilities, cloud misconfigurations, shadow IT, weak authentication, exposed admin panels, and drift from security baselines.

This is why the industry is evolving from point-in-time vulnerability assessments to continuous exposure management, because what matters isn’t just what’s vulnerable – it’s what’s exposed.

The Compliance Problem

Most compliance frameworks don’t just require annual penetration testing – they require ongoing vulnerability management, and they increasingly recognise that this means more than just patching.

ISO 27001 (Annex A.12.6) requires that organisations “obtain timely information about technical vulnerabilities” and take “appropriate measures” in response. The standard increasingly recognises that exposure management extends beyond just patching – it includes configuration management, access control review, and continuous monitoring.

PCI DSS Requirement 11 mandates regular internal and external vulnerability scanning, and specifically requires quarterly scanning for compliance. But it also requires organisations to maintain secure configurations. A misconfigured cloud environment that exposes cardholder data fails PCI DSS just as surely as an unpatched web server.

Cyber Essentials Plus requires evidence that software is patched and up to date, but also requires secure configuration of services, access controls, and network boundaries. Without ongoing scanning, passing the assessment relies on manual inventory management that’s rarely accurate – and misses configuration drift entirely.

Cyber insurers are asking harder questions at renewal. “We do an annual pentest” is becoming an insufficient answer. Insurers increasingly want evidence of continuous monitoring, configuration baseline management, and proof that new assets are discovered and assessed promptly.

Why Automation Matters

Manual assessment is expensive and doesn’t scale.

A qualified security consultant reviewing your environment might cost £1,000 per day. Running a thorough manual review of 50 IPs, five web applications, and three cloud accounts would take weeks, so doing it monthly is impractical.

But the real limitation isn’t just cost – it’s coverage. Manual assessment is always scoped to known assets. The test server someone provisioned last month? Not in scope. The AI model training environment the data science team deployed? Not in scope. The misconfigured S3 bucket created during yesterday’s deployment? Not in scope.

Automated continuous assessment changes this entirely. Attack surface discovery identifies assets you didn’t know existed. Cloud security posture assessment evaluates hundreds of configuration checks across multiple accounts simultaneously. Application scanning tests for both known vulnerabilities and common misconfigurations.

The key word is ongoing. A single scan is useful. Monthly automated scanning across your entire estate – with attack surface discovery surfacing shadow IT and trend analysis showing what’s new, what’s been fixed, and what’s persisting – is transformative.
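The trend analysis described above (what’s new, what’s been fixed, what’s persisting, and which scanned assets nobody has on the books) is a small data problem once each scan is a list of findings. The example below is added here to show that logic concretely; it is not Blackfoot’s or any product’s code. It assumes a finding is identified by the pair (asset, check id), and the two scans, the inventory and the SLA table are constructed sample data.

```python
# Added example (not Blackfoot's or any product's code): trend analysis
# over successive exposure scans. Assumes each scan is a list of findings
# identified by (asset, check_id); the sample scans below are constructed.
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    asset: str        # host, URL, bucket, role: anything with attack surface
    check_id: str     # CVE id or configuration-check id
    severity: str
    first_seen: date  # date this finding first appeared in a scan


def _key(f: Finding) -> tuple[str, str]:
    return (f.asset, f.check_id)


def diff_scans(previous: list[Finding], current: list[Finding]) -> dict[str, list[Finding]]:
    """Classify findings as new, fixed or persisting between two scans.

    Persisting findings keep the first_seen date from the earlier scan so
    that their age keeps accumulating month after month.
    """
    prev = {_key(f): f for f in previous}
    curr = {_key(f): f for f in current}
    new = [curr[k] for k in sorted(curr.keys() - prev.keys())]
    fixed = [prev[k] for k in sorted(prev.keys() - curr.keys())]
    persisting = [
        Finding(curr[k].asset, curr[k].check_id, curr[k].severity, prev[k].first_seen)
        for k in sorted(curr.keys() & prev.keys())
    ]
    return {"new": new, "fixed": fixed, "persisting": persisting}


def overdue(findings: list[Finding], as_of: date, sla_days: dict[str, int]) -> list[Finding]:
    """Findings older than the remediation SLA for their severity (default 90 days)."""
    return [f for f in findings if (as_of - f.first_seen).days > sla_days.get(f.severity, 90)]


def unknown_assets(current: list[Finding], inventory: set[str]) -> list[str]:
    """Assets the scanner saw but the approved inventory does not list: candidate shadow IT."""
    return sorted({f.asset for f in current} - inventory)


# Constructed sample data: last month's and this month's scan results.
# CVE ids are placeholders, not real identifiers.
PREVIOUS_SCAN = [
    Finding("web-01", "CVE-PLACEHOLDER-1", "critical", date(2023, 12, 10)),
    Finding("web-01", "TLS-1.0-ENABLED", "medium", date(2024, 1, 15)),
    Finding("db-01", "SSH-OPEN-TO-INTERNET", "high", date(2024, 1, 15)),
]
CURRENT_SCAN = [
    Finding("web-01", "CVE-PLACEHOLDER-1", "critical", date(2024, 2, 15)),
    Finding("web-02", "CVE-PLACEHOLDER-2", "critical", date(2024, 2, 15)),
    Finding("s3://backup-bucket", "S3-PUBLIC-READ", "high", date(2024, 2, 15)),
]
INVENTORY = {"web-01", "db-01"}              # what central IT believes it owns
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90}


def monthly_report(as_of: date = date(2024, 2, 16)) -> dict[str, list[str]]:
    """Summarise this month's scan relative to last month's as 'asset check_id' strings."""
    delta = diff_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    label = lambda f: f"{f.asset} {f.check_id}"
    return {
        "new": [label(f) for f in delta["new"]],
        "fixed": [label(f) for f in delta["fixed"]],
        "persisting": [label(f) for f in delta["persisting"]],
        "overdue": [label(f) for f in overdue(delta["persisting"], as_of, SLA_DAYS)],
        "unknown_assets": unknown_assets(CURRENT_SCAN, INVENTORY),
    }


if __name__ == "__main__":
    for section, items in monthly_report().items():
        print(f"{section}: {items}")
```

The report is what turns a scan into something an operations team can act on: the persisting critical on web-01 is past its 14-day SLA, and the two assets absent from the inventory are exactly the shadow IT the text says attack surface discovery should surface.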

Understanding CTEM: The Modern Framework

Gartner introduced the concept of Continuous Threat Exposure Management (CTEM) as a framework for how modern organisations should manage their security posture. It consists of five stages:

  • Scoping – Define your technology estate and priorities
  • Discovery – Identify all assets, including shadow IT and forgotten infrastructure
  • Prioritisation – Risk-based ranking of exposures based on exploitability and business impact
  • Validation – Test whether exposures are actually exploitable through manual testing
  • Mobilisation – Orchestrate remediation and track progress

Most vulnerability platforms stop at stage three. They discover assets, scan for issues, and prioritise findings, but they don’t validate whether those findings are actually exploitable in your specific environment, and they don’t integrate into your remediation workflows.

This is where the combination of Continuous Vulnerability Management and Penetration Testing delivers complete CTEM. CVM provides stages one through three: continuous discovery of your attack surface, automated assessment across infrastructure and cloud, and risk-based prioritisation in a central platform. Penetration testing provides stage four: expert validation of whether exposures are exploitable, testing of attack chains that combine multiple weaknesses, and validation of cloud misconfigurations in context. Together they enable stage five: remediation workflows informed by both continuous data and expert validation, with clear prioritisation based on real-world exploitability.

When the same team delivers both – when your CVM findings feed directly into your annual pen test scope, and your pen test findings inform CVM prioritisation – you get complete CTEM delivery from a single provider who understands your environment.

Continuous Assessment Doesn’t Replace Pen Testing

This is critical: continuous vulnerability management is not a replacement for penetration testing.

Continuous assessment identifies known vulnerabilities by matching signatures against databases of disclosed CVEs, it detects cloud misconfigurations by comparing current state against security baselines, and it discovers new assets through attack surface monitoring. It finds what’s known, documented, and detectable through automated means, and it does this quickly, at scale, and continuously.

Manual penetration testing validates exploitability, chains multiple exposures together, tests business logic, and finds the issues that signatures don’t detect. It simulates how a skilled attacker would combine a misconfigured IAM role with an exploitable web application to gain access to sensitive data. It finds what creative, experienced attackers would find, and it does this deeply and thoroughly, at a point in time.

Both are essential, and neither replaces the other.

Organisations that only do pentesting have a continuous visibility gap – they’re blind to what changes between assessments. Organisations that only do automated scanning have a depth gap – they don’t know which exposures are actually exploitable in combination. The answer is both: continuous assessment as the ongoing baseline, with annual penetration testing for deep validation.

What Always-On Exposure Management Looks Like

With continuous assessment running monthly across your estate, your security posture changes from reactive to proactive:

A critical CVE is published on a Monday.

Your Wednesday scan identifies all affected systems across your infrastructure and cloud environments. By Thursday, your team is remediating. Without continuous assessment, you’d wait until the next pen test – potentially months away – or worse, discover it through a breach.

A developer deploys a new application.

Attack surface discovery automatically includes it in the next scan. Any vulnerabilities or misconfigurations are surfaced immediately. Without continuous monitoring, it might never be formally assessed – or only be discovered when it appears in an external security researcher’s disclosure.

Shadow IT surfaces automatically.

That forgotten test server someone provisioned six months ago appears in your attack surface discovery. So does the AI training environment the data science team deployed with default credentials still enabled. Without continuous monitoring, these assets could sit exposed indefinitely.

A cloud engineer creates a new storage bucket and accidentally leaves it public.

Cloud posture scanning identifies the misconfiguration – not a vulnerability requiring a patch, but an exposure requiring immediate remediation. Without continuous cloud security assessment, it could remain exposed until the next audit, compliance review, or data breach notification.

An IAM role is granted overly broad permissions “just for testing”.

Cloud posture monitoring flags the excessive permissions within 24 hours. Without continuous exposure management, this privilege escalation path would remain until someone manually audits IAM policies – which rarely happens frequently enough to matter.
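The public bucket and the over-broad IAM role in the two scenarios above are the kind of checks a cloud posture scanner runs against exported configuration rather than against running software. The example below is added to show both checks in working code; it is not Blackfoot’s code or an AWS API. It evaluates policy documents written in the AWS IAM policy JSON format, and the bucket policy and role policy it inspects are constructed samples. The public-access check deliberately stops short on statements that carry a Condition, because deciding whether those are really public needs condition analysis.

```python
# Added example (not Blackfoot's or AWS's code): two cloud posture checks
# over constructed AWS-format policy documents. A real scanner would pull the
# policies from the account; here they are embedded as sample input.
from __future__ import annotations

import json
from typing import Any


def _as_list(value: Any) -> list:
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"}, i.e. anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_statements(bucket_policy: dict) -> list[str]:
    """Sids of Allow statements granting unconditional anonymous access.

    Statements with a Condition are skipped on purpose: they may still be
    public (or may be limited to an IP range), and judging that needs
    condition analysis, which this simplified check leaves to a fuller engine.
    """
    hits = []
    for i, stmt in enumerate(_as_list(bucket_policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        hits.append(stmt.get("Sid", f"statement-{i}"))
    return hits


def wildcard_grants(iam_policy: dict) -> list[tuple[str, str, str]]:
    """(Sid, action, resource) for Allow grants of '*' or 'service:*' on Resource '*'.

    These are the "just for testing" permissions the text describes: broader
    than any single workload needs, and a privilege escalation path if left.
    """
    hits = []
    for i, stmt in enumerate(_as_list(iam_policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                hits.append((stmt.get("Sid", f"statement-{i}"), action, "*"))
    return hits


# Constructed sample: a bucket policy left public during a migration. The
# second statement is anonymous but IP-restricted (documentation range).
PUBLIC_BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowPublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backup-bucket/*"},
    {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-backup-bucket",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}
  ]
}
""")

# Constructed sample: a role policy widened "just for testing" and never revoked.
TEST_ROLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppReads", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-app-data/*"},
    {"Sid": "JustForTesting", "Effect": "Allow",
     "Action": ["s3:*", "ec2:DescribeInstances"], "Resource": "*"}
  ]
}
""")


def posture_report() -> dict[str, list]:
    """Run both checks over the sample policies."""
    return {
        "public_bucket_statements": public_statements(PUBLIC_BUCKET_POLICY),
        "wildcard_grants": wildcard_grants(TEST_ROLE_POLICY),
    }


if __name__ == "__main__":
    print(json.dumps(posture_report(), indent=2))
```

Run monthly, the same two functions produce the diff the earlier scenarios rely on: a statement that was not in last month’s export and is flagged this month is a new exposure, and one that stops appearing has been remediated. Only AllowPublicRead and the s3:* grant are reported; the IP-restricted statement is left for a human to judge rather than silently passed.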

A new zero-day targeting a specific cloud service is disclosed.

Your cloud posture scanning already has visibility into every instance of that service across all your cloud accounts. Within hours, you know exactly where you’re exposed and can prioritise remediation. Without continuous cloud visibility, you’d be scrambling to even inventory which accounts might be affected.

The Evolution Is Clear

The shift from annual pentests to always-on exposure management isn’t about replacing one with the other. It’s about recognising that modern attack surfaces – spanning on-premise infrastructure, cloud platforms, SaaS applications, APIs, and containerised workloads – change too rapidly for point-in-time assessment alone.

Annual penetration testing remains essential for deep validation, but between those tests, you need continuous visibility into what’s exposed, what’s misconfigured, and what’s changed since yesterday.

The organisations getting this right are combining continuous vulnerability management for breadth with annual penetration testing for depth, treating cloud misconfigurations with the same urgency as unpatched CVEs, and discovering shadow IT automatically instead of waiting for it to appear in breach notifications.

Most importantly, they’re never in the dark about their exposure, and that makes all the difference.
