There is a ritual that plays out in thousands of companies every year. A security team hires a pen testing firm. The consultants arrive — sometimes in person, sometimes via VPN — and spend two to three weeks probing an environment that has been partially frozen in place for the occasion. Scope is defined. Assets are listed. Credentials are handed over.

Six weeks later, a PDF arrives. It runs to 200 pages. The executive summary describes the engagement. The findings section lists twelve vulnerabilities, three of which are critical. Remediation guidance is appended. The PDF is shared with the board. The board nods. The CISO closes the ticket. The annual pen test is complete.

And then the company ships code on Monday morning, exactly as it did on the Friday before the consultants arrived.

The Math Nobody Wants to Do

Modern engineering teams at growth-stage companies push code daily. Sometimes multiple times a day. Infrastructure changes weekly — new microservices, new cloud configurations, new third-party integrations, new employee access grants. The attack surface of a live company in 2026 is not a static object. It is a living system that changes faster than any annual assessment can track.

Consider the arithmetic. If a two-week engagement runs once a year while your engineers ship five days a week, the assessment covers roughly four percent of your operational window. The other ninety-six percent is unvalidated assumption. And four percent is generous: what those two weeks validate is the environment as it stood on those particular days, and the report describing it lands six weeks after they end.

~4% of the year covered by a two-week annual pen test
~50 weeks of unvalidated exposure
$4.45M average cost of a data breach (IBM Cost of a Data Breach Report, 2023)

The pen test is not wrong. It is not fraudulent. The consultants are often excellent at what they do. The problem is structural: you are applying a periodic, bounded tool to a continuous, unbounded problem. And most organizations have not fully reckoned with what that gap actually costs.

What Changes While You're Not Looking

The attack surface expands in ways that are individually innocuous and collectively significant. A developer spins up a staging environment and forgets to restrict access. A cloud storage bucket is misconfigured during a rushed deployment. A new SaaS tool is onboarded — another OAuth integration, another set of permissions, another surface. A contractor is granted temporary VPN access and the access is never revoked.

None of these are dramatic events. None of them would appear in a threat model built during the pen test window. All of them are the kind of small, practical decisions that engineers make a hundred times a week.

The uncomfortable reality: The average enterprise has 5,000+ cloud assets. Roughly 70% of those assets are unmonitored at any given time. The pen test covered the ones you knew about, in the state they were in, on the days the consultants were present.

The PDF as Security Theater

There is a secondary problem with the annual pen test that is almost never discussed: the artifact it produces is optimized for the wrong audience.

The 200-page PDF is written to justify the engagement, satisfy a compliance checkbox, and give the security team something to present to leadership. It is not written to drive rapid remediation. The critical findings are buried in technical language that developers cannot act on without significant translation. The remediation guidance is generic. The prioritization is unclear. By the time the PDF is distributed, the environment it describes has already changed.

The result is a document that looks like accountability but functions as a record of a moment that no longer exists.

What Continuous Testing Actually Means

The alternative is not simply "testing more often." Running the same two-week engagement quarterly covers eight weeks of the year instead of two, which still leaves roughly 85 percent of it unvalidated. The real shift is architectural: security validation needs to operate at the same cadence as the engineering work it is meant to validate.

This means automated, continuous attack simulation that maps to your live environment. It means findings delivered in real time, not in a PDF six weeks after the engagement ends. It means the security posture your board is looking at when they review disclosures reflects your environment today, not the environment as it existed during a two-week window eleven months ago.

Most importantly, it means finding the credential reuse path from your VPN to your AWS console before an adversary does — not after the annual window closes and the consultants are three engagements down the road.

The question to ask your security team: "If we suffered a breach tomorrow, what percentage of our current environment has been validated against a real attack scenario in the last 30 days?" If the answer is anything less than most of it, the pen test you paid for is a historical document, not a security posture.
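That question has a measurable answer if you treat it as a join between the asset inventory and the validation log. The rule that makes the metric honest is the one this post keeps returning to: a validation only counts if it is recent and nothing about the asset has changed since it ran, because a finding that predates the last deploy describes an environment that no longer exists. The script below is an added example, not code from the original post or from Tadpole; the inventory rows, the `asset_id`/`last_changed`/`last_validated` fields and the 30-day window are constructed assumptions, not any product's schema.

```python
"""Validated-coverage metric: what share of the current estate has been exercised
by an attack scenario recently enough to still describe it?

Added example (not from the original post or from Tadpole). The inventory below
is constructed sample data; field names and the 30-day window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str                           # e.g. "vpn-gateway", "s3", "saas-oauth"
    last_changed: datetime              # last deploy / config / permission change
    last_validated: Optional[datetime]  # last attack-scenario run against it, None if never


def ts(year: int, month: int, day: int) -> datetime:
    """UTC timestamp helper so every comparison below is timezone-aware."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def is_validated(asset: Asset, now: datetime, window: timedelta) -> bool:
    """An asset counts as validated only if (a) a scenario exercised it within the
    window and (b) it has not changed since. A validation older than the asset's
    last change is a historical document, not evidence about the current state."""
    if asset.last_validated is None:
        return False
    if now - asset.last_validated > window:
        return False
    return asset.last_validated >= asset.last_changed


def coverage(assets: List[Asset], now: datetime,
             window: timedelta = timedelta(days=30)) -> Tuple[int, int, float, List[str]]:
    """Return (validated_count, total, fraction_validated, stale_asset_ids)."""
    validated = [a for a in assets if is_validated(a, now, window)]
    stale = [a.asset_id for a in assets if not is_validated(a, now, window)]
    total = len(assets)
    fraction = len(validated) / total if total else 0.0
    return len(validated), total, fraction, stale


# Constructed inventory: the drift events from the post, each with a timestamp.
NOW = ts(2026, 3, 2)
SAMPLE = [
    # Exercised 10 days ago, unchanged since: counts.
    Asset("vpn-gw-1", "vpn-gateway", last_changed=ts(2025, 1, 10), last_validated=ts(2026, 2, 20)),
    # Exercised 10 days ago, then redeployed: the finding predates the deploy, does not count.
    Asset("api-prod", "service", last_changed=ts(2026, 2, 25), last_validated=ts(2026, 2, 20)),
    # Covered by last year's annual pen test, reconfigured since: does not count.
    Asset("s3-logs", "s3", last_changed=ts(2025, 6, 1), last_validated=ts(2025, 4, 15)),
    # Staging environment spun up last week, never exercised: does not count.
    Asset("staging-env-7", "staging", last_changed=ts(2026, 2, 28), last_validated=None),
    # New OAuth integration, exercised after it was onboarded: counts.
    Asset("oauth-slack", "saas-oauth", last_changed=ts(2026, 1, 15), last_validated=ts(2026, 2, 10)),
    # Contractor VPN account validated once in November, never revoked: outside the window.
    Asset("contractor-vpn-acct", "vpn-account", last_changed=ts(2025, 11, 1), last_validated=ts(2025, 11, 5)),
]


def report(assets: List[Asset], now: datetime) -> str:
    """Human-readable summary for the question in the post."""
    n, total, frac, stale = coverage(assets, now)
    lines = [f"{n}/{total} assets ({frac:.0%}) validated against an attack scenario in the last 30 days"]
    lines += [f"  stale or never validated: {aid}" for aid in stale]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE, NOW))
```

Two details matter in practice. First, `last_validated >= last_changed` is the condition that turns a pen test into a point-in-time record the moment anything ships; without it, the annual report would keep counting as coverage all year. Second, assets with `last_validated=None` are listed explicitly rather than silently lowering the percentage, since the never-tested staging box and the unrevoked contractor account are exactly the items the post says nobody is looking at.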

The Forcing Function

The SEC's cybersecurity disclosure rules have created an unexpected pressure on this problem. Public companies must now file a Form 8-K (Item 1.05) describing a material cybersecurity incident within four business days of determining that the incident is material. The quality of that disclosure, and the company's ability to defend it, depends on having an accurate, current picture of its security posture at the moment the incident occurs.

A company whose most recent security validation is eleven months old is not well-positioned to make that determination quickly, accurately, or confidently. A company that runs continuous adversarial validation is.

The annual pen test had a good run. For most of the history of enterprise security, it was the best available tool for the job. But the job has changed. The environment changes daily. The adversaries operate continuously. The regulatory clock is measured in business days. The only rational response is a security practice that operates at the same pace as the threat.

See what continuous testing finds in your environment.

Tadpole deploys autonomous agents that simulate real adversaries — 24/7, across your entire attack surface.