Penetration Testing – How Often Is Enough?

When do I Have Enough Security – How often should I conduct a penetration test?

In today’s world, massive data breaches and sophisticated malware litter news headlines. So much that it feels as though it’s more of when your organization will fall victim rather than if. Still, many organizations choose to only meet baseline compliance requirements and seldom perform penetration testing. Sometimes just being “good”, isn’t “good enough”. Not conducting preemptive security assessments is a recipe for disaster, but how often is enough? 

Most authorities will say that you should test before placing a system or software into production and after any major change. We all agree those are key milestones that should trigger security testing in any IT risk management program but there’s more to it than that. It’s less about how often you should test but more about a continuous conversation about the ever-changing attacker landscape, your organizations risk appetite, and general forward thinking. 

Attacker Landscape

You understand what’s valuable in your organization; unfortunately, attackers do too. Attackers can range from rogue employees to criminal empires, so understanding the threats against you is a critical component to your testing regimen and pace. Researching current security trends and the associated threat actor’s behavior can give you a clue as to the depth and frequency of testing required. 

Risk Appetite 

As the saying goes, “Just enough security is the right amount of security”. It doesn’t make good business sense to spend more on a security control than what you are securing. Strive to put controls in places that give you the most bang for your buck. Keep in mind that risk in general can never be completely eliminated but you can take measures to drastically reduce the impact or likelihood of an attack. Taking a defense in depth approach to protect your most valuable assets is a great starting point and a best practice. 

Forward Thinking

Key business endeavors can often create new attack vectors and invite threat actors you didn’t anticipate. Does your organization plan to acquire another business, move into a new industry, or is it on the verge of an R&D breakthrough? Knowing where your organization is headed can better prepare you by creating a solid foundation for your security program. 

Regrettably, risk management isn’t a set it and forget it activity and testing cadence is made up of a culmination of decisions. Continuous conversation and review may be what keeps your organization’s brand out of the notorious section of the news tomorrow.

To speak directly with one of our cybersecurity experts, please leave the following information or contact us at

Speak to a Cybersecurity Expert