VMaaS

Why annual penetration tests are no longer enough

Attack surfaces change weekly. A point-in-time pen test is still useful, but it cannot keep pace with cloud sprawl, SaaS adoption and a steady drumbeat of new CVEs. Continuous vulnerability management is the new baseline.


The annual test was designed for a different estate

Ten years ago a mid-market firm had a server room, a handful of public IPs and a Citrix farm. A scoped, once-a-year penetration test gave reasonable assurance because the estate barely moved between tests.

Today the same firm runs Microsoft 365, two or three IaaS subscriptions, a dozen line-of-business SaaS tools and a hybrid workforce on laptops that may never touch the office network. The attack surface changes every week — sometimes every day.

What an annual test misses

A snapshot tells you what was true on the test date. It does not tell you what changed the following week when marketing connected a new SaaS app, or when a developer published a misconfigured storage bucket, or when Microsoft shipped a patch that broke an exposed service.

  • New CVEs disclosed between tests — the average UK SME accumulates dozens of exploitable findings within 90 days.
  • Shadow IT and SaaS sprawl — apps procured by departments without IT oversight.
  • Cloud configuration drift — IAM changes, public buckets, exposed management ports.
  • Third-party and supply-chain exposure — partners and vendors that touch your data.
  • Identity risk — stale accounts, weak MFA coverage, over-privileged service principals.

Continuous vulnerability management as the new baseline

Vulnerability Management as a Service (VMaaS) closes the gap between tests. Authenticated scanning, agent-based discovery and external attack-surface monitoring run continuously. Findings are triaged by humans, prioritised against exploit intelligence, and routed to the right owner with a clear remediation path.

Pen testing still matters — it validates business logic, chained attacks and assumptions that a scanner cannot reason about. But it sits on top of a continuous baseline, not in place of one.

  • Run continuous scanning across internal, external, cloud and identity surfaces.
  • Use a managed service to triage findings — raw scanner output is not a remediation plan.
  • Avoid treating the annual pen test report as a 12-month assurance artefact.
  • Avoid buying a scanner without owning the operational process that acts on the output.

What good looks like for a UK mid-market firm

A mature programme combines weekly or daily authenticated scanning, monthly executive reporting, quarterly external attack surface management (EASM) reviews and an annual penetration test that focuses on application logic and red-team scenarios.

Most importantly, the mean time to remediate critical findings should be measured in days, not weeks. That is only achievable when scanning, triage, ticketing and patching are operated as one workflow — which is exactly what a managed VMaaS provides.
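To make the "one workflow" concrete, the following is an added example (not code from this page or from any VMaaS provider) of the triage step it describes: scanner findings are ranked against an exploit-intelligence list and exposure rather than CVSS alone, routed to the owning team, and measured by mean time to remediate. The findings, the owner tags and the known-exploited list are constructed for illustration; the CVE identifiers are placeholders, not real vulnerabilities.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional

# Constructed sample of scanner findings (not real data). In practice these rows
# would come from the scanner's export or API, and the owner from asset tags.
@dataclass
class Finding:
    cve: str
    asset: str
    owner: str              # team that owns the asset
    cvss: float
    internet_facing: bool   # from external attack-surface monitoring
    found: date
    fixed: Optional[date] = None

# Constructed stand-in for an exploit-intelligence feed (a list of CVEs reported as
# exploited in the wild). Placeholder IDs, not real CVE numbers.
KNOWN_EXPLOITED = {"CVE-0000-1001", "CVE-0000-1003"}

def priority(f: Finding) -> str:
    """Rank a finding by exploit intelligence and exposure, not CVSS alone."""
    exploited = f.cve in KNOWN_EXPLOITED
    if exploited and f.internet_facing:
        return "P1"
    if exploited or (f.cvss >= 9.0 and f.internet_facing):
        return "P2"
    if f.cvss >= 7.0:
        return "P3"
    return "P4"

def route(findings: List[Finding]) -> Dict[str, list]:
    """Group prioritised findings by owning team, highest priority first."""
    queue: Dict[str, list] = {}
    for f in findings:
        queue.setdefault(f.owner, []).append((priority(f), f.cve, f.asset))
    for owner in queue:
        queue[owner].sort()
    return queue

def mttr_days(findings: List[Finding], level: str = "P1") -> Optional[float]:
    """Mean time to remediate, in days, over closed findings at the given priority."""
    closed = [(f.fixed - f.found).days for f in findings
              if priority(f) == level and f.fixed is not None]
    return mean(closed) if closed else None

def open_findings(findings: List[Finding], level: str = "P1") -> List[str]:
    """CVEs at the given priority that are still open (the remediation backlog)."""
    return [f.cve for f in findings if priority(f) == level and f.fixed is None]

# Constructed findings: two exposed VPN gateways with a known-exploited CVE, an
# internet-facing web host with a critical CVSS score, an internal build agent
# with a known-exploited but not exposed CVE, and a low-severity internal app.
SAMPLE = [
    Finding("CVE-0000-1001", "vpn-gw-01", "network", 8.1, True, date(2024, 3, 1), date(2024, 3, 3)),
    Finding("CVE-0000-1002", "web-prod-02", "platform", 9.8, True, date(2024, 3, 2), date(2024, 3, 12)),
    Finding("CVE-0000-1003", "build-agent-07", "devops", 7.5, False, date(2024, 3, 4)),
    Finding("CVE-0000-1004", "hr-app-01", "platform", 5.3, False, date(2024, 3, 5), date(2024, 3, 30)),
    Finding("CVE-0000-1001", "vpn-gw-02", "network", 8.1, True, date(2024, 3, 6), date(2024, 3, 11)),
]

if __name__ == "__main__":
    for owner, items in route(SAMPLE).items():
        print(owner, items)
    print("P1 MTTR (days):", mttr_days(SAMPLE))      # 3.5 for the sample above
    print("Open P2:", open_findings(SAMPLE, "P2"))    # the unpatched build agent
```

The point of the ranking is that the 9.8 CVSS web finding lands at P2 while the 8.1 VPN findings land at P1 because they are both exposed and known to be exploited; measuring MTTR per priority band is what lets a programme show "days, not weeks" for the findings that matter rather than an average over everything the scanner reported.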

Key takeaways
  • Annual penetration testing alone leaves 50+ weeks of unmonitored change.
  • Continuous vulnerability management is the modern baseline for mid-market firms.
  • Pen testing remains valuable for logic flaws and red-team validation, on top of the continuous baseline.
  • Measure success by mean-time-to-remediate, not by scan volume.