Annual pentests are broken: continuous testing for SaaS
The contradiction
A modern SaaS ships to production multiple times a day. The annual pentest tests a snapshot from twelve months ago. Between two engagements, the application becomes a product the previous report no longer describes.
This is not a theoretical gap. We see it in every client engagement: the high-severity findings on a web app rarely come from the code that existed at the last pentest. They come from features shipped in the months after.
Why annual cadence persists
Three reasons, none of them related to security outcomes.
- Cost. A serious boutique pentest is €15,000 to €40,000. Companies budget once a year because that is what they can afford.
- Procurement cycle. Scoping plus contract plus calendar slot plus engagement plus report regularly takes three months. Doing it twice means six months of overhead.
- Auditor habit. Most ISO 27001 and SOC 2 auditors stamp annual cadence as sufficient because it has historically been the market norm.
None of these are security arguments. They are friction arguments.
A pentest scoped twelve months ago, against a system whose current version shipped four months ago, documents the past. Auditors increasingly notice.
What continuous looks like in practice
Three concrete patterns we see working.
Pattern 1: per-deploy pentest gate. Every production deployment triggers an automated pentest scoped to the changed surface (new endpoints, modified auth flows, dependency changes). Results land in the deploy ticket. CI green plus pentest green equals ship.
Pattern 2: weekly full-surface rescan. A scheduled pentest covers every web app, API, and external IP every Monday. Findings are diffed against the previous week. New findings open Jira tickets automatically.
Pattern 3: quarterly deep engagement. Every three months, a full intrusion test runs at maximum depth. Results feed the board risk review and the auditor binder.
Most clients combine two. Per-deploy plus weekly. Or weekly plus quarterly.
What changes for the SOC and the CISO
The work shifts from "schedule the engagement" to "manage the alert volume." Three operational consequences:
- Triage protocol. Continuous testing produces continuous findings. You need a clear severity-to-action map: P0 pages someone, P1 opens a ticket, P2 lands in the weekly review. Not different from existing alerting protocols, just applied to pentest output.
- Remediation velocity becomes the bottleneck. Once detection is continuous, the time-to-fix metric replaces the time-to-test metric as the operational KPI. CISOs who chase a green dashboard end up running the dev team, not the security program.
- Auditor evidence flips from snapshot to history. A DORA or NIS2 audit no longer asks "show me last year's pentest." It asks "show me the trend." Continuous testing answers that natively.
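The weekly rescan in Pattern 2 (diff this week's findings against last week's, open a ticket only for what is new) and the triage protocol above (P0 pages someone, P1 opens a ticket, P2 waits for the weekly review) are the same small piece of plumbing seen from two sides. The following is an added example, not Fleuret's code or any scanner's output format; the finding record shape, the fingerprint fields, the mapping of scanner severities onto P0/P1/P2, and the host names are all assumptions of the example. The one detail worth getting right is the fingerprint: it is built only from where the finding is and what check fired, so a severity rescore or fresh evidence on an old finding does not show up as a "new" finding and page someone twice.

```python
"""Weekly finding diff plus severity-to-action routing (added example).

Assumed finding record: {"target", "location", "check", "severity"}.
Constructed sample data; not real scan output.
"""
import hashlib
import json

# Assumed mapping of scanner severities onto the triage protocol's P0/P1/P2.
PRIORITY_BY_SEVERITY = {"critical": "P0", "high": "P1", "medium": "P2", "low": "P2"}
# The protocol itself: P0 pages someone, P1 opens a ticket, P2 goes to the weekly review.
ACTION_BY_PRIORITY = {"P0": "page", "P1": "ticket", "P2": "weekly_review"}


def fingerprint(finding):
    """Stable identity of a finding across scans.

    Only target, location and check id go in. Severity, timestamps and
    evidence are excluded on purpose: a rescore or a new request sample
    must not turn a known finding into a "new" one.
    """
    key = json.dumps(
        {"target": finding["target"], "location": finding["location"], "check": finding["check"]},
        sort_keys=True,
    )
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def diff_findings(previous, current):
    """Split the current scan into new, resolved, persisting and rescored findings."""
    prev = {fingerprint(f): f for f in previous}
    curr = {fingerprint(f): f for f in current}
    persisting = [curr[k] for k in curr if k in prev]
    return {
        "new": [curr[k] for k in curr if k not in prev],
        "resolved": [prev[k] for k in prev if k not in curr],
        "persisting": persisting,
        # Same finding, different severity: worth a note in the weekly review, not a new ticket.
        "rescored": [f for f in persisting if f["severity"] != prev[fingerprint(f)]["severity"]],
    }


def route(finding):
    """Map one finding to (priority, action); unknown severities default to P2."""
    priority = PRIORITY_BY_SEVERITY.get(finding["severity"].lower(), "P2")
    return priority, ACTION_BY_PRIORITY[priority]


def weekly_triage(previous, current):
    """Diff two weekly scans and bucket only the NEW findings by action."""
    delta = diff_findings(previous, current)
    actions = {"page": [], "ticket": [], "weekly_review": []}
    for f in delta["new"]:
        priority, action = route(f)
        actions[action].append({"fingerprint": fingerprint(f), "priority": priority, **f})
    return {"delta": delta, "actions": actions}


# Constructed sample scans (hosts under .test, check ids invented for the example).
LAST_WEEK = [
    {"target": "api.example.test", "location": "/v1/users/{id}", "check": "idor-object-access", "severity": "high"},
    {"target": "app.example.test", "location": "/login", "check": "missing-rate-limit", "severity": "medium"},
    {"target": "app.example.test", "location": "/", "check": "missing-csp-header", "severity": "low"},
]
THIS_WEEK = [
    # Same finding as last week, rescored by the scanner: must NOT be treated as new.
    {"target": "api.example.test", "location": "/v1/users/{id}", "check": "idor-object-access", "severity": "critical"},
    {"target": "app.example.test", "location": "/", "check": "missing-csp-header", "severity": "low"},
    # Endpoint shipped this week: genuinely new, and critical, so it pages.
    {"target": "api.example.test", "location": "/v1/export", "check": "auth-bypass", "severity": "critical"},
    # New high finding: opens a ticket.
    {"target": "app.example.test", "location": "/settings", "check": "csrf-missing-token", "severity": "high"},
]

if __name__ == "__main__":
    result = weekly_triage(LAST_WEEK, THIS_WEEK)
    for action, items in result["actions"].items():
        for item in items:
            print(f"{action:14} {item['priority']} {item['target']}{item['location']} {item['check']}")
    print("resolved:", [f["check"] for f in result["delta"]["resolved"]])
    print("rescored:", [f["check"] for f in result["delta"]["rescored"]])
```

In a real pipeline the `actions["ticket"]` list is what gets pushed to Jira and `actions["page"]` is what hits the on-call rota; `delta["resolved"]` is the evidence trail an auditor asking for "the trend" actually wants, since it shows time-to-fix rather than a point-in-time snapshot.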
Pricing that actually works for continuous
The annual €25,000 pentest cannot scale to weekly. The math does not work. The shift requires a subscription that prices the platform, not the engagement.
At Fleuret we list a continuous tier at €35,000 a year: unlimited scans, weekly automated rescans, Jira push per finding, and DORA-mapped audit PDFs with offline-verifiable Ed25519 signatures. Same price as one boutique pentest, run every week.
If you ship to production more than once a year and your pentest cadence does not match, let's talk.
Related reading
- Continuous AI pentesting and NIS2: why regulators no longer accept annual snapshots.
- DORA pentest requirements 2026: the new EU finance baseline on cadence.
- Pentest cost in Europe 2026: what continuous testing actually costs.
- The compliance workflow moat: Jira plus signed audit PDF plus board export.