
Constant Cyber Attack: What People Keep Getting Wrong

There are a lot of terms floating around offensive security right now. COST. CTEM. Exposure validation. Some of it is useful. Most of it is new wrapping paper on old delivery. This is what continuous offensive security testing actually needs to look like.


There are a lot of terms floating around offensive security right now. 

Continuous offensive security testing (COST). Exposure validation. Attack surface this. Continuous Threat Exposure Management (CTEM) that. 

Some of it is useful. A lot of it is just new wrapping paper on old delivery. 

Because underneath all of it, most organisations are still stuck with the same problem they had years ago: a long list of findings, a compliance programme that looks busy, and very little confidence in what a real attacker could actually do. 

That’s the bit we care about. 

Not how many things could be wrong in theory. Not how many reports got delivered this quarter. Not whether a scanner found 200 more issues than last month. 

What matters is much simpler than that. 

If a real attacker targeted your organisation today, what would actually happen? 

That is the entire point of Constant Cyber Attack. 

This was never about “more testing” 

One of the biggest misunderstandings about CovertSwarm is that people hear the word “constant” and assume we mean more pentesting. Or pentesting more often. Or pentesting on a subscription. 

We don’t. 

Constant Cyber Attack is not a prettier wrapper around the same old model. It is not a rolling set of scoped engagements with a different commercial structure. And it definitely is not vulnerability scanning dressed up as offensive security. 

Attackers do not care about your testing window. 

They do not care that the statement of work expired last Friday. 

They do not care that this month is supposed to be web apps and next month is meant to be internal infrastructure. 

They care about one thing: getting to an outcome. 

That is the mindset we simulate. That is the gap we built this company around. It is also why CovertSwarm positions Constant Cyber Attack as a subscription built around relentless, full-spectrum attack campaigns rather than one-off engagements.

The industry still optimises for activity 

Too much of this market still rewards activity instead of proof. 

How many vulnerabilities were found. How many test days were used. How many assets were scanned. How many tickets were raised. 

That all sounds productive. It all looks nice in a board pack. 

But it does not answer the question the CISO actually cares about, which is whether any of it translates into genuine attacker opportunity. 

This is where most offensive security programmes lose the plot. 

Probability is not proof. 

A vulnerability score is not proof. A red-amber-green dashboard is not proof. A list of theoretical attack paths is not proof. 

Proof is establishing whether an attacker can get in, move, persist, evade, and reach something that matters. 

That is a very different standard. And it requires a very different model. 

So what does Constant Cyber Attack actually look like? 

This is the part people usually want, and the part most vendors are least comfortable explaining. 

So here it is. 

We start with what matters. 

Not a giant shopping list of assets. Not a vague ambition to “test everything”. Not an exercise in seeing how much we can fit into a fixed number of consultant days. 

We start with crown jewels. Business-critical systems. Sensitive workflows. Assumptions the organisation is making about what is and is not defensible. The objectives an attacker would actually care about if they were trying to cause damage, steal data, move money, disrupt operations, or build persistence. 

From there, we build attack hypotheses. 

Where are the likely entry points? What trust relationships exist? What is exposed that should not be? What has changed? What would a patient attacker notice? What would an opportunistic one jump on immediately? 

Then we run campaigns against those hypotheses. 

Not isolated tests. Campaigns. 

That means attack activity that can begin in one place, pause, evolve, resume elsewhere, and build over time. It means something learned in month one can become relevant again in month six. It means the context is preserved. The intelligence is preserved. The adversary mindset is preserved. 

That continuity matters more than most of the market realises. 

Because in too many traditional engagements, Fred tested you in January, Sarah tested you in June, the two have never spoken to each other, and the customer is expected to mistake that for maturity.

It isn’t maturity. It’s fragmentation. 

Constant does not mean chaos 

Another thing worth clearing up: constant does not mean your internal teams are under siege every hour of every day. 

It means sustained adversarial validation over time. 

There is governance. There is structure. There is planning. There is coordination. There is a campaign rhythm. Pressure increases when the environment shifts or a new threat emerges. Sometimes the value comes from revisiting something old with new context. And sometimes the right move is to validate a fix, measure regression, and see whether defensive improvements actually changed the outcome.

This is not noise for the sake of noise. 

It is a deliberate operating model designed to reflect how attackers behave in the real world, without becoming a random source of pain for the customer. 

That distinction matters, because a lot of the industry has made “continuous” sound like a synonym for “always on”. It isn’t. Publicly, CovertSwarm describes its subscription model as monthly cycles with full-spectrum coverage, not uninterrupted chaos.

We care about outcomes, not output volume 

This is where the model really diverges. 

We are not trying to maximise findings. We are trying to validate outcomes. 

  • Can we establish initial access? 
  • Can we turn a low-severity issue into the start of a real attack chain? 
  • Can we move laterally? 
  • Can we exploit trust? 
  • Can we bypass controls that looked good on paper? 
  • Can we reach a crown jewel? 
  • Can your SOC see it? 
  • Can your detection engineering stack recognise it for what it is? 
  • Can your teams separate real risk from background noise? 

That is a much more useful conversation than arguing over whether a report should contain 47 findings or 83. 

Because customers do not need more volume. Most of them are already drowning in volume. What they need is clarity on what is genuinely dangerous in their environment. 

This only works if it plugs into the real security programme 

Another mistake this industry makes is treating offensive security like a side quest. 

Do a test. Drop a report. Present some findings. Leave. 

That might satisfy an obligation. It does not build confidence. 

Constant Cyber Attack only works properly when it is connected to the rest of the customer’s security ecosystem. That means detection teams getting signal they can use. It means remediation teams understanding what to fix first and why. It means leadership getting a view of actual attacker paths rather than just a pile of disconnected technical issues. 

It also means re-testing. Re-running. Re-validating. 

If a customer fixes something important, we want to know whether it is actually fixed. If a new exposure appears, we want to know whether it changes the attacker’s route to objective. If the environment evolves, the attack logic evolves with it. 

That is how a real adversary behaves. 

And if you are paying an offensive security company to simulate real adversaries, anything less should feel inadequate. 

The human bit matters most 

There is a lot of noise in the market right now around automation and AI, some of it sensible, some of it absolute nonsense. 

Our view is very simple. 

AI is awesome. Automation is awesome. Both are now non-negotiable if you want to move at the speed modern attackers are moving. 

But neither replaces human judgment. 

The repetitive groundwork of an attack can and should be accelerated: reconnaissance, mapping, pattern recognition, certain categories of enumeration, and repeatable validation tasks. That is exactly where machines can help. We’ve said publicly that our Red Team AI Division (RAID) exists to build and continuously advance those agentic capabilities inside Constant Cyber Attack, while keeping human operators at the centre of attack direction and judgment.

What they cannot do is replace intent. 

They cannot replace lateral thinking, or the experience required to decide which thread is worth pulling, when to escalate, when to hold back, how to chain weak signals into something meaningful, or how to simulate the behaviour of a real attacker whose objective is not “complete the checklist” but “win”. 

That human layer is where offensive security either becomes dangerous in the right way, or collapses into theatre. 

Why this matters now 

Because the old model is under more pressure than ever. 

Attackers are automating. Exploitation timelines are shrinking. The gap between disclosure and weaponisation is compressing. Security teams are under budget pressure. Most are overloaded already. More findings do not help them. Bigger spreadsheets do not help them. Louder dashboards do not help them. 

They need proof. 

They need prioritisation grounded in attacker reality. 

They need to know what is genuinely reachable, genuinely exploitable, and genuinely worth acting on first. 

That is why we built Constant Cyber Attack the way we did. 

Not because it sounds good. Not because Gartner has a phrase for it. Not because the market needed another acronym. 

Because the traditional model leaves too much to assumption, and attackers have never been in the business of respecting assumptions. 

Final thought 

There is a big difference between a security programme that looks active and one that is actually being validated against adversary behaviour. 

The former produces paperwork. 

The latter produces confidence. 

Constant Cyber Attack was built for the second one. 

And in a market still obsessed with counting findings, that difference matters more than ever. 


Luke joined CovertSwarm in 2022, bringing an extensive background in offensive security and penetration testing. As COO, he owns product, delivery, and operations, with a singular focus on ensuring Constant Cyber Attack delivers relentless, meaningful pressure on clients’ defences, cycle after cycle.