Your attacker knows when your last pen test was 

Annual penetration testing doesn't just fail to keep pace with your attack surface. It operates on a calendar your adversaries can read. CovertSwarm COO Luke Potter on the reconnaissance signals that make your testing rhythm visible, and the logic that keeps security leaders locked into a model they know is broken.

Your attacker doesn't follow your calendar

Not because they’ve compromised your ticketing system. Because your testing cadence is easier to read than you think. 

The window they’re already working in 

A competent threat actor targeting your organisation does not begin with exploitation. They begin with research. 

They read job ads. “Annual security assessments.” “Supporting our yearly pen test programme.” They read compliance badges and renewal dates, procurement frameworks, tender cycles, consultant LinkedIn posts, and hiring language about remediating findings after the annual audit. None of this looks sensitive in isolation. To a patient adversary, it looks like a calendar. 

The inference does not need to be perfect. If your formal offensive assessment ran in Q4, Q2 and Q3 become interesting. If supplier onboarding peaks after budget approval, that period becomes interesting. If a major product launch has just gone live, the weeks after the test — not the week of the test — become interesting. Your cadence tells them when you are least likely to be looking with the same intensity. 

To a threat actor, a known quiet period is not empty space. It is an operational opportunity. 

This is the window where the live environment stops resembling the assessed environment. Cloud accounts, code releases, suppliers, SaaS tools, identity permissions, helpdesk processes, M&A activity, contractors, brand campaigns: the attack surface does not stay still. A report dated four months ago may still be accurate as a record. It is not necessarily useful as assurance. 

The data is moving in the same direction 

Verizon’s 2025 Data Breach Investigations Report found that third-party involvement in breaches doubled year-on-year from 15% to 30%. 

Mandiant’s M-Trends 2026, based on more than 500,000 hours of frontline investigations, found that global median dwell time rose to 14 days. It also found that the median time from initial access to hand-off collapsed from more than eight hours in 2022 to 22 seconds in 2025. 

So the quiet period is not quiet. It is noisy with change. It is quiet only in the sense that no one you are paying is behaving like the threat. 

AI has made that gap more valuable 

AI has not automated the threat. It has accelerated and democratised it. 

Reconnaissance is cheaper. Surface mapping is faster. Exploit chaining is moving toward machine speed. Phishing, vishing and identity abuse are becoming more scalable, more convincing and easier to iterate. The point is not that every adversary is now an autonomous AI agent. The point is that a capable adversary can now do more, sooner, with less friction. 

That matters because annual testing is already a friction-heavy model. Scope has to be agreed. Dates arranged. Rules signed. Access provisioned. Findings validated. Reports written. Remediation scheduled. All of that may be necessary for governance. None of it changes the fact that adversaries are not waiting for your next slot in the testing calendar. 

AI also exposes the weakness of the traditional output. If a tool can produce a longer vulnerability list at lower cost, then a longer list is no longer the source of value. The value is knowing which weakness can actually be chained into a breach against this organisation, this month, using the same mix of digital, social and physical attack paths a real adversary would use. 

Why organisations keep arriving at the same outcome 

Every CISO reading this understands the problem. The honest question is not whether annual testing is insufficient. It is why organisations that know this keep buying the same outcome. 

First, budget. Offensive testing often sits in a project, compliance or audit line, not as an operational control. It is scoped, delivered, closed and renewed. Moving to continuous adversarial assurance means reclassifying spend, changing contract models and having a harder conversation with finance and procurement. Renewing the known thing is easier than redesigning the thing, even when the known thing no longer matches the threat. 

Second, the report. Annual testing produces an artefact. That artefact goes to the audit committee, lands in board packs, and proves that something happened. Continuous assurance produces a live view of changing risk. It is more useful operationally, but less familiar as governance theatre. The report becomes organisational currency. It is not valued because it proves safety. It is valued because it proves activity. 

Third, vendor incentives. This is the part the offensive security industry has not been honest enough about. 

The traditional penetration testing model rewards findings. A bigger list looks like more work. More work looks like more value. More value leads to renewal. The commercial model does not naturally reward sustained adversarial pressure, accumulated client context, or returning month after month to test what has changed. 

It rewards closing the engagement. 

That is not how attackers operate. A patient adversary does not forget what they learned last quarter. They remember your architecture. They remember your suppliers. They remember which controls almost worked, which processes bent under pressure, and which individuals or teams responded in predictable ways. Then they come back with that context and look for what has changed. 

If your testing model does not compound knowledge in the same way, you are giving the real adversary a structural advantage. 

This is uncomfortable to say, because it describes parts of our own industry. But it is true, and organisations still buying on that model deserve to hear it plainly. 

The question worth asking 

If someone who knew exactly how your attack surface had changed in the last twelve months sat across from you and asked whether your current testing programme would have found what changed, could you answer yes without hesitation? 

If there is any pause, the question is not which vendor runs a better annual test. 

The question is why your offensive assurance still operates on a calendar your attacker can read. 

Your defensive controls are continuous. Your attack surface changes continuously. Your adversaries operate continuously. 

Why is your offence the only thing still waiting for next year?

If you want to understand what an attacker sees when they look at your organisation, we can show you.