Organisations shift to continuous testing in security
Wed, 17th Jun 2026
Cobalt has published Omdia research on how organisations are changing their offensive security strategies. The survey found that many security leaders now favour continuous testing over traditional point-in-time penetration tests.
The study surveyed 400 IT and cybersecurity professionals in North America responsible for developing and managing offensive security strategies. Its findings suggest security teams are adjusting their approach as artificial intelligence changes both how attackers operate and how defensive work is carried out.
More than half of respondents said older approaches are no longer keeping pace. Some 53% said traditional offensive security strategies provide a static view that is already obsolete by the time reports are delivered.
That view appears to be shaping buying and deployment decisions. The research found that 58% of organisations already use pentesting as a service, or PTaaS, making it the most widely adopted offensive security model in the survey.
Spending plans also point to a broader shift in priorities. According to the findings, 88% of respondents expect to increase spending on offensive security technologies over the next 12 months. Of those, 65% plan moderate increases and 23% significant increases.
Human oversight
Even as automation takes on a larger role, respondents said human input remains central. The survey found that 94% of organisations see keeping humans in the loop as important for offensive security programmes.
At the same time, many expect day-to-day work to change. Some 60% said analysts are likely to shift from carrying out offensive security tasks themselves to supervising autonomous workflows.
Together, those findings suggest companies are not simply replacing manual testing with automated tools. Instead, they are reshaping security teams around oversight, judgement and ongoing validation while software handles more repetitive work.
The results point to a move away from annual or periodic testing cycles. In practice, that means organisations want security checks that align more closely with fast software release schedules and shifting attack surfaces.
Gunter Ollmann, Chief Technology Officer at Cobalt, said the pace of attacks is forcing companies to revisit long-established methods. "Organisations are facing a new reality where attackers can move faster, automate more activity, and exploit vulnerabilities at unprecedented speed," Ollmann said. "The answer isn't removing humans from security programs. It's combining human expertise with AI-powered automation to create continuous offensive security programs that can identify, validate, prioritize, and remediate risk in real time. The future belongs to organizations that can scale expertise, not replace it."
Changing model
The findings add to a wider cybersecurity debate over whether periodic testing can still provide a useful picture of risk. Traditional penetration tests have long been used to identify weaknesses in systems, applications and networks, but critics argue the results can date quickly as code changes, cloud environments shift and new vulnerabilities emerge.
For companies with rapid development cycles, that problem becomes more pronounced. A report delivered after a fixed test may describe weaknesses that have already changed, been partly addressed or been overtaken by new risks elsewhere in the environment.
Against that backdrop, service models that support recurring or continuous testing have gained ground. PTaaS generally combines human testers with a platform for managing findings, retesting and collaboration with engineering or security teams.
The survey results suggest this model is now moving into the mainstream, at least among the professionals surveyed by Omdia. The fact that PTaaS is the most widely adopted model in the study indicates that organisations are seeking approaches that fit ongoing operational processes rather than one-off reviews.
Cobalt also pointed to growing interest in closer links between offensive security work and remediation workflows. That reflects a broader industry shift from identifying flaws alone to showing whether teams can verify and address them in a shorter cycle.
Ollmann said that change is becoming embedded in how organisations think about the discipline. "The market is moving toward a model where offensive security becomes an ongoing business process instead of an annual event," Ollmann said. "Organisations want real-time collaboration, continuous validation, and actionable results that help them improve resilience. That's exactly the direction the industry is heading."