The annual penetration test was born in a world where software shipped quarterly and infrastructure changed slowly. A skilled tester would spend a week on-site, produce a report, and the organisation would spend the following months remediating. Rinse and repeat twelve months later.
That model has not kept pace with how applications are built and deployed today.
The speed problem
Modern development teams ship multiple times a day. Every deployment is a potential change to the attack surface - new endpoints, updated authentication flows, refactored business logic, third-party integrations. A point-in-time test conducted in January tells you very little about what your application looks like in June.
By the time a traditional engagement report lands in your inbox, the codebase it describes may have changed substantially. High-severity findings that were remediated in one PR can easily be reintroduced by another. The only way to stay ahead is to test continuously, or at least far more frequently than once a year.
The coverage problem
A week-long manual engagement typically achieves 60–70% application coverage. The tester prioritises the most critical areas, makes judgment calls about what to skip, and runs out of time before exploring every corner of the application. This is not a criticism of individual testers - it is a structural limitation of time-boxed manual work.
Authenticated flows are particularly underserved. Testing an application as a logged-in user with multiple role levels takes time to set up and execute thoroughly. In practice, many engagements spend the majority of their time on unauthenticated surfaces simply because the setup overhead leaves little time for anything else.
The consistency problem
Manual testing is inherently inconsistent. Two testers will make different decisions about where to focus, which payloads to try, and when to move on. This is not a flaw - human intuition and creativity are genuinely valuable in security testing. But it means that results vary significantly between engagements, making it difficult to measure improvement over time.
What a better model looks like
A better model combines the thoroughness of automated, systematic coverage with the depth and reasoning of skilled human analysis. Automated exploration handles the breadth problem - mapping the entire application surface, testing all endpoints consistently, and doing so on a cadence that matches your deployment frequency. Human experts handle scope definition, review of complex findings, and the judgment calls that require real-world context.
The goal is not to eliminate human testers - it is to multiply their impact by ensuring they spend their time on work that genuinely requires human expertise, rather than repetitive reconnaissance.