Trustcast - Why one-time pen testing isn’t enough
Rethinking security as a continuous process
In this episode of the Trustcast, we discuss this topic with Dave van der Zee, who shares insights from his experience working across multiple organizations as a security consultant. Today, organizations that treat penetration testing (pen testing) as a yearly checkbox are exposing themselves to significant and ongoing risks.
One of the most important takeaways is that every company operates at a different level of security maturity. Some organizations rely on annual pen tests, fixing only the most critical vulnerabilities and assuming they are safe until the next cycle. However, this approach ignores a crucial reality: IT environments constantly change. New features, updates, and configuration changes can introduce vulnerabilities at any time.
The myth of “fix once and you’re safe”
A common misconception among management teams is that resolving high-risk findings from a pen test is sufficient. In reality, vulnerabilities evolve. What was once considered low risk can become critical when combined with other weaknesses. For example, a minor misconfiguration might seem harmless on its own, but when paired with another vulnerability, it can grant attackers full system access.
This highlights a key principle: security risks don’t exist in isolation. They interact, stack, and change over time.
From reactive to continuous security
The podcast emphasizes the value of continuous testing and monitoring. Instead of dealing with a large backlog of vulnerabilities once a year, organizations benefit from addressing smaller issues on an ongoing basis. This creates a more manageable workflow and allows teams to prioritize effectively.
Continuous testing also helps organizations build a security-aware culture. Teams become accustomed to identifying, assessing, and resolving vulnerabilities as part of their daily operations, rather than reacting under pressure.
Still the weakest link
Despite advanced tools and frameworks, many breaches still stem from simple issues such as weak passwords or phishing attacks. Hackers often don’t target a specific company; they scan for easy entry points. Reused or compromised passwords remain one of the most common attack vectors.
The advice is clear: use unique, long passwords for every account, supported by password managers and multi-factor authentication. Convenience should never come at the cost of security.
Balancing security, cost, and usability
Not every organization needs the same level of testing. The frequency and depth of security efforts should align with business risk and impact. A large e-commerce platform losing uptime faces very different consequences than a small internal system.
Security is always a balance between:
- Risk exposure
- Operational impact
- Cost and resources
Collaboration is key
Effective security is about people, not just tools. The most efficient organizations enable direct collaboration between pentesters, engineers, and security teams. Removing unnecessary layers speeds up remediation and ensures vulnerabilities are addressed quickly and accurately.