For years, the pentest (short for penetration test) has been a cornerstone of enterprise security. By simulating an authorized cyberattack, pentests aim to surface unseen vulnerabilities before a real attacker does.
But the threat landscape has evolved—and fast. According to TechTarget, more than 30,000 new vulnerabilities were disclosed last year alone, marking a 17% year-over-year increase. Zero-days are discovered daily. The speed and scale of modern threats are leaving many traditional pentesting approaches behind.
Cobalt’s 2025 State of Pentesting Report revealed that only 8% of organizations conduct pentests continuously. That means for the vast majority, days—or even months—can pass between assessments, during which attackers may find and exploit unknown vulnerabilities. Pentesting still matters—but how it's implemented needs a serious update.
Why pentests still matter
Despite its limitations, the pentest remains an essential security measure. No matter how mature an organization’s security posture may be, new tools, services, and updates constantly introduce fresh risk.
Pentesting is one of the few ways to uncover the blind spots in a depth that other tools can’t. It replicates real-world attacker behavior—exposing flaws your internal team may not see. These tests demonstrate exploitability and show how an attacker could chain issues together to breach critical systems.
The benefits don’t end at discovery. Most pentest engagements include detailed analysis of the scoped issue and remediation guidance, helping teams strengthen defenses and refine incident response plans. And the insights are broad—2024’s most common findings included server misconfigurations, missing access controls, and insufficient security configurability. Nearly 44% of pentests uncover between one and five actionable findings.
The limitations of manual pentesting
Pentesting, however, is not without its challenges.
First, the cost. External pentest engagements can range from a few hundred to over $100,000, with Cybercrime Magazine estimating the average at $18,000. Even in-house pentesting incurs significant resource costs.
Second, the disruption. Manual pentests often interfere with production environments and require coordination across teams. To reduce impact, they’re frequently run outside of business hours—adding burden to teams and failing to capture how an attack might unfold during normal operations.
Another key limitation of traditional pentests is scope. Most penetration tests are tightly defined engagements—targeting only specific segments of an organization’s infrastructure. These scoped assessments often exclude entire departments, business units, cloud environments, or third-party integrations.
But the biggest issue is timing. A pentest provides only a snapshot. Run them too often, and you overload your team. Wait too long, and you risk leaving exploitable vulnerabilities untouched. That helps explain the wide variance in frequency: 18% of organizations test monthly, 1% every two years, and a concerning 13% don’t run pentests at all, per Core Security’s 2023 report.
Should you still be pentesting in 2025?
Yes, but as part of a balanced security posture.
The value of a pentest lies in how it's executed and how frequently. Manual, standalone pentests are no longer enough to protect against continuous, AI-accelerated threats.
Instead, organizations should modernize their pentesting strategy by incorporating automation. Automated pentests run in the background, detect issues in real-time, and enable faster remediation. They reduce the operational burden on security teams, freeing them to focus on strategic initiatives rather than repetitive testing cycles.
By bridging assessment gaps, automated pentesting offers a practical way to match the pace of development without sacrificing coverage or speed.
How to upgrade your pentesting strategy for 2025
Pentesting must now operate as part of a larger, integrated offensive security strategy. In today’s ecosystem, threats are continuous, opportunistic, and increasingly automated. Your testing program must be, too.
Consider complementing your pentest program with:
- Attack Surface Management (ASM) to continuously discover exposed assets
- Bug bounty programs for broader, crowdsourced testing
- Continuous Threat Exposure Management (CTEM) for full-cycle validation and prioritization
- Third-party and AI risk assessments, especially as your digital footprint grows
Why is this shift necessary? Because attackers aren’t waiting. Research shows that threat actors begin scanning for new vulnerabilities within 15 minutes of public disclosure. Security can no longer be scheduled—it must be continuous and adaptive.
Rebuilding the pentest
Don’t retire the pentest. Rebuild the pentest.
Manual pentests still have value—but they must be part of a broader, automated, continuous defense strategy. In 2025, modern security means validating exposures at scale, in real time, and with the attacker’s mindset in mind.
Automated pentesting isn’t the end of the pentest. It’s its evolution.
