Monthly penetration testing is a common question among larger organizations and organizations that are serious about improving their security, but is it excessive?
The answer is: it depends.
For one organization, a penetration test every month may be sufficient: it has very mature security controls in place, and the testing is a good way to exercise those capabilities. Another organization may be overwhelmed by the results and not have enough time to remediate the discovered vulnerabilities before the next test. The approach I recommend as better (and more cost-efficient) is quarterly penetration testing, but you have several options if you still want monthly coverage.
Here are three options you can use instead of monthly penetration testing that will provide similar results:
- Monthly vulnerability scanning and bi-annual penetration testing. This option lets you track remediation every month and schedule two penetration tests a year, spread out however best suits your organization.
- Quarterly vulnerability scanning and bi-annual penetration testing. This option gives you more time to plan and more time to remediate discovered vulnerabilities; it is the approach I most commonly recommend.
- Quarterly penetration testing and quarterly vulnerability scanning. If you have the budget, this is a great way to reduce your threat surface by revealing whether and how a threat actor could break into your organization. It will also surface the small misconfigurations that may not let a malicious actor in on their own, but could aid an attacker or otherwise weaken the security of the organization.
Reach out to Black Hat Pen-Test to learn more about our penetration testing and vulnerability scanning recommendations for your organization.