Most UK organisations pen test once a year. The timing is usually driven by an audit, a contract requirement or a customer security questionnaire rather than a deliberate risk decision. That’s understandable, but it means many businesses are unknowingly accepting significant gaps between tests. Getting your penetration test frequency right means working backwards from your actual risk, not forwards from what’s easiest to schedule.
For some businesses, annual testing is genuinely adequate. For others, it leaves months of exposed attack surface between a significant infrastructure change and the next formal assessment. The difference lies in three things: how fast your systems change, what your compliance obligations require, and how sensitive the data you hold actually is.
Where the Annual Default Came From
The once-a-year norm has regulatory roots. PCI DSS, which governs how organisations process card payments, mandates at least one penetration test per year for cardholder data environments. ISO 27001 requires regular assessments without specifying a frequency; certified organisations typically test annually as the accepted standard. Cyber Essentials Plus, the UK government’s baseline security certification, requires annual renewal with hands-on technical verification.
So the minimum across most major frameworks converged on one test per year, and that became the default. The problem is that most businesses treat the minimum as the target.
The NCSC makes the limitation clear: “It’s not uncommon for a year or more to elapse between penetration tests. Vulnerabilities could exist for long periods of time without you knowing about them.” A penetration test tells you where you stood on the day the tester arrived. It says nothing about what you changed in the ten months that followed.
When Annual Testing Falls Short
Annual testing creates a meaningful vulnerability window whenever your environment moves faster than your testing schedule. Choosing a higher penetration test frequency is how you close that gap. Consider a business that migrates a core application to cloud, adds a new customer API and onboards a third-party payment integration, all in a twelve-month period. Each of these changes alters the attack surface. None of them is covered by the previous year’s penetration test. If the annual test was in January and all three changes landed between February and November, the business is running on a verified baseline that bears little resemblance to its actual environment.
This is not a theoretical concern. Web application and API vulnerabilities are consistently the most common and critical findings in external penetration tests. New integrations frequently introduce authentication flaws, exposed endpoints and misconfigured access controls that the previous year’s test could not have covered.
Five Factors That Shape Your Penetration Test Frequency
Your sector and the sensitivity of your data
Financial services, healthcare and legal organisations hold high-value, consistently targeted data. The threat model for a law firm processing client financial instructions is materially different from that of a small consultancy with a brochure website. Quarterly testing is a reasonable benchmark for high-risk sectors. Annual testing works for lower-risk environments where the data held is less sensitive and the threat exposure is lower.
How frequently your systems change
Rate of change is probably the single most important factor in setting testing frequency. A business with a stable internal network, one customer-facing website updated quarterly and no significant cloud footprint can defend an annual test. A business that ships code weekly, integrates new third-party platforms regularly or manages a large and expanding cloud footprint should test far more often. Each significant change resets your risk picture.
Your specific compliance obligations
Several frameworks set explicit floors:
- PCI DSS Requirement 11.4: Annual testing of the cardholder data environment, plus segmentation testing every six months where network segmentation reduces compliance scope. Additional testing is also required after significant changes to in-scope systems.
- ISO 27001: Annual testing is standard practice for certified organisations, with additional tests expected following material changes.
- NHS DSPT and DTAC: Annual testing is the minimum for NHS digital systems and health technology vendors.
- FCA-regulated firms: Regular penetration testing is expected alongside CBEST and STAR intelligence-led assessments, which run on separate two-to-three-year cycles.
GDPR and the UK Data Protection Act do not specify a frequency, but both require appropriate technical security measures. Annual testing satisfies this for most businesses; processing special category data at scale raises the expectation.
Previous security incidents
Any organisation that has been breached should retest once the incident is contained and remediated. The post-incident test is not optional. It’s the only way to confirm that the vulnerability was actually fixed and that the attacker left no persistence in the environment. Skipping this step is a common and consequential mistake.
Your cyber insurance policy
Many UK cyber insurers now require evidence of penetration testing as a condition of cover. Annual testing is the most common stated requirement. Some policies also include conditions around testing after major infrastructure changes. Read the policy, not the summary. Coverage gaps discovered after a breach are expensive.
Events That Override the Schedule
A planned frequency covers planned operations. These situations call for an immediate additional test regardless of when the last one ran:
- Launching a new web application or API. Test it before or shortly after it goes live. Web applications and APIs are the most consistently productive areas for external testers.
- Major infrastructure changes. Cloud migration, new network segments, significant perimeter changes, or a major expansion of remote access change what an attacker can reach.
- Acquisitions. You inherit the security posture of any business you acquire. Test acquired systems before integrating them with your main environment.
- Security incidents. After an attack or a serious near-miss, once contained, a full test verifies your remediation and checks for persistence.
- Significant access control changes. Major changes to identity management, authentication systems or privilege structures are worth verifying through testing.
Penetration Test Frequency by Organisation Type
| Profile | Recommended penetration test frequency |
|---|---|
| Small business, stable environment, no regulated data | Annual |
| Growing SME, moderate risk, regular changes | Semi-annual |
| Regulated sector or frequent deployments | Quarterly |
| Continuous development or large attack surface | Quarterly minimum, with automated testing in between |
| Major financial institution or healthcare provider | Quarterly or continuous |
These are starting points. Your compliance obligations set a floor for your penetration test frequency; your risk profile and the pace at which your environment changes should push you above it.
The Cost Argument for Testing More Often
More frequent testing costs more. But the comparison matters. IBM’s 2024 Cost of a Data Breach Report recorded an average global breach cost of $4.88 million. A second penetration test adds a modest cost to your security programme. Each test shortens the window between when a vulnerability is introduced and when it’s discovered and fixed. Extend that window and you extend your exposure.
The stronger argument is not about breach costs, though. It is about what a penetration test actually does: it tells you whether your controls work. If your controls changed significantly since the last test, you do not know whether they work. Getting your penetration test frequency right is how you keep that answer current. For organisations in high-risk sectors or those changing rapidly, operating without that answer is not a reasonable position.
If your business is outgrowing an annual testing cycle but you’re not sure where to start, Aardwolf Security offers scoped penetration testing designed around your environment and budget. We can help you identify the assets that carry the most risk and build a testing programme that keeps your coverage current. Talk to us about what a sensible frequency looks like for your organisation.
Frequently Asked Questions
Is annual testing enough for Cyber Essentials Plus?
Cyber Essentials Plus requires annual certification renewal, which includes hands-on technical verification of the five baseline control areas. That satisfies the certification. But Cyber Essentials Plus covers a defined set of basic controls; it does not substitute for a comprehensive penetration test of your full environment, and it was never designed to. Organisations serious about their security posture treat both as separate, complementary requirements.
If we can’t afford quarterly testing, how should we prioritise our penetration test frequency?
Test your highest-risk assets most frequently. A focused, scoped engagement on your internet-facing applications and any environment that handles regulated data delivers targeted value. Annual full-scope assessments combined with focused tests after significant changes often give better value than a broader but shallower quarterly sweep. Scope decisions matter as much as frequency decisions.
Can we do internal security testing between formal penetration tests?
Yes, and you should. Internal vulnerability scanning, code review and configuration audits all catch issues between formal tests. But they are not substitutes. A skilled penetration tester finds vulnerabilities that scanners miss, chains findings across systems, tests authentication and authorisation logic, and exercises privilege escalation paths. Treat internal testing as a complement to formal assessments, not a replacement.
What happens if we skip a test due to budget constraints?
The gap isn’t just a missed audit point. Any vulnerability introduced after your last test remains unknown and unaddressed until your next one. For compliance reasons, a missed test can also affect your certification status or your cyber insurance cover. Where budget is genuinely tight, narrow the scope rather than defer the test entirely.
How do we justify increasing our penetration test frequency to senior management?
Frame it as an exposure window rather than a cost per test. If your systems changed significantly since the last test, you are operating with an unverified security baseline. Senior management generally responds to that framing more clearly than to abstract comparisons of testing budgets with breach statistics.