Back to Blog

The question comes up every time we finish an engagement. The report gets delivered, the executive summary gets read, and then someone asks: so when do we do this again? It's the right question to ask, and the answer is more specific than most security vendors let on.

Penetration test frequency isn't one-size-fits-all. The right cadence depends on your industry, your compliance obligations, how fast your environment changes, and what happened the last time you were tested. But there is a clear baseline, and from that baseline you can build a testing program that actually protects your business instead of just satisfying a checkbox.

The Short Answer

1x/yr
minimum for most businesses
2x/yr
for PCI DSS and high-risk HIPAA environments
+1
after any major infrastructure change

Annual testing is the floor. It satisfies most compliance frameworks, meets the majority of cyber insurance requirements, and gives you a structured cycle for finding and fixing vulnerabilities before an attacker finds them first. If you're not testing at least once a year, you're flying blind.

That said, annual testing alone is not enough for every organization. The rest of this guide explains who needs more, why, and how to build a practical program without breaking your budget.

Why Annual Is the Right Starting Point

Your network is not a static thing. Every new employee brings new devices. Every software update changes the attack surface. Every time IT provisions a new server, adjusts a firewall rule, or adds a vendor integration, something shifts. The network you tested in January looks meaningfully different by November.

Annual testing creates a forcing function. It gives your IT team a regular deadline that keeps security hygiene from slipping. It gives you documentation that your insurance carrier, your auditors, and your clients can point to. And it gives you year-over-year data — something that a one-time test can never provide.

We've worked with companies that went two or three years between assessments. Without exception, the findings were significantly worse than they expected — not because their IT team wasn't working hard, but because unchecked configuration drift, accumulated permissions, and deferred patches compound quietly until someone puts external eyes on the environment.

Annual testing isn't about finding the same problems every year. It's about proving you fixed last year's problems and catching what changed in the meantime.

When You Need to Test More Frequently

You're subject to PCI DSS

PCI DSS Requirement 11.4
Annual + After Significant Changes

PCI DSS requires both internal and external penetration testing at least annually, covering the cardholder data environment and systems that could impact it. But the clause that catches most businesses off guard is the "after significant changes" requirement. Any major infrastructure change affecting your CDE — new network segments, new applications, cloud migrations, major OS upgrades — triggers an additional test regardless of when your last annual assessment happened.

In practice, companies actively processing card data should plan for two full assessments per year. The annual test covers your baseline. A mid-year review catches the changes that accumulated since then and ensures your segmentation controls are still working the way your QSA expects them to.

You handle protected health information (HIPAA)

HIPAA Security Rule
Risk Analysis Requires Regular Technical Evaluation

HIPAA doesn't name penetration testing explicitly, but the Security Rule requires covered entities and business associates to conduct a thorough assessment of potential risks and vulnerabilities to ePHI. Regulators and auditors have consistently interpreted this to include periodic technical testing. Annual is the minimum expectation. For organizations with large ePHI environments, complex vendor relationships, or recent audit findings, semi-annual testing is the defensible standard.

After a HIPAA breach, OCR investigations routinely find that organizations hadn't conducted a current risk analysis. A penetration test is the technical component that closes that gap. If patient data was accessible during testing — which we see more often than we should — that finding needs to be documented, remediated, and verified before you can claim your risk analysis is current.

Your environment just changed significantly

A penetration test is a point-in-time assessment. It answers one question: given what's in your environment right now, what can an attacker do? The moment your environment changes substantially, that answer is partially obsolete. Changes that should trigger an unscheduled test include:

You've had a security incident

If your organization experienced a breach, a ransomware incident, or a near-miss that forced an emergency response, a penetration test should be part of your recovery plan — separate from the forensic investigation. The forensic work tells you what happened. The post-incident pentest tells you whether your remediation actually closed the gaps and didn't create new ones in the process. These are different questions, and both need answers before you can honestly say you're back to baseline.

Your industry faces elevated targeting

Healthcare, financial services, legal, and manufacturing organizations face disproportionately high attack rates. Ransomware groups specifically target industries where operational disruption is immediately costly and where the pressure to pay is highest. If your industry is consistently appearing in breach reports, annual testing may not be enough to keep pace with the threat actors actively developing tools to compromise environments like yours.

How the Right Frequency Maps to Different Business Types

Business Type Recommended Frequency Primary Driver
General SMB (no regulated data) Annual Insurance, basic hygiene, board accountability
PCI DSS environment 2x/year + after changes Requirement 11.4 (annual + change-triggered)
HIPAA covered entity or BA Annual to 2x/year Risk analysis obligations, OCR expectations
SOC 2 Type II pursuit Annual CC7.1/CC7.2 security criteria, auditor requirement
CMMC Level 2+ Annual Periodic security assessment requirements
Post-incident recovery Immediately post-remediation Validate that the breach vector was closed
Post-major-change Within 90 days of change New attack surface, stale prior results

What Happens When You Test Too Infrequently

Some businesses treat a penetration test as a one-time event — something they do once to satisfy an insurance application or a vendor questionnaire, then file and forget. The practical consequences of that approach show up in three ways.

Configuration drift goes undetected. Over 12 to 24 months without an assessment, environments accumulate changes that no single person tracks in full. Service accounts get created and never deprovisioned. An IT contractor opens a firewall rule for a project and doesn't close it when the project ends. A server gets added to the environment with default credentials because it was a "temporary" deployment that became permanent. None of these are negligence. They're the normal noise of a functioning business. A penetration test cuts through that noise.

New vulnerability classes emerge. The threat landscape from 18 months ago is meaningfully different from today's. Vulnerabilities disclosed in the past year, new attack techniques documented by threat researchers, and evolving attacker tradecraft all affect what a current test will find. A test from two years ago didn't check for vulnerability classes that didn't exist yet.

You lose the baseline. One of the most valuable outputs of regular penetration testing is the trend. Your first test might identify 20 vulnerabilities, four of them critical. Your second test should find fewer criticals. Your third should show faster remediation times and lower overall exposure. That trajectory is evidence that your security investments are working. Without the data, you're spending on security controls with no objective measure of their effectiveness.

Building Your Testing Calendar

Q1
Annual Penetration Test

Schedule your primary assessment early in the year. This creates a clean cycle with enough runway to remediate before insurance renewals and compliance audits, which tend to cluster in Q3 and Q4. For most SMBs, a combined internal and external network assessment is the right scope for the annual engagement.

Q2
Remediation and Retest

Work through the findings from Q1, prioritized by severity. Critical and high-severity findings should be addressed within 30 days of report delivery. The retest validates that the fixes work and produces the supplemental report your insurance carrier or auditor needs to see. Most reputable firms include a retest in their engagement price — if yours doesn't, that's worth negotiating.

Q3
Lightweight Mid-Year Review

This doesn't need to be a full engagement. A targeted vulnerability scan with manual validation of high-priority systems catches new exposures that emerged since Q1. It's a lower-cost checkpoint that keeps your security posture current without the full overhead of another scoped assessment.

Q4
Compliance and Renewal Package

Compile the year's testing evidence: the Q1 report, retest results, and remediation documentation. This package supports insurance renewals, SOC 2 audits, and board-level reporting. If any triggered events happened during the year — a major infrastructure change, an incident, a new acquisition — confirm that the appropriate additional testing is documented and complete before the year closes.

What About Penetration Testing as a Service?

Some vendors offer continuous or subscription-based penetration testing programs — monthly or quarterly assessments combined with automated scanning. For most SMBs with relatively stable environments, this is more than necessary. The incremental value above a structured annual program is marginal unless your environment changes frequently or you maintain a large portfolio of web applications with active development cycles.

Where continuous programs make sense: companies deploying software updates weekly, organizations with DevSecOps pipelines that need security validation embedded in the release process, or enterprises with enough infrastructure that a single annual assessment can't realistically cover the full scope. For a 50- to 200-person business with standard network infrastructure, annual testing plus a mid-year review is the right fit at a fraction of the cost.

The Insurance Dimension

Cyber insurance has shifted from a nice-to-have to a practical requirement for most businesses, and carriers have gotten significantly more specific about what they expect. Most now require annual penetration testing for policy renewal. Some require the actual report, not just a checkbox on an application.

The details matter. Carriers are increasingly specifying that both internal and external testing must be included. Some require testing completed within the prior six months, not twelve. Some want evidence that critical findings were remediated before renewal. And carriers that see consistent annual testing with documented improvement trends are more likely to offer favorable rates than those reviewing a one-time test from three years ago.

The relationship between penetration testing and insurance premiums is direct enough that for many businesses, the annual test pays for itself through the impact on renewal pricing. That's before accounting for the value of finding a critical vulnerability before an attacker does.

The Bottom Line on Penetration Test Frequency

Annual is the floor. It is not ambitious. It is the minimum responsible cadence for any business that takes its security posture seriously and wants to have evidence to back that up.

From that baseline: add a second assessment per year if you're subject to PCI DSS or carry significant HIPAA risk. Add an unscheduled test whenever a major infrastructure change introduces new attack surface. Add a post-incident test whenever a breach or near-miss demands validation that your remediation actually worked.

The companies that build a consistent testing program see compounding returns. Each engagement is more efficient because the testing firm knows the environment. Each report shows measurable improvement because the team knows the test is coming. And each year, you build a documented track record that makes conversations with insurers, auditors, and clients straightforward instead of uncomfortable.

If you're not sure where to start, the answer is simple: schedule an annual test, build from there, and don't wait for a breach to make the decision for you.

Ready to Set the Right Testing Cadence?

We'll help you scope the right engagement for your environment, build a testing calendar that fits your compliance requirements, and give you a straightforward quote with no surprises.

Schedule a Scoping Call