Pentesting 101 – When to buy pentests and how often?

Fabiola Munguia
March 10, 2021

When do I need penetration testing?

Ideally, any system or software is tested before it goes into production, once it is no longer in a state of constant change (findings against a moving target are often stale by the time they are fixed). Typically, pentests are bought when:

  • a new business-critical feature has been developed and is about to be deployed
  • a new product is about to launch
  • systems or software are about to go into production

How often should I perform penetration testing?

As time goes on, new software is deployed and changes are made, and each change needs to be tested or retested. The following factors influence how often testing is needed:

Company size:

The bigger the company, the more attention it attracts from attackers, and the more often its systems should be pentested.

Budget:

Pentests are not cheap. Companies with a small budget typically pentest once a year; a larger budget allows more frequent testing.

Regulations of country/industry:

In some countries, such as the USA, pentests are required or expected by law, regulation or industry standard:

  • Medical Device Manufacturing
  • Healthcare Delivery - HIPAA Evaluation Standard (45 CFR § 164.308(a)(8)): requires periodic technical and non-technical evaluation of security controls; it does not name penetration testing explicitly, but pentests are a common way to satisfy it
  • Payment Card Industry Data Security Standard – PCI DSS – regular network monitoring and testing: quarterly internal and external vulnerability scans, and penetration testing at least annually and after any significant change (service providers must additionally test segmentation controls every six months)
  • Technology service organizations – SOC 2 (AICPA): the Trust Services Criteria do not prescribe a fixed pentest cadence, but auditors commonly expect at least annual penetration testing as evidence that the monitoring controls are operating effectively
  • Financial Industry Regulatory Authority (FINRA) - FINRA's cybersecurity guidance for broker-dealers, issued under the Securities Exchange Act of 1934, expects members to run a risk-based penetration testing program, typically through regularly rotated contracts with third-party cybersecurity firms (note that the often-cited 17 CFR § 240.17a-4(f) governs electronic record retention, not testing)

In the EU these practices are less heavily regulated. GDPR Article 32 requires companies to implement "appropriate technical and organisational measures" and, in Article 32(1)(d), "a process for regularly testing, assessing and evaluating the effectiveness" of those measures, but it does not say HOW to test; penetration testing is one accepted way to meet that obligation. New EU regulation in this area is expected, however.

