Penetration testing service grows with rising security demands
As the volume and complexity of cyberthreats continue to grow, many organisations are now adopting Penetration Testing as a Service (PTaaS) – a model that supports more frequent, flexible and targeted testing, says IT security service provider Galix.
“The move towards PTaaS reflects broader shifts in enterprise IT and cybersecurity practices,” notes Galix managed security services operations manager Nemanja Krstić.
Following the Covid-19 pandemic, many organisations downsized their IT and security departments, which created operational challenges, particularly in maintaining infrastructure and safeguarding against increasingly sophisticated threats.
“A lot of IT and security teams went from being 20-strong, down to maybe five. That resulted in less emphasis on operations and less capacity for maintaining infrastructure and security on an ongoing basis,” explains Krstić.
PTaaS responds to this gap by combining automated vulnerability scanning with external expert analysis, offering scalable, repeatable penetration testing.
The model also enables organisations to conduct assessments more frequently without the same level of resource commitment required for traditional, manually driven penetration testing.
Krstić adds that “a penetration test of two weeks is quite a bit of time to keep resources away from other operational work . . . and not everyone on a security team has the calibre or experience of a dedicated penetration tester”.
Regulatory frameworks and standards have also evolved since the pandemic. Previously, many organisations were required to conduct one penetration test a year on high-value systems.
However, cybersecurity and data protection regulations increasingly recommend quarterly testing or even continuous assessments. This shift aligns with a broader recognition that static testing schedules are insufficient amid dynamic and persistent cyberthreats.
“A lot of standards have taken it up a notch. What used to be once a year became twice a year, and now it’s a quarterly requirement in many places,” says Krstić.
The growing number of exploitable vulnerabilities and rapid deployment of new technologies has also influenced the adoption of PTaaS.
Many IT teams operate on a fixed cycle, typically patching systems during scheduled maintenance windows. However, under this model, vulnerabilities emerge faster than they can be addressed.
Most teams work from a long list of vulnerabilities that they attend to every month and then move on. “The next scan reveals more vulnerabilities, and the process continues. Although the teams address the vulnerabilities, they often do not address the most important issues”, he adds.
PTaaS platforms not only identify these vulnerabilities but also provide contextual insights into their severity, potential exploitation paths and business impact. This enables security teams to prioritise remediation efforts more effectively.
“These services bring visibility and insight that internal teams might not have. Once you have that, you need to reorganise your operations accordingly.”
Following a framework is fine, but frameworks are a “ballpark”, while PTaaS shows where the actual priorities lie, Krstić adds.
Segmentation Testing
Another key feature of PTaaS is its ability to support network segmentation testing, a fundamental security control that restricts access between systems or data zones based on function or risk level. For instance, a segment that handles payment card industry-regulated credit card data should not be accessible from general office systems.
If one segment is not supposed to interact with another, then PTaaS can validate that those restrictions are in place. Should a user from a different zone log into a machine they should not access – even using legitimate credentials – that is a misconfiguration.
PTaaS can simulate real-world attack scenarios, including the use of compromised credentials found on the ‘dark web’. These tests demonstrate how an attacker might move laterally in a network after breaching one system.
“It’s not enough to separate machines. If I can use the same credentials in multiple zones, the segmentation fails. PTaaS picks that up,” adds Krstić.
The ability to test more frequently – sometimes even daily in critical areas – helps organisations respond more rapidly to new threats. This level of testing provides ongoing assurance that security controls are effective and aligned to evolving risks.
As machine learning and AI-driven attack strategies are on the rise, Krstić notes that threat actors are becoming more persistent and creative.
There is continuous scavenging for credentials, and actors are inventing new ways of using them. As a result, the frequency of businesses’ testing must also increase, he says.
PTaaS complements existing behavioural analytics tools by identifying unusual access patterns or policy violations. For instance, if a user in accounting is accessing IT system directories, this could signal credential misuse or insider threat activity.
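The segmentation checks described above (forbidden flows between zones, the same credentials working in more than one zone) and the role-based access anomaly in this paragraph (an accounting user reaching IT systems) can all be expressed as checks over test results against a declared policy. The following Python script is an added example written for this article; it is not Galix’s code or any PTaaS platform’s output. The zone names, the policy, the role-to-zone mapping and the probe and login records are all constructed for illustration.

```python
"""Checker for segmentation-test results (added example; constructed data).

Three checks over a declared zone policy and test observations:
  1. probes that succeeded although the policy forbids the flow,
  2. one credential accepted in more than one zone,
  3. successful logins into a zone the user's role is not meant to use.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed policy: source zone -> destination zones it may reach.
# Anything not listed is denied (the default-deny posture segmentation assumes).
POLICY = {
    "office": {"office", "corp-apps"},
    "corp-apps": {"corp-apps", "cardholder"},
    "cardholder": {"cardholder"},
    "it-admin": {"office", "corp-apps", "cardholder", "it-admin"},
}

# Constructed mapping of job role -> zones that role legitimately works in.
ROLE_ZONES = {
    "accounting": {"office", "corp-apps"},
    "it": {"office", "corp-apps", "cardholder", "it-admin"},
}


@dataclass(frozen=True)
class Probe:
    """One connectivity probe from a host in src_zone to dst_host in dst_zone."""
    src_zone: str
    dst_zone: str
    dst_host: str
    port: int
    reachable: bool


@dataclass(frozen=True)
class AuthEvent:
    """One authentication attempt; credential_id is a constructed label."""
    user: str
    role: str
    credential_id: str
    zone: str      # zone of the host the user authenticated to
    success: bool


# Constructed probe results (hostnames and ports are illustrative only).
PROBES = [
    Probe("office", "corp-apps", "erp01", 443, True),          # allowed
    Probe("office", "cardholder", "pos-db01", 1433, True),     # violation
    Probe("office", "cardholder", "pos-db01", 3389, False),    # blocked, fine
    Probe("corp-apps", "cardholder", "pos-db01", 1433, True),  # allowed
    Probe("cardholder", "office", "fs01", 445, True),          # violation
]

# Constructed login records from the same test window.
AUTH_EVENTS = [
    AuthEvent("jsmith", "accounting", "cred-a1", "office", True),
    AuthEvent("jsmith", "accounting", "cred-a1", "it-admin", True),   # wrong zone for role
    AuthEvent("svc-backup", "it", "cred-s9", "corp-apps", True),
    AuthEvent("svc-backup", "it", "cred-s9", "cardholder", True),     # same cred, two zones
    AuthEvent("mlee", "it", "cred-m2", "cardholder", True),           # fine
    AuthEvent("mlee", "it", "cred-m2", "office", False),              # failed, ignored
]


def segmentation_violations(policy, probes):
    """Return probes that were reachable although the policy forbids the flow."""
    return [p for p in probes
            if p.reachable and p.dst_zone not in policy.get(p.src_zone, set())]


def cross_zone_credential_reuse(events):
    """Return {credential_id: sorted zone list} for credentials accepted in >1 zone."""
    zones = defaultdict(set)
    for e in events:
        if e.success:
            zones[e.credential_id].add(e.zone)
    return {cred: sorted(z) for cred, z in zones.items() if len(z) > 1}


def role_zone_mismatches(events, role_zones):
    """Return successful logins into a zone that the user's role does not cover."""
    return [e for e in events
            if e.success and e.zone not in role_zones.get(e.role, set())]


if __name__ == "__main__":
    for p in segmentation_violations(POLICY, PROBES):
        print(f"FLOW   {p.src_zone} -> {p.dst_zone} ({p.dst_host}:{p.port}) reachable but denied by policy")
    for cred, zones in cross_zone_credential_reuse(AUTH_EVENTS).items():
        print(f"CRED   {cred} accepted in zones {zones}")
    for e in role_zone_mismatches(AUTH_EVENTS, ROLE_ZONES):
        print(f"ROLE   {e.user} ({e.role}) logged into zone {e.zone}")
```

Each finding maps to one of the remediation conversations the article mentions: a reachable forbidden flow is a firewall or routing misconfiguration, a credential accepted in two zones means the zones share an identity boundary even if they do not share a network, and a role mismatch is the kind of access pattern a behavioural analytics tool should also be alerting on.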
From a strategic perspective, the integration of PTaaS into security operations enables organisations to move beyond compliance and towards a more resilient cybersecurity structure.
Continuous assessment, external expertise and automation enable PTaaS to help organisations stay ahead of threats and adapt more quickly to emerging risks.
“PTaaS gives you real-world data on how vulnerabilities can be exploited – what can happen, how it can happen, and what needs to be fixed first,” Krstić concludes.