How often should companies conduct penetration tests?


At a time when a new IT security incident seems to make headlines every week, many IT managers ask themselves how often they should put their systems to the test. After all, you need to know where your weaknesses lie in order to stay one step ahead of attackers. Penetration testing is a proven way of identifying and eliminating critical vulnerabilities before someone else exploits them. In this blog post, I would like to give you some guidance on how often, and when, you should commission penetration tests.

An individual penetration testing program is necessary

There is no single answer to how often companies should have penetration tests performed. In my opinion, it makes the most sense to develop a penetration testing program that is tailored to your own IT security needs. Your penetration testing program should answer the following questions:

  • What types of penetration tests are required? (internal/external infrastructure pentest, web application pentest, IoT device pentest, etc.)
  • How extensive do these pentests have to be, and should regular vulnerability scanning be carried out as a complementary process between tests?
  • How frequently must pentests be performed? (e.g. annually or semi-annually)
  • In which situations should unscheduled pentests be performed?

Depending on a number of company-specific factors, your penetration testing program will be extensive or rather narrow. Factors that influence its scope include:

  • the size of the network and of the company
  • the criticality of the data, applications and systems in your IT landscape
  • the threat level in the company’s sector (financial services, health care, …)
  • existing compliance or audit mandates (ISO 27001, PCI DSS, …)
  • your available IT security budget

An annual external pentest as a starting point for your penetration testing program

An external infrastructure penetration test performed once a year should always be part of your penetration testing program. In such a test, all systems reachable from the internet, such as firewalls, VPN gateways, DNS, e-mail systems and file servers, are checked for vulnerabilities. In addition, for larger companies (from roughly 100 employees upwards), the internal systems should also be tested (a so-called internal infrastructure penetration test). The larger the company, the more important testing the internal systems becomes, because with the size of the company, threats from inside the network, whether from a malicious insider or from an attacker who has already gained a foothold, become increasingly probable. Treat the annual external test as the minimum, not the target: the frequency questions above still have to be answered for your own situation.

Situations that require unplanned penetration testing

There are some special situations that call for an unscheduled penetration test. These include:

  • Major changes to your network (but be careful: only once the changes are complete, otherwise vulnerabilities introduced by the remaining changes may appear immediately after the pentest)
  • An IT security incident
  • The deployment of new systems or applications
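The first bullet above is the hardest one to operationalize: somebody has to notice that the internet-facing surface has changed, and also that the change has actually finished. As an added example that is not part of the original post, the Python script below compares weekly snapshots of exposed services and only raises a retest recommendation once the surface has stayed unchanged for a couple of snapshots after a change. The snapshot format, the list of ports treated as "major" and the settling period are assumptions, and the sample data is constructed.

```python
"""Detect when the internet-facing attack surface has changed, and decide when
an unscheduled external penetration test is due.

Added example for this post (not the author's tooling). Assumptions are marked
as such: the snapshot format, the set of "major" ports, and the number of
unchanged snapshots that counts as "changes completed".
"""
import csv
import io

# Assumption: newly exposed management or database ports on the perimeter
# count as a major change, as does any host that was not exposed before.
MAJOR_PORTS = {21, 22, 23, 445, 1433, 3306, 3389, 5432, 5900}

# Constructed sample data: one "host,port,service" snapshot per week, as a
# scanner or an asset inventory could export it (format assumed).
WEEK_1 = """
203.0.113.10,443,https
203.0.113.10,25,smtp
203.0.113.20,1194,openvpn
"""
WEEK_2 = WEEK_1 + "203.0.113.30,443,https\n"   # new web host appears
WEEK_3 = WEEK_2 + "203.0.113.30,22,ssh\n"      # still being built: SSH opened
WEEK_4 = WEEK_3                                 # no further change
WEEK_5 = WEEK_3                                 # surface has settled


def parse_snapshot(text):
    """Turn 'host,port,service' lines into a set of (host, port, service) tuples."""
    exposed = set()
    for row in csv.reader(io.StringIO(text.strip())):
        if not row or row[0].startswith("#"):
            continue
        host, port, service = row[0].strip(), int(row[1]), row[2].strip()
        exposed.add((host, port, service))
    return exposed


def diff_surface(before, after):
    """Return (added, removed) services between two snapshots, sorted for stable output."""
    return sorted(after - before), sorted(before - after)


def is_major(baseline, added):
    """Heuristic (assumption): a new host or a newly exposed MAJOR_PORTS port is major."""
    known_hosts = {host for host, _, _ in baseline}
    return any(host not in known_hosts or port in MAJOR_PORTS for host, port, _ in added)


def retest_trigger(snapshots, settle_periods=2):
    """Walk consecutive snapshots and recommend an unscheduled external pentest.

    The recommendation is only raised once the surface has been unchanged for
    `settle_periods` consecutive snapshots after a change, i.e. when the change
    is plausibly complete; testing in the middle of a migration would leave
    whatever is deployed afterwards untested.
    """
    baseline = snapshots[0]
    change_started = None   # index of the first snapshot that differed from its predecessor
    stable_run = 0
    for i in range(1, len(snapshots)):
        added, removed = diff_surface(snapshots[i - 1], snapshots[i])
        if added or removed:
            change_started = i if change_started is None else change_started
            stable_run = 0
        elif change_started is not None:
            stable_run += 1
            if stable_run >= settle_periods:
                total_added, total_removed = diff_surface(baseline, snapshots[i])
                major = is_major(baseline, total_added)
                return {
                    "status": "retest_now" if major else "defer_to_annual",
                    "change_started": change_started,
                    "settled_at": i,
                    "added": total_added,
                    "removed": total_removed,
                }
    if change_started is not None:
        return {"status": "changing", "change_started": change_started}
    return {"status": "stable"}


SNAPSHOTS = [parse_snapshot(s) for s in (WEEK_1, WEEK_2, WEEK_3, WEEK_4, WEEK_5)]

if __name__ == "__main__":
    print(retest_trigger(SNAPSHOTS))
```

Run against the constructed snapshots, the script stays at "changing" through week 3 and 4 and only recommends a test in week 5, once the new host with its SSH and HTTPS services has been unchanged for two snapshots. A shrinking surface (a service removed, nothing added) is reported but deferred to the annual test. Feed it real export data from your scanner or CMDB and tune MAJOR_PORTS and the settling period to your own change cadence.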


How often, how extensively and at what point a company should have penetration tests performed depends on many individual factors. A well-thought-out penetration testing program, regularly adapted to the company’s situation, is the key to maintaining an appropriately high level of security at all times. An annual external infrastructure penetration test should always be part of that program.


Dennis Kionga


Dennis is managing director at Cloud Cape, an IT services company that implements and operates future-proof IT security and cloud solutions. Previously, he worked as Business Development Manager in the Lufthansa Group, where he took responsibility for the global sales of outsourcing solutions for airlines. He completed his studies at the University of Mannheim and earned a Master of Laws (LL.M.) and a postgraduate certificate in project management from the University of Cape Town. During his career he had longer stays abroad in Portugal, the Czech Republic and South Africa.




About Cloud Cape

We help companies create transparency in their own IT landscape and accompany them on the path to secure digital transformation. As a ‘cloud-first’ company, we specialize in cloud solutions and cloud security.
