Question 1

What is continuous pentesting?

Accepted Answer

Continuous pentesting gives you ongoing access to a cybersecurity specialist who works as part of your team. Testing, validating and answering security questions. Aligned with your workflow and available throughout your development process.

Question 2

How is this different from a pentest?

Accepted Answer

A pentest is a point-in-time assessment with a defined scope and a clear end date. Continuous pentesting is ongoing. A specialist embedded in your team who tests as you build, not after you ship. Both serve a different purpose and are often used together.

Question 3

How many hours do we need?

Accepted Answer

That depends on your environment, development speed and what you want to test. Smaller teams often start with 16 hours per month for focused validation. Larger teams or complex environments typically need more capacity. We define the right level together based on your situation.

Question 4

How are the hours used?

Accepted Answer

Hours can be used for testing new features, reviewing code, validating fixes, answering security questions or a combination of all of these. The exact use depends on your priorities and can be adjusted over time.

Question 5

Do we work with a fixed specialist?

Accepted Answer

You work with a cybersecurity specialist who gets to know your codebase, your workflow and your environment. When specific expertise is needed, specialists can rotate, so you always have the right person for the job.

Question 6

Do you sign an NDA?

Accepted Answer

Yes. A signed NDA is in place before any engagement begins. Everything we find, see or access stays confidential — stored exclusively in the PenPortal and never shared outside your organisation.

Question 7

What happens to our code and findings?

Accepted Answer

Your code stays yours. Our specialist works within your environment — reviewing and testing, never extracting or storing code externally. All findings are documented exclusively in the PenPortal, not in shared drives or external tools. A signed NDA ensures everything stays confidential.

Question 8

How does this fit into our development process?

Accepted Answer

That's up to you. We align with how your team works, whether that's agile, scrum or something else. Security questions can be answered during development, features can be tested before they go live and fixes can be validated as they happen. Security becomes part of the process, not a separate step.

Question 9

How quickly can we get started?

Accepted Answer

After an initial conversation to align on scope and hours, we can typically get started within a week. We sign an NDA before anything begins and make sure the right specialist is matched to your environment.

Question 10

Can findings be retested?

Accepted Answer

Yes. Once a fix is deployed, your team can request a retest directly in the PenPortal. We verify whether the issue is actually resolved, not just patched on the surface.

Question 11

Do we receive reports?

Accepted Answer

All findings are documented in the PenPortal with context and evidence. Reports can be generated when needed, for internal use, compliance requirements or management reporting.

Question 12

Is this suitable for compliance requirements?

Accepted Answer

Continuous pentesting can support compliance by providing ongoing validation and documented findings. In many cases, it is combined with a periodic pentest to meet specific requirements such as ISO certification or NIS2.

Question 13

Can we start small and scale later?

Accepted Answer

Yes. The number of hours can be adjusted over time, up or down. You can start with a focused scope and increase capacity as your team grows or your development pace increases.

Pentesting that moves with your team

Your team. Plus one.

What changes when security is part of your team

How it works

Your data stays yours

The right expertise, always available

Find the right level for your team

Your code evolves.
Your security should too.