
May 12, 2026 · 4 min · Carol

Tags: pentest, audit, security, compliance, ASM

Annual pentest vs continuous auditing: which one protects you more?

A pentest is a snapshot. Continuous auditing is a video feed. Here's when each makes sense, what they cost, and why most companies need both — in different proportions.

"We did a pentest last year."

That's what a fintech CISO told me when I asked about continuous auditing. Three months later, his customer discovered — via an external bug bounty report — an exposed /admin/export route. The pentest didn't catch it because the route didn't exist at audit time. It shipped in November.

Pentest and continuous auditing aren't the same thing. Treating them as synonyms costs you incidents.

The difference in one line

  • Pentest = a team of specialists tries to break into your system for 1–4 weeks, writes a report, leaves.
  • Continuous auditing = bots check your external surface every day, compare to the previous state, alert on what changed.

Pentest is a high-resolution photo. Continuous auditing is a low-resolution video. To identify someone, you need the photo. To know if someone got into the building, you need the video. You want both — but confusing one for the other is expensive.
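To make "compare to the previous state, alert on what changed" concrete, here is an added example of the diffing step, written for this post and not Sentinela's code. It assumes a daily probe has already produced one JSON-like dict per host (open ports, server banner, certificate expiry, response headers, CNAME resolution); the two snapshots, the hostnames and the CNAME target are constructed for the example, and the required-header list is a policy choice, not a standard.

```python
"""Drift detection over two external-surface snapshots (added example).

A snapshot maps hostname -> probe results. The job of the continuous
layer is not to re-report everything every day but to surface what is
new since the last run: new hosts, newly opened ports, changed banners,
and point-in-time findings that were not present yesterday.
"""
from datetime import date

# Policy assumption: headers an HTTPS origin is expected to send.
REQUIRED_HEADERS = ("strict-transport-security", "content-security-policy", "x-content-type-options")
CERT_WARN_DAYS = 14


def host_findings(snapshot, as_of):
    """Point-in-time findings for every host in a snapshot.

    Messages are kept stable (no day counts) so that the same finding on
    consecutive days compares equal and is suppressed as already known.
    """
    out = []
    for name in sorted(snapshot):
        host = snapshot[name]
        target = host.get("cname_target")
        if target and not host.get("cname_resolves", True):
            out.append(("high", name, f"dangling CNAME -> {target} (takeover candidate)"))
        if "cert_not_after" in host:
            days_left = (date.fromisoformat(host["cert_not_after"]) - as_of).days
            if days_left < 0:
                out.append(("high", name, "certificate expired"))
            elif days_left <= CERT_WARN_DAYS:
                out.append(("medium", name, f"certificate expires within {CERT_WARN_DAYS} days"))
        if "headers" in host:  # only hosts that answered HTTP get header checks
            present = {h.lower() for h in host["headers"]}
            for h in REQUIRED_HEADERS:
                if h not in present:
                    out.append(("medium", name, f"missing header {h}"))
    return out


def drift(prev, curr, prev_date, curr_date):
    """Alerts worth a human's attention: structural changes plus findings new today."""
    alerts = []
    for name in sorted(set(curr) - set(prev)):
        alerts.append(("info", name, "new host on the external surface"))
    for name in sorted(set(prev) - set(curr)):
        alerts.append(("info", name, "host no longer resolves or responds"))
    for name in sorted(set(prev) & set(curr)):
        p, c = prev[name], curr[name]
        for port in sorted(set(c.get("ports", ())) - set(p.get("ports", ()))):
            alerts.append(("high", name, f"port {port} newly open"))
        if p.get("server") != c.get("server"):
            alerts.append(("info", name, f"server banner changed: {p.get('server')} -> {c.get('server')}"))
    already_known = set(host_findings(prev, prev_date))
    alerts.extend(f for f in host_findings(curr, curr_date) if f not in already_known)
    return alerts


# Constructed snapshots: yesterday and today for a hypothetical example.com estate.
PREV_DATE, CURR_DATE = date(2026, 5, 11), date(2026, 5, 12)
_GOOD_HEADERS = {"Strict-Transport-Security": "max-age=63072000",
                 "Content-Security-Policy": "default-src 'self'",
                 "X-Content-Type-Options": "nosniff"}
YESTERDAY = {
    "www.example.com": {"ports": [443], "server": "nginx", "cert_not_after": "2026-06-30",
                        "headers": dict(_GOOD_HEADERS)},
    "api.example.com": {"ports": [443], "server": "nginx", "cert_not_after": "2026-05-20",
                        "headers": {"Strict-Transport-Security": "max-age=63072000",
                                    "X-Content-Type-Options": "nosniff"}},
}
TODAY = {
    "www.example.com": {"ports": [443, 8080], "server": "nginx", "cert_not_after": "2026-06-30",
                        "headers": dict(_GOOD_HEADERS)},
    "api.example.com": {"ports": [443], "server": "nginx", "cert_not_after": "2026-05-20",
                        "headers": {"X-Content-Type-Options": "nosniff"}},
    # Orphan CNAME: the record still exists but the target no longer resolves.
    "old-blog.example.com": {"cname_target": "old-blog.pages.example-host.net", "cname_resolves": False},
}

if __name__ == "__main__":
    for severity, host, message in drift(YESTERDAY, TODAY, PREV_DATE, CURR_DATE):
        print(f"[{severity}] {host}: {message}")
```

Note what is deliberately not in the output: api.example.com has been missing Content-Security-Policy since before yesterday, and its certificate was already inside the warning window, so neither is repeated. That suppression is the difference between a feed people read and the "becomes noise" failure mode described further down.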

What each one does well

Pentest

Strong at | Why
Business logic flaws | A bot can't reason "this user shouldn't see someone else's order"
Chaining vulnerabilities | XSS + CSRF + IDOR combined for privilege escalation; only humans see that
Authenticated depth | The pentester logs in, browses, abuses
Proof of impact | A report an external auditor, board, or regulator will accept
Point-in-time compliance | PCI DSS requires penetration testing at least annually and after significant changes

Continuous auditing

Strong at | Why
Drift between pentests | The forgotten .env in prod shows up 3 days after deploy, not 8 months later in the next pentest
Shifting surface | New subdomains, expiring certs, missing headers, opened ports
Public CVEs | New CVE drops → next day your exposed nginx version is flagged (banner-based matching, so confirm against distro backports before filing)
Cost per check | Cents per scan, scales automatically
Trend history | "In January we were at C, today we're at B. What changed?"
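The "public CVEs" row hides a caveat worth seeing in code: matching a server banner against an advisory feed is cheap, but a distribution build such as nginx/1.18.0 (Ubuntu) may already carry a backported fix at the old version number. The following added example (written for this post, not Sentinela's matcher) parses a banner, compares the version tuple against half-open affected ranges, and downgrades a hit to "confirm manually" when the banner shows a distro build. The advisory entries are constructed with placeholder IDs and ranges; they are not real CVEs.

```python
"""Banner-to-advisory matching with a backport caveat (added example)."""
import re

# product/version with an optional "(distro)" suffix, e.g. "nginx/1.18.0 (Ubuntu)"
BANNER_RE = re.compile(
    r"^(?P<product>[A-Za-z][\w.-]*)/(?P<version>\d+(?:\.\d+)*)(?:\s*\((?P<distro>[^)]*)\))?"
)

# Constructed, hypothetical advisories shaped like a feed entry: a product,
# a half-open affected range [introduced, fixed), and a severity. None as
# "fixed" means no fixed version is known.
ADVISORIES = [
    {"id": "ADV-A", "product": "nginx", "introduced": (1, 0, 0), "fixed": (1, 20, 1), "severity": "high"},
    {"id": "ADV-B", "product": "nginx", "introduced": (1, 21, 0), "fixed": None, "severity": "medium"},
    {"id": "ADV-C", "product": "apache", "introduced": (2, 4, 0), "fixed": (2, 4, 50), "severity": "high"},
]


def parse_banner(banner):
    """Return {product, version tuple, distro} or None when the banner hides the version."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return {
        "product": m["product"].lower(),
        "version": tuple(int(x) for x in m["version"].split(".")),
        "distro": m["distro"],
    }


def version_in_range(version, introduced, fixed):
    """Half-open range check on version tuples; a None upper bound means unfixed."""
    return introduced <= version and (fixed is None or version < fixed)


def match_banner(banner, advisories=ADVISORIES):
    """Match one banner against the feed and classify how much to trust the result."""
    info = parse_banner(banner)
    if info is None:
        return {"banner": banner, "status": "unparsed", "matches": []}
    hits = [
        a["id"] for a in advisories
        if a["product"] == info["product"]
        and version_in_range(info["version"], a["introduced"], a["fixed"])
    ]
    if not hits:
        status = "clean"
    elif info["distro"]:
        # Distro packages often backport fixes without bumping the upstream
        # version, so a banner match alone is not proof of exposure.
        status = "confirm-manually"
    else:
        status = "match"
    return {"banner": banner, "product": info["product"], "version": info["version"],
            "status": status, "matches": hits}


if __name__ == "__main__":
    for b in ("nginx/1.18.0", "nginx/1.18.0 (Ubuntu)", "nginx/1.20.1", "nginx/1.22.1", "nginx"):
        print(match_banner(b))
```

A banner that is just "nginx" with no version parses as nothing, which is the right outcome for the scanner and a hint for the operator: hiding the version removes the cheap match, not the vulnerability, so treat "unparsed" as "check by another route", not as clean.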

Where each one fails

Pentest fails when:

  • The system changes weekly and the pentest was 6 months ago.
  • Scope was trimmed to fit the budget ("just the app, no infra").
  • The pentester is junior and runs Nessus in disguise.
  • The report becomes a shelf-PDF nobody read.

Continuous auditing fails when:

  • Used as a substitute for pentest on things that need human reasoning.
  • No one watches the alerts (becomes noise).
  • Scoped wrong (scans 1 domain when you have 80 subdomains).
  • Doesn't distinguish WordPress core noise from real findings in your code.

Cost comparison

For a typical mid-size stack:

Head-to-head, mid-size stack

 | Annual pentest (point-in-time) | Continuous auditing (24/7)
Cost | $5k – 25k per engagement | $40 – 400 / month
Frequency | 1×/year (PCI DSS requires at least annual, plus after significant changes) | 24/7
Time to result | 2–6 weeks | minutes
Re-audit after fix | usually billed extra | automatic
Drift coverage | none between engagements | continuous, for the external surface
Same defense, opposite cadence. Pentest covers the audit day; continuous covers every other day. The pair covers the year.

The cost of one medium-severity incident (regulatory fine + remediation + reputation) usually clears six figures. The combined investment doesn't reach 5% of that.

The practical rule (and why most companies get it wrong)

Most companies do an annual pentest because the auditor/PCI demands it, and have nothing between one pentest and the next. Eleven months a year, they're blind to what changes.

The honest rule:

  • Ship weekly or faster: continuous auditing isn't optional. Annual pentest covers depth; continuous covers drift.
  • Regulated (PCI DSS explicitly; ISO 27001 and GDPR Art. 32 expect regular testing of your controls and auditors usually want a pentest as the evidence): pentest is a formal requirement. Continuous auditing is what shrinks risk between pentests.
  • Small company, brochure site, little custom code: continuous auditing alone covers 80% of real risk (orphan subdomain, expiring cert, missing header, leaked secret in repo). Pentest can wait until you grow or take on sensitive data.

The inversion I see in the market: companies that only do an annual pentest and nothing in between. That protects the audit, not the business.

Where Sentinela fits (and where it doesn't)

Sentinela is the external continuous auditing layer. We run:

  • DNS, TLS, headers, open ports, server banner probes
  • Subdomain and orphan CNAME discovery
  • CVE matching against detected technologies
  • SAST + secret scanning on your repo when you connect it
  • A–F score refreshed every cycle, with history

What we're not:

  • A human pentest (no business-logic judgment, no chaining).
  • A substitute for a formal PCI/ISO report (we're complementary evidence, not primary).

The pairing I recommend to clients:

  1. Sentinela running 24/7 — catches 80% of what matters, when it matters.
  2. Annual pentest by a good firm with realistic scope (include the surface Sentinela mapped — saves pentester days on recon).
  3. Re-audit after fix — small, but critical.

To dig into the continuous side, ASM (Attack Surface Management) explained is worth a read.

The simple rule

A pentest without continuous auditing is like photographing your vault once a year and assuming nobody touched it between shots. It works until the day somebody did.
