Continuous penetration testing must become standard practice for organisations, according to Tamer Odeh, Middle East and Africa Regional Lead at cybersecurity firm Horizon3.ai. Companies that rely solely on annual or infrequent security assessments risk creating significant visibility gaps in their IT defenses as cyber threats rapidly evolve.
Odeh’s remarks are based on findings from the Horizon3.ai Cybersecurity Survey 2025/26, which revealed that while the vast majority of organisations perform some form of penetration testing, only a small fraction utilize automated tools or platforms. The survey indicates a widespread reliance on infrequent testing, leaving many vulnerable.
Continuous Penetration Testing for Modern Threats
The Horizon3.ai survey found that 80 percent of organisations conduct penetration testing. However, 49 percent of these test their systems only once a year or even less frequently. This leaves considerable windows of opportunity for malicious actors. Additionally, only 21 percent of organizations are employing automated tools or platforms for these tests.
Odeh stressed the necessity of proactive testing, stating, “You only know how resilient an IT network really is to cyberattacks if you actively put it to the test. Only penetration tests can determine whether an organisation is actually protected against cyber attacks.” He advocates for continuous, automated testing of critical systems to provide consistent visibility into progress rather than sporadic snapshots.
The Evolving Threat Landscape
The survey, which polled 150 organizations across various sectors, highlights the prevalence of cyber threats. Two-thirds of respondents reported experiencing a cyber breach or attack in the past two years. Of these, over half experienced multiple incidents, with 38 percent reporting three or more attacks.
Odeh warned that many organizations have a false sense of security, overestimating the effectiveness of their existing security tools without validating them against real-world attack scenarios. He pointed out that reliance on numerous defense tools does not guarantee protection if their actual efficacy remains unverified.
Automated Testing and Real-World Validation
Horizon3.ai’s Offensive Security Platform aims to address these challenges by simulating attacker techniques in production environments. This approach helps identify exploitable vulnerabilities and provides evidence-based risk assessment, rather than assumptions. The platform is designed to complement, not replace, human expertise by handling repetitive tasks and enabling consistent, large-scale risk assessments.
“Automation doesn’t completely replace experts,” Odeh clarified. “Instead, it removes repetitive manual tasks and ensures autonomous risk assessments can be launched consistently and at scale, showing what attackers could actually exploit.” This continuous validation allows organizations to track improvements and ensure that remediation efforts remain effective over time.
The increasing attack surface due to remote work, IoT devices, and mobile access necessitates a security strategy that assumes breaches can occur. Odeh emphasized that even seemingly secure network segments like a demilitarized zone (DMZ) should be treated with caution, requiring strict access controls, continuous monitoring, and clear separation from core systems.
The findings suggest a critical need for organizations to transition from ad hoc penetration testing to a continuous, automated, and proactive security posture. This shift is crucial for protecting systems against evolving threats, optimizing security investments, and meeting compliance requirements.
Looking ahead, organizations are urged to build continuous validation into their routine operations. The effectiveness of such strategies will be critical in navigating an increasingly complex and rapidly changing threat landscape, one that is outpacing traditional defense mechanisms.

