Introduction
Annual Vulnerability Assessment and Penetration Testing has never been more widely purchased, and never less able to do the job it is bought for. It was designed for a slower world, one in which exploits took weeks to mature and attack surfaces barely moved between tests, and in that world, it worked. That world has gone. Attackers now move laterally within half an hour of gaining access, exploitation frequently arrives before the patch, and the environment you tested in January is not the environment you are running in June.
This article makes no case for abandoning annual VAPT. It remains a valid compliance artefact and a useful point-in-time view. The case it makes is narrower and more uncomfortable, which is that annual VAPT was always a compliance instrument first, that treating it as a defensive strategy has become a measurable risk, and that what replaces it is not a better test but a continuous discipline built around validation. What follows sets out the mismatch, the myths sustaining it, and a practical sequence for closing the gap this quarter.
What is annual VAPT, and is it still enough?
Annual VAPT, or Vulnerability Assessment and Penetration Testing, is a scheduled security test run once a year against a defined scope, producing a point-in-time report of findings ranked by severity. It remains a valid compliance artefact under PCI DSS, ISO 27001 and SOC 2.
It is no longer sufficient alone. It assesses a fixed scope on a fixed date, while cloud estates, APIs and AI integrations change weekly. The gap between test cycles is now an exposure window, not a scheduling detail.
How fast do attackers actually move in 2026?
Faster than any annual cycle can track. According to CrowdStrike's 2026 Global Threat Report, average eCrime breakout time, the gap between first compromise and first lateral movement, fell to 29 minutes during 2025, down from 48 minutes in 2024 and 98 minutes in 2021. The fastest observed breakout took 27 seconds, and in one intrusion data exfiltration began within four minutes of access.
Hold that against your testing calendar. Your annual VAPT finished in January, and the next begins in January again. In between, every API endpoint shipped and every cloud instance spun up creates exposure that will not be examined for up to 362 days. This is not a compliance gap. It is a structural mismatch between the speed at which you test and the speed at which you are attacked.

Why the annual model worked, and why it stopped?
The annual model emerged when attack surfaces were stable. Exploits took weeks to mature and patch cycles ran monthly, so testing once a year was a fair approximation. Regulators codified that cadence, and annual testing became the default, then the assumption, then the standard nobody questioned. Three things then changed at once, and none have reversed.
- Development cadence accelerated. Most enterprises ship code several times a week, and AI tooling is now embedded into customer platforms and development workflows, creating attack surface that did not exist at the last assessment. The OWASP Top 10 for LLM Applications exists because that surface is real.
- Exploit timelines collapsed, and in many cases passed zero. Mandiant estimates a mean time to exploit of roughly negative seven days for 2025, meaning exploitation routinely arrives before the patch. CrowdStrike found 42 percent of exploited vulnerabilities were attacked before disclosure.
- The threat model shifted from vulnerabilities to chains. A low-severity misconfiguration, plus an over-permissioned service account, plus a flat network segment. No single link tops your annual report, yet together they take the environment apart in an afternoon. This is what MITRE ATT&CK maps, and what single-application testing cannot see.
The annual VAPT was never built for this. It was not a bad design, but a different design, for a different era.
Is annual VAPT just a compliance exercise?
Largely, yes, and that is why it survived. A dated PDF is something an auditor can file, whereas continuous risk reduction is not, so the industry optimised for the artefact rather than the outcome. The result is the most damaging habit in enterprise security, treating tested and secure as though they were the same word.
This is not permission to skip your obligations. PCI DSS 4.0 still requires periodic testing, and testing after significant change, a clause most organisations ignore. But satisfying an auditor is not satisfying an attacker, and plenty of breached organisations held clean reports on the day they were compromised.
Regulation is moving toward continuous validation, explicitly so in DORA's threat-led penetration testing provisions. Expect three audit questions no annual report answers well.
- Show me your continuous testing posture, not just your annual document.
- Show me your patch and retest SLA on critical findings, in hours.
- Show me a chain-objective red-team result, not a single-application test.
Each tends to produce a silence, and auditors are trained to read silence.
Five myths keeping annual VAPT alive
1. AI can hack anything autonomously - Frontier models have shown real capability in vulnerability discovery, and CrowdStrike reports AI-enabled adversary activity rose 89 percent. Even so, they are not autonomous attackers, and still need operator goals, access and infrastructure. Their advantage is speed, scale and the chaining of ordinary flaws, more mundane and more dangerous than the science-fiction version.
2. Without frontier AI access, we cannot defend ourselves - Exclusion from frontier defensive programmes is a real disadvantage, but not a death sentence. The disciplines that decide outcomes, continuous testing, attack-surface compression, AI-augmented monitoring and vendor-risk hygiene, work regardless of which models you access. This myth excuses inaction.
3. Annual VAPT plus a SIEM is enough - It is not, and has not been for some time. Continuous testing integrated into development cycles is now the standard for critical systems. Anyone telling you otherwise is selling you the old contract.
4. AI in the SOC means fewer analysts - AI reduces alert fatigue and speeds triage, but does not sustainably cut headcount. The analysts you have will simply do better work. Vendors promising autonomous-SOC headcount cuts are pricing for a malpractice claim you have not yet had cause to file.
5. This will blow over - It will not. The capability frontier moves forward, and the disciplines you build now compound for years. Comfort is the most expensive feeling in cybersecurity, and almost always costs more than discomfort.
What is CTEM, and why does validation matter?
Continuous Threat Exposure Management, or CTEM, is the operating model Gartner defined to replace periodic assessment. It runs in five stages: scoping, discovery, prioritisation, validation and mobilisation. Unlike a scan or a pentest, it treats exposure reduction as a cycle, not an event.
Validation changes the economics, and it is the stage most programmes skip. It means proving, through breach and attack simulation or automated exploitation, that a finding is genuinely exploitable in your environment. Vendor analyses consistently report that most findings rated high or critical fall away once tested this way, with one widely cited figure putting the drop at 63 percent down to roughly 10 percent.
Read that as a budget line, not a statistic. Much of your remediation team's year is spent on findings that could never have harmed you, while the chain that could have taken you down sits unranked, because no link scored as critical.
One warning. A CTEM programme that runs once a year is not CTEM. It is an annual pentest with a better slide deck.

What replaces annual VAPT?
Supplementation, not abolition. Annual testing still supports compliance and reassures boards and customers. It simply cannot stand alone. Five components belong around it.
| Component | Cadence | What it catches |
|---|---|---|
| Continuous external attack-surface monitoring | Always on | Shadow IT, M&A debris, forgotten subdomains, exposed dev infrastructure |
| Exploitability-based prioritisation (EPSS, CISA KEV, context) | Continuous | The few findings that matter, out of the dozens you have |
| Chain-objective red teaming and breach and attack simulation | Monthly | Multi-stage ATT&CK paths single-application testing cannot see |
| Deep-dive manual penetration testing | Quarterly | Business-logic flaws and novel abuse only expert humans find |
| Pipeline-integrated code analysis | Every commit | Exposure at the moment it is introduced, not 362 days later |
The annual VAPT becomes one document inside a continuous programme, not the programme itself. Buy expert humans for depth, automation for coverage, and stop paying humans to do coverage badly once a year. Anchor it to NIST CSF 2.0 or ISO 27001.

How do we start? A checklist for this quarter
Items one to four run in sequence. The rest can run in parallel once the fourth completes.
| # | Item | Effort | Start |
|---|---|---|---|
| 1 | Read the relevant regulatory advisories in full | 1 week | Now |
| 2 | Run an external attack-surface management sprint | 2 weeks | Now |
| 3 | Tighten patch and retest SLA to 24 hours on critical | Ongoing | Week 2 |
| 4 | Refresh the asset register and reconcile the CMDB | 2 weeks | Week 2 |
| 5 | Schedule a chain-objective red-team engagement | 6 to 12 weeks | Week 3 |
| 6 | Stand up AI-augmented SOC capability | 8 to 12 weeks | Week 3 |
| 7 | Run a board-level tabletop exercise | 1 week | Week 4 |
| 8 | Refresh vendor and procurement workflow | 6 to 8 weeks | Week 4 |
| 9 | Document IR runbook with regulatory overlap mapping | 3 to 4 weeks | Week 5 |
| 10 | Move board reporting to hours-to-patch | Ongoing | Continuous |
If budget is tight, prioritise the first six. Item two returns the most, because you cannot defend, patch or validate what you do not know you own, and almost every organisation running discovery properly finds assets it had no record of.
Item ten matters most. Finding counts describe activity, and boards have funded activity for twenty years without buying risk reduction. Report mean time to remediate internet-facing critical, average exposure window, and validated exploitability rate instead.
Does continuous testing cost more than annual VAPT?
Less than the headline suggests, and there are three answers worth having ready.
- Much of it is reallocation, not increase, since you already pay for scanners, an annual test, and a vulnerability management tool nobody entirely trusts.
- Validation returns engineering capacity. If it collapses your critical backlog by anything close to the proportions above, you have handed most of a year back to your remediation team, and productivity arguments get funded faster than fear.
- The honest comparison is risk-adjusted: continuous testing plus the risk it removes, against annual testing plus the expected cost of the breach it fails to prevent.
Conclusion
Annual VAPT was never a security strategy. It was a security event, one the industry scheduled, survived and mistook for a posture. It endured because it was auditable and comforting, and failed because attackers do not work to your calendar.
Breakout time now averages 29 minutes. Most testing cycles still run at 365 days. Nearly everything worth saying follows from that arithmetic.
Keep the annual VAPT. Simply stop treating it as the defence.
Frequently asked questions
1. Is annual VAPT now useless?
No. It remains a required artefact for several regulatory filings and gives a genuine point-in-time view. It simply cannot stand alone.
2. How often should penetration testing be done?
Manual deep-dive testing quarterly, chain-objective red teaming monthly, automated discovery and validation continuously. The annual test stays for compliance.
3. What is a chain-objective red-team engagement?
A single-application test looks at one system in isolation. A chain-objective engagement scopes an attack goal spanning customer-facing, integration and operations layers, the way a real attacker moves, and tests whether ordinary flaws chain into a breach.
4. Does CTEM replace penetration testing?
No, it repositions it. Continuous validation covers breadth. Manual testing covers depth, meaning business-logic flaws and novel abuse automation misses.
5. Can a smaller team run this?
Yes, through a single managed retainer covering continuous monitoring, monthly scenarios, quarterly deep-dives and the annual audit. Simpler than four vendor relationships, and often cheaper.