Gartner: The Future of Pen Testing Is Continuous Offensive Security Testing
Gartner declares that continuity is the new mandate for security testing, needed to keep pace with how fast systems evolve and how quickly attackers adapt.
Gartner just published two research papers that confirm what we’ve been building toward: point-in-time penetration testing can no longer keep pace with modern environments and threats. The future of offensive security is continuous and risk-aware – not testing when schedules permit or budget allows, but when real application change happens.
Novee was named in Gartner’s vendor matrix, and we think that’s just the starting point.
What Gartner Says
In The Future of Pen Testing Is Continuous Offensive Security Testing (Dhivya Poole, Carlos De Sola Caraballo, Mitchell Schneider, 6 March 2026, ID G00845606), Gartner introduces Continuous Offensive Security Testing (COST): a trigger-driven, intelligence-led model that replaces calendar-based pentesting with validation that activates when material risk changes. COST unifies penetration testing, red teaming, bug bounty, and control validation into a single continuously operating capability, blending automation, AI, and human expertise.
According to Gartner, by 2028, over 60% of enterprise pen test programs will operate as continuous validation embedded within DevSecOps pipelines, replacing annual assessments as the primary proof of resilience.
Modern software environments are in constant motion: new code ships daily, APIs multiply, infrastructure scales automatically, and AI-assisted development accelerates release cycles even further. Every change alters the attack surface. Meanwhile, attackers are increasingly operating with automation and AI, probing systems at a scale and speed that human-driven testing simply cannot match.
The criteria for success must change: from a “test complete” checkbox to measurable reductions in exposure windows, faster risk validation, and improved response readiness.
Gartner: Here’s How to Implement Continuous Offensive Security Testing
In a companion paper, Gartner lays out a four-phase journey: Design, Build, Run, and Improve.
Organizations start by replacing calendar-based scoping with risk-tiered triggers (high, medium, low) that determine both the urgency and method of testing. They then build a sensing layer that detects material changes in real time, integrate testing into CI/CD and SecOps workflows, execute adaptive testing cycles, and continuously measure meaningful outcomes like exposure window reduction and mean time to mitigate.
The key shift: findings must drive remediation, not just reports. Testing flows directly into ticketing, fix verification, and revalidation – a closed loop from attack to fix to proof.
Continuous Offensive Security Testing: Novee Was Built for This
COST is exactly the model we built Novee to deliver. Our AI penetration testing platform runs continuous offensive testing that closes exposure windows as risk is introduced: AI agents explore the attack surface, map applications, probe for weaknesses when the environment changes, and compound knowledge across assessments. Rather than restarting from scratch each engagement, testing depth grows with every cycle. And Novee runs automatically, testing changed endpoints whenever new code is deployed, without blocking CI/CD pipelines.
Novee’s agents mirror how elite human operators work: discovering assets, generating attack hypotheses, executing exploits, and adapting based on system feedback. When vulnerabilities are confirmed, the platform generates validated proof-of-concept exploits with environment-specific remediation guidance and integrates directly into engineering workflows, closing the loop between discovery, fix, and verification.
Gartner named Novee in its sample vendor matrix for PTaaS. We think that’s just the starting point.
Get a demo to see how Novee delivers a single platform for offensive security.