How Often Should You Run a Penetration Test on a SaaS Product?
## The short answer
Most SaaS teams should commission a full, human-led penetration test at least once a year, and additionally after any significant change to the application, its architecture or its infrastructure. Between those tests, automated scanning should run continuously. Annual-plus-on-change is a sensible default, but the right cadence depends on how fast you ship, how sensitive your data is, and what your customers or regulators expect.
## Why "once a year" is only a baseline
An annual test made sense when software changed slowly. Modern SaaS products often deploy many times a week, which means a point-in-time test can be out of date within days. The annual penetration test still matters as a deep, expert review, but it cannot be your only line of defence. Think of it as a thorough MOT for the car you also check between services, not the only time anyone looks under the bonnet.
The practical model most teams settle on has three tiers:
1. **Continuous automated scanning** on every change: dependency checks, static analysis and lightweight dynamic scans.
2. **Targeted testing on significant change:** a focused manual test when something material shifts.
3. **Periodic full penetration test:** a broad, expert-led assessment of the whole application, at least annually.
## What counts as a "significant change"
This is where teams most often under-test. A new feature flag is not a trigger; a new attack surface is. Re-test when you:
- Add or substantially change authentication or authorisation.
- Introduce a new way for data to enter or leave the system, such as a new API, file upload or integration.
- Handle a new category of sensitive data.
- Make a major architectural change, for example moving a service or changing your cloud setup.
- Acquire or merge in another codebase.
- Expose something previously internal to the public internet.
If a change alters who can reach what, treat it as worth testing.
## Factors that push the cadence up
Some products need more frequent testing than the annual baseline:
- **Highly sensitive data:** payment, health or other regulated data raises both the stakes and the expectations.
- **High deployment frequency:** the faster you ship, the more drift accumulates between tests.
- **Customer and contractual demands:** enterprise buyers increasingly require evidence of regular testing before they sign.
- **A history of incidents:** past problems justify closer scrutiny.
- **Compliance obligations:** some standards effectively mandate at least annual testing plus testing after major change.
## Factors that let you lean on the baseline
Conversely, a small product with limited sensitive data, infrequent releases and strong automated coverage may reasonably stick closer to the annual minimum, provided the continuous scanning layer is genuinely working.
## Don't confuse a scan with a penetration test
A common and costly mistake is treating an automated scan as equivalent to a penetration test. They are different things:
- A **scan** is automated, fast, repeatable and good at known patterns. Run it constantly.
- A **penetration test** is human-led, creative and able to chain together several small weaknesses into a real attack, including business-logic flaws no scanner understands. Run it periodically.
You need both. Continuous scanning keeps the baseline clean; the periodic human test finds what automation cannot.
## Making each test count
Frequency is wasted if the tests are shallow or the findings are ignored. To get value:
1. **Define scope clearly,** so testers focus on what matters most.
2. **Give testers proper access,** including authenticated accounts at different permission levels, so they can probe access control.
3. **Fix and re-test.** A finding isn't closed until a follow-up confirms the fix works.
4. **Track findings over time** to spot recurring weaknesses in your development process.
Building enterprise-grade products means designing for this rhythm from the start. At neart.ai security testing is treated as a continuous habit punctuated by deeper periodic review, not a single annual event.
## Practical takeaway
Use a three-tier rhythm: continuous automated scanning on every change, focused testing whenever a significant change alters your attack surface, and a full human-led penetration test at least once a year. Push the cadence higher if you handle sensitive data, ship frequently or face customer and regulatory expectations. Never treat an automated scan as a substitute for a penetration test, and always fix and re-test findings. Cadence matters, but only if every test is properly scoped and acted upon.