A few years ago, a pen test for most businesses meant scanning the perimeter network, checking for open ports, and maybe probing a few web apps. That was the scope. But threats are continually increasing, and the way pen testers work has had to keep up. Attackers stopped going through the front door and started using stolen logins, misconfigured cloud accounts, and trusted suppliers instead.
Here's where it gets interesting, because those shifts have changed what a proper pen test actually needs to cover.
In this ZandaX article, we look at the changes that have occurred and how you can keep up with them.
When Network Testing Was the Whole Game
For a long time, pen testing was largely synonymous with external network testing. The assumption was simple: secure the perimeter and you were in good shape. Internal testing followed the same logic - find open services, enumerate them, probe for known vulnerabilities.
This model worked when everything lived on-premises. Most organisations had a clear boundary between inside and outside. You could draw a line around it and test it systematically.
Why Cloud Infrastructure Raised the Bar
Once organisations began moving to AWS, Azure, and Google Cloud, that clear boundary disappeared. Misconfigured storage buckets, overly permissive IAM roles, and publicly exposed cloud services became genuine attack vectors. None of these show up in a traditional network scan.
This change in attack surface raised expectations for what a capable tester should be able to assess.
CREST-accredited penetration testing became a meaningful quality signal. It tells you the provider has demonstrated the technical competence to handle complex, modern environments, not just traditional network infrastructure.
Identity Has Become a Primary Attack Vector
One of the most significant changes in the past five years is how central identity has become to attacks. In many high-profile breaches, the initial access wasn't through a software vulnerability. It was a stolen credential, a misconfigured SSO integration, or a hijacked session token. According to Verizon's 2025 Data Breach Investigations Report, stolen credentials were the leading initial access vector, accounting for more than one in five confirmed breaches.
Pen testers have had to adapt accordingly. Testing Active Directory misconfigurations, Kerberoasting paths, and Microsoft Entra ID privilege escalation has become standard in a mature assessment. Five years ago, these were relatively niche skills. Now, leaving them out of scope is a serious blind spot.
How Supply Chain Risk Changed What Gets Tested
The SolarWinds incident, publicly disclosed in December 2020 after attackers had quietly compromised the company's systems from late 2019, forced many organisations to think differently about their exposure. If a trusted software vendor can be weaponised against you, your own internal defences matter less than you might think.
Supply chain testing is now firmly in scope for more assessments. Testers are looking at:
- Third-party integrations and API connections
- Software build pipelines and CI/CD configurations
- Developer access controls and secrets management
This requires a different set of skills from network enumeration, and not every provider is equipped for it.
How AI Changed Both Sides of the Test
The arrival of generative AI has changed the work in two directions at once. Attackers now use it to write convincing phishing emails at scale, generate malware variants that slip past signature-based detection, and speed up the reconnaissance that used to take days. A tester who ignores this is working from an out-of-date picture of how breaches actually start.
On the testing side, AI and automation have become part of the toolkit too. Automated scanning handles the repetitive enumeration work, which frees up testers to focus on the chained, creative attacks that tools can't replicate. The skill now sits in interpreting results and thinking like an attacker, not in running the scan itself.
What hasn't changed is the need for a human in the loop. Automated tools are good at breadth, but they miss the logic flaws and the "if I combine these three minor issues" thinking that leads to a real compromise. A good modern assessment uses automation to cover ground quickly, then relies on experienced testers to find the things that matter.
Why Annual Testing Stopped Being Enough
For years, a pen test was an annual event, often booked to satisfy a compliance requirement and then forgotten until the following year. That rhythm made sense when environments stayed mostly static between tests. But it doesn't hold up now.
Cloud environments change daily. New code ships, infrastructure gets spun up, permissions get adjusted, and any of these changes can open a gap that a test from ten months ago would never have caught. A point-in-time snapshot tells you about your security on one specific day, and not much about the days after it.
This is why more organisations have moved towards continuous or periodic testing instead of the single yearly exercise. Penetration testing as a service has grown for the same reason, giving businesses regular assessments that keep pace with how often their systems actually change.
What to Think About When Scoping a Test Today
All of this lands on one practical point: scoping the test properly matters more than the test itself. Get the scope wrong and you can pass with flying colours while leaving the exact routes attackers use completely untouched. A clean report on your external network means very little if that's all anyone looked at.
Before you book anything, map out where your risk actually sits. Most businesses now have more of it outside the traditional network than in it:
- Cloud accounts and storage, and who can access them
- SaaS tools that hold your data
- Identity and login systems, including SSO
- Third-party software and integrations in your supply chain
Walk through that list with any provider you're considering and see how they respond. A capable tester will want to talk about all of it, not steer you straight back to a standard network scan because that's what they're set up to do.
Final Notes
Pen testing has grown up over the last few years because the attacks have done the same. Stolen logins, misconfigured cloud accounts, and compromised suppliers are now ordinary ways into a business, and none of them show up on a perimeter scan. A test that only looks at the network is checking the one door attackers have mostly stopped using.
So the real question you should put to any provider is simple. Can they assess the full picture, including your cloud, your identity systems, and your supply chain, instead of just the parts that were the whole story a while ago? If the answer is yes, you'll get a far truer sense of where you actually stand … and feel safer for it.