In today’s rapidly evolving digital landscape, organisations are investing more than ever in cybersecurity measures to confront a sophisticated threat landscape. However, many still rely on outdated point-in-time assessments that fail to keep pace with the dynamic nature of their environments.
In this Com-X Connects interview with our Co-Founder, Qui Truong, and Director of Sales and Marketing, Nick Cross, we explore how traditional security testing approaches leave ‘blind spots’ open, and why moving toward continuous validation and remediation is crucial for reducing real risk in today’s era of ever-increasing and automated attacks.
We dive deep into why old-school penetration tests and ceremonial annual audits simply aren’t enough, and how making security continuous can transform an organisation’s defensive posture and strengthen its resilience against attacks.
Understanding the Gap in Cybersecurity Confidence
Organisations are patching systems, monitoring threats and adhering to compliance obligations, yet many report a lack of daily confidence in their cybersecurity posture. Traditional vulnerability management approaches and annual testing are no longer sufficient in a world where environments change daily due to cloud updates, new applications and identity changes.
Compliance requirements save a business from cybercriminals, from hefty fines and from costly damage to its hard-earned reputation. A meticulously built and implemented compliance framework serves as a protective shield that keeps risks at bay.
Compliance is not optional. Organisations that choose to ignore it for convenience may receive an ‘expensive’ wake-up call capable of putting them out of business.
Qui highlights the reactive nature of annual penetration tests. "These requirements are often outdated," he explains, emphasising that cybercriminals do not wait for annual assessments to launch their attacks. Instead, organisations must adopt a proactive approach to continuously validate their security posture to mitigate risks effectively.
“At the end of the day, they don’t conveniently carry out an attack straight after you’ve done a penetration test and remediated everything.”
According to Verizon’s 2025 Data Breach Investigations Report, 30 per cent of breaches were linked to third-party involvement, double the previous year’s figure, and driven in part by vulnerability exploitation and business interruptions. Furthermore, only 54 per cent of perimeter-device vulnerabilities were fully remediated by organisations in the past year, while almost half remained unresolved.
That means the real question every security leader should be asking isn’t “what did we solve last July?” but “are we exposed right now?”

Continuous Vulnerability Management
The key to overcoming the identified gap lies in adopting a continuous business-aligned approach to vulnerability management. This shift allows organisations to have real-time visibility and assurance regarding their cybersecurity posture.
Qui emphasises that this approach not only provides clarity but also reduces surprises, allowing technology teams to focus on their core responsibilities without adding unnecessary complexity.
Security tests shouldn’t just be ceremonial outcomes that sit on a shelf until next year – they should drive better business decisions. “Having a flow of data and trend analysis allows boards to make better decisions,” said Qui. “Where to spend money, what their exposure actually is. You’re looking for an operational cycle where you’re constantly mitigating risk.”
Verizon’s 2025 Report found that 56 per cent of breaches took months or longer for the organisation to discover, and that 21 per cent of error-related breaches were due to misconfiguration. According to Gartner cloud security research, 36 per cent of companies were found to have suffered a serious cloud security leak, and 99 per cent of all firewall breaches are caused by misconfigurations.
Continuous data empowers leadership to prioritise what matters most – not just what’s easy to measure once a year.
What Happens When You Don’t
Real-time testing and validation are necessary because configuration drift and human error happen every day.
“I’ve seen this so many times – an admin makes a change to a firewall rule, opens web access to make the change, and forgets to close it,” said Qui. “The rules are so complex, they’ve accidentally opened another hole.”
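As an added illustration of the configuration drift described above (example code written for this article, not Com-X's own tooling): a small check that compares the firewall rules currently deployed against an approved baseline and flags any unapproved rule that exposes a sensitive port to any source. The rule format, the baseline and the "current" snapshot are all constructed sample data.

```python
# Added example: detect firewall rule drift against an approved baseline.
# Rule format and all sample data below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # source CIDR, or "any"
    dst_port: int   # 0 means "all ports"
    action: str     # "allow" or "deny"


# Constructed baseline: the rule set change control approved.
BASELINE = {
    Rule("allow-office-mgmt", "10.0.0.0/8", 443, "allow"),
    Rule("allow-public-web", "any", 443, "allow"),
    Rule("deny-all", "any", 0, "deny"),
}

# Constructed snapshot of what is actually deployed after an admin change:
# the temporary rule opened "to make the change" was never removed.
CURRENT = {
    Rule("allow-office-mgmt", "10.0.0.0/8", 443, "allow"),
    Rule("allow-public-web", "any", 443, "allow"),
    Rule("temp-admin-web", "any", 8443, "allow"),
    Rule("deny-all", "any", 0, "deny"),
}

# Ports that must never be reachable from "any" without an approved rule.
SENSITIVE_PORTS = {22, 3389, 8443, 3306, 5432}


def check_drift(baseline, current):
    """Return rules added or removed since the baseline, plus the subset of
    additions that allow a sensitive port from any source."""
    added = current - baseline
    removed = baseline - current
    exposed = [r for r in added
               if r.action == "allow" and r.src == "any"
               and r.dst_port in SENSITIVE_PORTS]
    return {"added": sorted(r.name for r in added),
            "removed": sorted(r.name for r in removed),
            "exposed": sorted(r.name for r in exposed)}


if __name__ == "__main__":
    # Run this on every snapshot, not once a year, and re-run after each fix.
    for kind, names in check_drift(BASELINE, CURRENT).items():
        print(f"{kind}: {names or 'none'}")
```

Running the same check again after the leftover rule is removed should report nothing in every category, which is the "immediate verification after fixes" the article calls for.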
The Cost of Waiting
“If you’ve got to pull out your insurance policy and claim on it, the damage is done,” said Qui. “The real damage isn’t just the loss of data – it’s the loss of your reputation. And that damage is almost irreparable at times.”
This perspective reframes cybersecurity spending as risk reduction, not checkbox compliance.
Break It Down: Practical, Bite-Sized Security
“How do you eat an elephant? One bite at a time.”
Qui offered this metaphor because it reflects a modular approach to security risk, where organisations reduce exposure continuously rather than waiting to repair everything at once. This leads to a model that shifts from big, infrequent firefighting to bite-size cost models that deliver value in manageable chunks.
Final Takeaways
• Traditional annual testing will always leave significant blind spots.
• Security programs must shift to ongoing validation and remediation.
• Continuous insights enable better business decisions and prioritisation.
• Smaller, bite-size testing and remediation cycles reduce cost and stress.
• Immediate verification after fixes is critical to real security outcomes.
If your organisation is still treating security as a once-a-year event, it might be time to invert that approach – shifting from ceremonial compliance to continuous assurance.
Start a conversation with Com-X today and find out how this approach could improve your organisation’s security posture.
Watch the full interview or listen to the discussion, because the threats your business faces aren’t waiting until next year, and the Com-X team can help you increase your resilience today.