Continuous Security Testing
Penetration Testing as a Service

What is PTaaS?
Penetration testing as a service, not a one-off engagement
Penetration Testing as a Service (PTaaS) delivers ongoing, manual penetration testing through a fixed monthly retainer rather than a one-off engagement. Instead of testing once and waiting a year, your attack surface is assessed continuously as your product, infrastructure, and team evolve.
PTaaS, sometimes called continuous security testing, is built for organisations where the gap between annual tests has become a meaningful risk. If your codebase ships weekly, your infrastructure changes regularly, or you need a continuous record of testing for compliance purposes, then an ongoing testing engagement provides the coverage that a point-in-time test cannot.
An organisation shipping features weekly can introduce dozens of new attack paths between annual tests: new endpoints that were never in scope, changed infrastructure, regressions in recently-updated code. Over a PTaaS engagement, testing keeps pace with those changes rather than capturing a snapshot of a system that may look quite different by the time the report is read.
Engagements start from £3,800 per month and are delivered by UK-based consultants working directly with you throughout. Nothing is outsourced or subcontracted.
Is PTaaS Right for You?
When to choose continuous testing over a point-in-time pentest
A one-off penetration test makes sense for a specific moment - a compliance deadline, a product launch, a board requirement. PTaaS is built for something different. Consider PTaaS if any of the following apply to your organisation.
Your product ships continuously
You've outgrown the annual pentest
You need predictable security spend
You want a security partner, not a supplier
You're preparing for or maintaining a certification
You're a DevSecOps team that needs security integrated into delivery
How PTaaS Works
How Exploitr's PTaaS is delivered
Scope Once
We work with you to define assets, environments, and rules of engagement upfront. You approve the scope and we operate within it for the duration of the subscription, so there are no repeat scoping calls or new contracts each time testing starts.
If your environment changes significantly, scope can be adjusted by agreement.
Continuous or Scheduled Delivery
Direct and schedule testing yourself, or allow our consultants to independently pursue the highest-risk attack paths within your approved scope.
We can align with your sprint or release cadence, test ahead of key deployments, or run on a continuous rolling basis between changes. The approach is agreed at the start and can be adjusted as your delivery rhythm evolves.
Immediate Finding Visibility
Findings are delivered as testing happens via our Attack Surface Center platform, not weeks later in a static PDF.
You see vulnerabilities as they are discovered, with severity ratings, reproduction steps, and remediation guidance available immediately. Your development team can begin remediation while testing is still in progress.
Track Remediation & Retest
Use our platform to track the status of every finding from discovery through to remediation. Fix an issue and request a retest directly within the platform, without starting a new engagement or re-scoping the work.
Retesting is included within your monthly subscription, so there are no additional charges to verify that a vulnerability has been resolved.
Ongoing Consultant Access
Your assigned consultant is your direct point of contact for the duration of the subscription, not an account manager or a rotating team.
Questions about findings, discussions about remediation approaches, and input on upcoming changes are handled directly by the consultant who has been testing your environment.
Over time, that familiarity with your architecture and risk profile produces better-quality findings than a tester seeing the environment for the first time.
Pricing
From £3,800/mo
for continuous penetration testing
Not sure what level of coverage your organisation needs? A 30-minute scoping call is free and gets you a fixed written quote.
No obligation · Strictly confidential · Quote within one business day
Pricing Examples
| PTaaS Standard: 4 testing days/month | From £3,800/mo |
| PTaaS Advanced: 8 testing days/month | From £6,800/mo |
| PTaaS Scale: 12 testing days/month | From £9,900/mo |
| PTaaS Dedicated: 20 testing days/month | From £16,000/mo |
All plans are fixed-price and all-inclusive. The difference between tiers is capacity - not tester seniority or testing depth.
Larger subscriptions benefit from preferential pricing because we can allocate consistent tester availability and reduce scheduling overhead.
What's Included
- A predictable monthly cost for penetration testing
- Findings delivered continuously via our platform or report
- Manual, consultant-led testing. Not automated scans
- Visibility of your attack surface via the Attack Surface Center
- No obligation quote, all enquiries are fully confidential
Common Questions
Penetration testing as a service - frequently asked questions
A testing day represents up to 8 hours of active manual penetration testing and reporting performed by an experienced tester. Testing time includes manual testing and exploitation, analysis and validation of findings, writing findings and remediation guidance, and coordination with the customer. It does not include sales or account management overhead.
Yes. All plans are all-inclusive. There are no additional charges for reporting, retesting, or reasonable clarification sessions.
PTaaS can be used to cover most of our testing services, including web application pentesting, external penetration testing, internal network penetration testing, and API pentesting.
Unused days expire at the end of each month. Capacity is reserved exclusively for you, ensuring availability when you need it.
Yes. Scope can be adjusted by agreement and you can upgrade your plan at any time. We require written authorisation for testing but will make this as easy as possible as part of our ongoing service.
We work best when considered an extension of your team. A common pattern is a pre-engagement meeting before a staging or production release, then testing begins when the environment is ready. We adapt to your sprint cadence, not the other way around.
A standard penetration test is a one-off engagement with a fixed scope and a single report. PTaaS replaces that with a monthly retainer providing ongoing testing capacity, continuous finding visibility through our platform, and a consultant who builds familiarity with your environment over time. The cost is predictable, coverage is continuous, and retesting is included.
PTaaS produces a continuous record of security testing activity throughout the year: dated test records, findings with severity ratings and remediation guidance, and retest confirmations as issues are resolved.
Frameworks such as ISO 27001 and SOC 2 expect ongoing evidence of security assurance rather than a single point-in-time report, and a twelve-month PTaaS testing log is straightforward to present to an auditor or assessor.
We can provide findings exports and reporting in formats suited to your audit requirements on request.
Ready for continuous security coverage?
Get a fixed-price quote within 24 hours. Our team will scope a PTaaS plan that fits your team's delivery rhythm and budget.
