Global big tech companies already conduct constant vulnerability verification as a standard.

Since 2014, Google has operated a dedicated research group called Project Zero, dedicating researchers' time 100% to discovering vulnerabilities and structurally improving security. In 2024 alone, Google awarded nearly $12 million in rewards to over 600 researchers worldwide through its vulnerability reward program. It also operates separate bug bounty programs related to generative AI, receiving over 150 reports.

Microsoft has been running an AI red team since 2018. In 2025, through its bug bounty program, it awarded $17 million, working with external researchers to enhance vulnerability discovery. Through ‘Zero Day Quest’, it concentrated on finding high-risk vulnerabilities in cloud and AI fields, and the ‘Secure Future Initiative’ report disclosed that 180 new vulnerabilities were preemptively discovered and addressed in this process.

AI is further accelerating the speed of cyber attacks.

In its threat intelligence report in August 2025, Anthropic revealed that Claude Code is used to automate reconnaissance, credential collection, and network infiltration, and has been exploited in data exfiltration campaigns against several international organizations.

The report included cases of less skilled attackers developing and selling ransomware with AI assistance. An additional evaluation in January 2026 indicated that the current Claude model has reached a level capable of conducting multi-stage attacks using only standard open source tools on networks of dozens of devices.

AI is not magic that creates hacking anew but serves as an accelerator that lowers the thresholds and increases the speed of preparing for and executing attacks.

In such an environment, the defensive approach must change. Continuous penetration testing is not about shaking every system daily.

First, you must always keep high-risk targets such as systems exposed externally, critical data, authentication frameworks, and partner connection segments up-to-date. Over this, you must layer regular penetration tests, blind tests, red teams, and bug bounties.

And the most crucial final step is post-action re-verification. It shouldn't end with finding but should be a loop of finding, fixing, and re-confirming.

Of course, it's not feasible for every company to have a dedicated red team. To have an organization that continuously designs attack scenarios, finds vulnerabilities, and conducts re-verifications like Google or Microsoft, you need manpower, budget, and operational experience. Especially for companies with fewer dedicated security personnel, small and medium enterprises, and companies rapidly operating services, it's challenging to create such a system alone.

However, abandoning continuous verification is not an option. A practical alternative in such cases is utilizing external experts and Penetration Testing as a Service (PTaaS). Continuous penetration testing isn't complete with only people or tools.

(Image)

Automated tools excel at broad, frequent checks. They can quickly scan areas needing frequent checks, such as asset changes, external exposure status, basic vulnerabilities, and repetitive verification. Meanwhile, expert staff are strong at delving deep. They identify bypass routes from an attacker's viewpoint, verify actual penetration possibilities by linking multiple weaknesses, and find issues needing contextual understanding like business logic loopholes or authorization misuse. Simply put, tools look broadly, while experts look deeply. For a continuous verification system to function properly, both must work in tandem.

It's about performing penetration testing with expert help as needed and not ending with a single report but continuing with repeated checks and re-verification. Even companies unable to maintain a large internal red team can utilize external expertise to create an operating model close to a continuous verification system.

The key is not the organizational form but the continuity of verification. If internal capabilities are lacking, it's more realistic and effective to use experts and services to maintain an unbroken loop of inspection-action-re-verification.