Penetration testing should be performed on a regular basis (at least once a year) to ensure more consistent IT and network security management by revealing how newly discovered threats (0-days, 1-days) or emerging vulnerabilities might be exploited by malicious hackers.
In addition to regularly scheduled analysis and assessments required by regulations such as GDPR, PCI-DSS tests should also be run whenever:
- New network infrastructure or applications are added
- Significant upgrades or modifications are applied to infrastructure or applications
- New office locations are established
- Security patches are applied
- End user policies are modified.