PTaaS by the numbers: what we find when we never stop looking

There's a real difference between running a pentest and being tested all the time. The first gives you a photo — sharp the day it ends, faded a few weeks later. The second gives you the film. And the film is where the interesting stuff shows up.

For a while now we've been running that film — Continuous Pentest (PTaaS) through Deep Argus — without ever hitting pause. We decided to open up the numbers. No targets, no clients, no tool names: just what matters to people who own security decisions.

First, a deal: everything here already passed the filter. Every finding goes through a step that tries to knock down its own discovery — if it's noise, a false positive, or scanner drama, it's gone before it reaches you. What's left is real risk. That's the number we respect.

The scale, no fluff

That's 456 cycles of continuous testing and 1,067 confirmed vulnerabilities. This didn't come from one heroic week-long sprint — it came from a cadence that simply doesn't stop. Where an annual test hands you a PDF and silence until next year, the continuous engine keeps turning while your systems change.

Where the danger lives

Counting vulnerabilities is easy. What changes the game is knowing which ones keep you up at night. Here's the picture by severity:

// Confirmed vulnerabilities by severity
Critical: 13
High: 66
Medium: 126
Low: 71
Validated risk — only what survived adversarial disproof

That's 276 actionable exposures — and nearly one in three is high or critical. Not cosmetic alarms: 13 critical doors and 66 high-impact flaws found before an outsider found them. Each one is an incident that never happened.

And maybe the most important part: they keep showing up cycle after cycle, as releases ship and the surface shifts. It's exactly in those gaps — the ones an annual pentest never sees — that the continuous model wins the day.

What shows up most (and why)

When you look at the type of flaw that appears most, a pattern gets obvious — and it's reassuring, really: what hurts most isn't exotic at all.

// Top vulnerability classes
Misconfiguration: 73
Information exposure: 71
Authentication: 50
Access control: 47
SSRF & Injection: 12
Others (XSS, secrets…): 20
Distribution of confirmed exposures across 456 testing cycles

In plain English: misconfiguration, data exposed for no reason, logins you can work around, and reaching what you shouldn't reach. These are exactly the flaws that pile up between point-in-time tests — and that only a continuous cadence keeps on a leash. The rarer techniques (SSRF, injections, subdomain takeover, leaked secrets) show up less, but they're precisely the ones automated scanning misses and human depth catches.

The number we're proudest of

It's not the total findings. It's the discipline of validating before reporting. When every item on your team's desk is real, exploitable risk, the time wasted chasing false positives disappears — and the time to close what actually opens a door appears.

That's what Deep Argus delivers as Continuous Pentest (PTaaS): discovery that never pauses, exploitation that's actually validated, and a risk picture that follows your surface as it changes — all year, not once a year.

276 actionable exposures. 79 high or critical. 456 cycles. Zero pause.

Curious what those numbers look like on your attack surface? Request a PoC and we'll get the engine running.