Continuous Monitoring
24/7 automated security monitoring
Why Continuous Monitoring?
Traditional security assessments have limitations:
| Traditional Approach | Continuous Monitoring |
|---|---|
| Annual pentests | Daily to weekly pentests |
| Point-in-time snapshot | Always-current coverage |
| Findings stale within weeks | Vulnerabilities caught quickly |
| Gaps between tests | Continuous protection |
Your team ships code weekly—why test for vulnerabilities annually?
How It Works
Scheduled Pentesting
Configure automated pentests that fit your workflow:
| Schedule | Best For |
|---|---|
| Daily | High-velocity teams, CI/CD environments |
| Weekly | Most teams, balanced coverage |
| Monthly | Smaller teams, focused security effort |
| Custom | Compliance requirements, specific timing |
Risk Score
Track your overall security posture with a single metric that reflects vulnerability severity and risk factors.
Baseline Risk Score
How It's Calculated
The risk score (0-100) is calculated from your vulnerability data:
Base Score:
| Severity | Points per Finding |
|---|---|
| Critical | 40 points |
| High | 20 points |
| Medium | 5 points |
| Low | 1 point |
| Info | 0 points |
Risk Multipliers:
Additional factors increase your score:
| Factor | Multiplier | When Applied |
|---|---|---|
| Exploitable | ×1.5 | Known exploit code exists |
| Public-Facing | ×1.3 | Affects externally accessible components |
| Authentication | ×1.4 | Involves auth/authorization issues |
Multipliers stack multiplicatively. Example: 2 Critical + 1 High with exploitable code:
- Base: (2 × 40) + (1 × 20) = 100
- With exploitable multiplier: 100 × 1.5 = 150 → capped at 100
Risk Levels
| Score | Level | Indicator |
|---|---|---|
| 80-100 | Critical | Immediate action required |
| 60-79 | High | Attention needed |
| 40-59 | Medium | Monitor closely |
| 20-39 | Low | Good standing |
| 0-19 | Minimal | Excellent |
Benchmarks
- Typical First Scan: 30 — Most applications start here
- Industry Average: 45 — Median across all organizations
Dashboard Metrics
Trend Analysis
The dashboard tracks your risk score over time, showing:
- Historical risk scores by date
- Trend direction (improving, stable, degrading)
- Score changes after each pentest
A trend is considered:
- Improving — Score dropped by 5+ points
- Stable — Score changed by less than 5 points
- Degrading — Score increased by 5+ points
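The scoring rules (severity points, multipliers, cap at 100), the risk levels, and the trend thresholds described above, written out as an added example; this is not the product's own code. It assumes that each multiplier is applied once to the summed base score when any finding carries that factor, as in the page's worked example, and that the result is rounded to a whole number. The `Finding` type and the factor key names are hypothetical.

```python
from dataclasses import dataclass

# Values taken from the page's tables; the key names are hypothetical.
SEVERITY_POINTS = {"critical": 40, "high": 20, "medium": 5, "low": 1, "info": 0}
MULTIPLIERS = {"exploitable": 1.5, "public_facing": 1.3, "authentication": 1.4}
LEVELS = [(80, "Critical"), (60, "High"), (40, "Medium"), (20, "Low"), (0, "Minimal")]


@dataclass(frozen=True)
class Finding:
    severity: str
    factors: frozenset = frozenset()


def risk_score(findings):
    """Return the capped 0-100 score for a list of findings."""
    base = 0
    active = set()
    for f in findings:
        base += SEVERITY_POINTS[f.severity.lower()]  # KeyError on unknown severity
        unknown = set(f.factors) - set(MULTIPLIERS)
        if unknown:
            raise ValueError(f"unknown risk factor(s): {sorted(unknown)}")
        active |= f.factors
    # Assumption: a factor applies once to the summed base if any finding has it.
    score = float(base)
    for name in active:  # multipliers stack multiplicatively
        score *= MULTIPLIERS[name]
    return min(100, round(score))  # rounding is an assumption


def risk_level(score):
    if not 0 <= score <= 100:
        raise ValueError("score must be within 0-100")
    return next(label for floor, label in LEVELS if score >= floor)


def trend(previous, current):
    delta = current - previous
    if delta <= -5:
        return "improving"
    if delta >= 5:
        return "degrading"
    return "stable"


# Constructed sample: the page's example, 2 Critical + 1 High, exploitable.
PAGE_EXAMPLE = [Finding("critical", frozenset({"exploitable"})),
                Finding("critical"), Finding("high")]
```

Because of the cap, any score at 100 hides how far above the cap the uncapped value sits, so the severity distribution is still needed to tell two capped scans apart.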
Key Metrics
| Metric | What It Shows |
|---|---|
| Risk score | Overall security posture (0-100) |
| Vulnerability count | Total open issues over time |
| Severity distribution | Critical/High/Medium/Low breakdown |
| Mean Time to Remediate | Average fix time by severity |
| Pentest coverage | Percentage of assets tested recently |
Risk Indicators
Quick visibility into security status based on risk score:
| Indicator | Risk Level | Meaning |
|---|---|---|
| 🔴 | Critical (80-100) | Immediate action required |
| 🟠 | High (60-79) | Attention needed |
| 🟡 | Medium (40-59) | Monitor closely |
| 🟢 | Low/Minimal (0-39) | Good standing |
SOC 2 Compliance
Continuous monitoring satisfies SOC 2 requirements:
Trust Services Criteria CC4.1
"The entity continuously monitors the system..."
Demonstrated through:
- Scheduled automated pentesting
- Real-time vulnerability detection
- Documented testing frequency
Trust Services Criteria CC7.1
"The entity has implemented vulnerability management procedures..."
Demonstrated through:
- Prioritized vulnerability tracking
- Remediation timelines
- Evidence of fixes
See SOC 2 Reports for compliance documentation.
Last updated: February 1, 2026