OPINION // 2026-03-04
Why the pentest industry needs to rebrand.
A long view on the gap between what pentest customers buy and what they actually need — and where audit firms fit.
A caveat before the argument
The author has a stake in this conversation. Labs is an audit firm and competes for budget with pentest firms. The reader should weight what follows accordingly.
That said, the argument below has been made by several senior practitioners in the pentest industry itself, over the last three years, in private. It is not a Labs invention. It is a consolidated version of a critique that has been building inside the industry and is starting to surface publicly.
Where the category came from
Penetration testing as a commercial service emerged in the 1990s, in a network architecture where:
- Most assets the buyer cared about were inside a perimeter
- The perimeter was a real network boundary, with a finite number of ingress points
- Most adversaries used direct network exploitation as their primary technique
- The buyer's defensive posture was measured by what survived a direct attack
In that world, "hire a small team to act as adversaries and try to break in" was a coherent product. The product matched the threat model.
The architecture changed. The threat model changed. The product did not change to the extent it should have.
What changed
Three architectural shifts that decoupled the pentest product from the threat model:
1. The perimeter dissolved. Cloud, SaaS, third-party APIs, and remote work mean the "assets the buyer cares about" are no longer behind a network boundary. Many of them are not even on the buyer's infrastructure. A pentest that focuses on "what can the team break into from outside" addresses a shrinking fraction of the surface.
2. Adversaries became patient. Modern adversaries rarely break in. They wait for credentials to leak, dependencies to be compromised, supply-chain artefacts to be exposed, or employees to be phished. The high-value adversary technique is not exploitation; it is acquisition. The pentest is calibrated for the wrong adversary stance.
3. Compliance regimes evolved. NIS2, DORA, the updated SOC2 expectations, the cyber-insurance underwriting standards — these increasingly ask for evidence of current surface posture, not evidence of historical pentest survival. The deliverable shape that satisfies these regimes is an attestation about the current state of the public surface. A pentest report does not satisfy that requirement.
What the pentest product still does well
The category is not obsolete. Three contexts where a pentest is the right purchase:
1. Authorised offensive validation of a specific control. The buyer has deployed a new authentication flow, a new firewall rule, a new segmentation boundary. The buyer wants to know whether a determined adversary can defeat the specific control. A scoped pentest is the right product.
2. Compliance regimes that explicitly require pentest evidence. Some regulated industries — PCI-DSS in particular — still mandate pentest evidence in specific forms. The buyer must produce the artefact. The pentest produces it.
3. Red-team simulation with assumed-breach scenarios. The buyer wants to know how the security team responds when the breach is already inside. A red-team simulation tests the response, not the prevention.
These are all real categories. They are smaller than the current pentest market, in our estimation. The mismatch between market size and use-case fit is the rebrand opportunity.
What the market actually needs more of
In the same architectural era, the underserved categories are:
1. External attack-surface audit. Continuous or periodic inspection of the buyer's public footprint — registries, repositories, indices, artefact storage — for current exposures. This is the surface a modern adversary actually reads first.
2. Supply-chain audit. Inspection of the buyer's dependency graph for the canaries that lead to package compromise: maintainer transfers, install-script changes, namespace squatting, derivative credentials.
3. AI-assisted code audit. Specific inspection of code produced by AI-assisted workflows for the default patterns those workflows reproduce. This is a 2026 category that did not exist in 2023.
4. Post-incident impact audit. After a known credential leak or supply-chain incident, an audit that walks the surface to bound the actual impact, separate from the incident-response work.
All four are categories Labs operates in. None are pentests. All would benefit from a market that distinguished them clearly.
What "rebrand" means concretely
The pentest industry rebranding does not mean every pentest firm becomes an audit firm. It means the language stops conflating two products that serve different threat models.
A buyer asking the market for "a pentest" in 2026 receives proposals that range from:
- A two-week external network scan with manual validation of findings
- A red-team simulation with social-engineering and physical components
- A continuous attack-surface monitoring platform
- A founder-led audit engagement with a signed attestation
These are four products. The market currently labels all four "pentest" some of the time. The buyer cannot procure correctly when the category is overloaded.
A useful rebrand would distinguish:
- External attack-surface audit (what Labs sells) — outside-in, non-probing, signed attestation
- Continuous monitoring (what bleedwatch.com sells) — outside-in, automated, real-time
- Pentest (what specialist firms sell) — scoped, authorised, probing, control-validation
- Red-team simulation (what fewer firms sell well) — adversary emulation with end-to-end response testing
- Bug bounty (a different procurement category) — crowd-sourced, time-unbounded, reward-driven
Each of these is a legitimate category. None replaces the others. The procurement function deserves the vocabulary to ask for what they need.
Why this matters for the buyer right now
A CISO planning a 2026 cybersecurity audit budget who has only one line item labelled "pentest" is asking the market the wrong question. The right questions, in order:
- "What are my surface audit needs, and have I budgeted for them as a distinct line?"
- "What are my probing-test needs (compliance, control validation), and which provider is appropriate?"
- "Do I need continuous monitoring after the audit, or is point-in-time evidence sufficient?"
- "What does my regulator or insurer specifically require as artefact, in each of these categories?"
The answers should produce a portfolio. The portfolio will contain a pentest line for some buyers and not for others. The audit line will exist for most. The continuous-monitoring line will exist for regulated ones.
A buyer whose portfolio currently contains only the pentest line is, in 2026, almost certainly underprocured on audit. That is the actionable observation. The treatment is a 3-day Discovery Brief that proves the gap concretely.
A note on tone
This essay is more polemic than most Labs research. The reason is that the misalignment between pentest market and threat model produces wasted budget and false reassurance, both of which Labs encounters during scoping conversations regularly. Buyers walk in saying "we just did a pentest, we should be fine for this year." The diagnostic five minutes later finds exposure the pentest could not have surfaced because it was outside the pentest's scope by construction.
The buyer is not wrong to have done the pentest. The buyer is wrong to think the pentest covered what it did not. That is the conversation this essay is for.
AUTHOR
BleedWatch Labs founder
Founder-led research from the same auditor of record who signs Labs engagements. Specific client references and prior research identifiers are shared under reciprocal NDA when relevant.