
Scheduling & Continuous Security

Why Scheduled Pentesting Matters

Security is not a one-time event. Your application changes with every deployment. New dependencies are added. Configurations drift. Third-party services update their APIs. A target that was secure last month may have new vulnerabilities today — not because you introduced them, but because the threat landscape evolves.

Scheduled pentesting provides continuous security assurance by running pentests at regular intervals, independent of your deployment pipeline. While CI/CD integration catches vulnerabilities introduced by code changes, scheduling catches vulnerabilities introduced by environmental changes, dependency updates, and newly disclosed CVEs.

Configuring Scheduled Pentests

TurboPentest's scheduling feature lets you define recurring pentests with full control over timing, tier, and notification preferences.

Creating a Schedule

Navigate to Schedules in the TurboPentest dashboard, or use the API:

POST /v1/schedules
{
  "name": "Weekly Production Scan",
  "target": "https://example.com",
  "tier": "standard",
  "cron": "0 2 * * 1",
  "timezone": "America/New_York",
  "notifications": {
    "slack_webhook": "https://hooks.slack.com/...",
    "email": ["security@example.com"],
    "jira_project": "SEC"
  },
  "options": {
    "tags": ["scheduled", "production"],
    "fail_threshold": "high"
  }
}

Cron Expressions

Schedules use standard cron syntax (minute, hour, day-of-month, month, day-of-week). Common patterns:

Pattern          Schedule
0 2 * * 1        Every Monday at 2:00 AM
0 3 * * *        Every day at 3:00 AM
0 0 1 * *        First day of every month at midnight
0 4 * * 1,4      Monday and Thursday at 4:00 AM
0 2 1,15 * *     1st and 15th of every month at 2:00 AM

All times are interpreted in the configured timezone. Schedule pentests during low-traffic hours to minimize any impact on your application.

Different targets warrant different scanning frequencies:

Weekly (production web applications): Your primary customer-facing applications should be scanned weekly. This catches newly disclosed vulnerabilities, configuration drift, and dependency updates.

Daily (staging/pre-production): If your team deploys frequently, daily scans of staging ensure issues are caught before they reach production.

Monthly (internal tools): Lower-risk internal applications can be scanned monthly unless they process sensitive data.

Bi-weekly (APIs and microservices): API surfaces that change frequently benefit from bi-weekly scans to catch breaking security changes.

Tier Selection for Schedules

Not every scheduled scan needs to be the most thorough tier. A balanced approach:

  • Weekly scans: standard tier — good coverage at reasonable cost
  • Monthly deep dive: deep tier — comprehensive analysis once a month
  • Post-incident: blitz tier — maximum coverage after a security event
  • Daily monitoring: recon tier — fast surface-level checks for major regressions

Finding Continuity Across Scheduled Pentests

The real power of scheduling emerges through finding continuity tracking. When pentests run against the same target repeatedly, TurboPentest automatically compares results to previous runs using vulnerability fingerprinting.

Status Tracking

Each finding is classified relative to the previous pentest:

  • New — First time this vulnerability has been observed
  • Persistent — The vulnerability was found in the previous pentest and remains unfixed
  • Fixed — The vulnerability was present in the previous pentest but is no longer detected
  • Regression — The vulnerability was previously fixed but has reappeared

Trend Dashboards

Scheduled pentests feed into trend dashboards that show:

  • Finding count over time — Is your total vulnerability count trending up or down?
  • Mean time to remediate (MTTR) — How long does it take your team to fix findings, broken down by severity?
  • Fix rate — What percentage of findings are resolved between consecutive pentests?
  • Regression rate — How often do fixed vulnerabilities reappear?

These metrics are essential for demonstrating security posture improvement to stakeholders, auditors, and compliance frameworks.
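
The status classification and the fix and regression rates described above can be reproduced from exported findings. The sketch below is an added example, not TurboPentest's code: the fingerprint fields, the finding field names, the function names and the exact rate definitions are assumptions, and the sample findings are constructed.

```python
import hashlib

# Constructed sample findings (not real scan output); field names are assumptions
SQLI = {"vuln_class": "sqli", "method": "get", "path": "/search/", "parameter": "q"}
XSS = {"vuln_class": "xss", "method": "POST", "path": "/comment", "parameter": "body"}
IDOR = {"vuln_class": "idor", "method": "GET", "path": "/api/orders", "parameter": "id"}

def fingerprint(finding):
    """Stable ID for a finding; the chosen fields are an assumption, not the product's scheme."""
    # Leave out volatile fields (timestamps, scan IDs, payloads) so reruns hash identically
    key = "|".join([finding["vuln_class"].lower(), finding["method"].upper(),
                    finding["path"].rstrip("/") or "/", finding.get("parameter", "")])
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def classify(history, current):
    """history: fingerprint sets of earlier runs, oldest first; current: set for the new run."""
    previous = history[-1] if history else set()
    ever_seen = set().union(*history)
    status = {}
    for fp in current:
        if fp in previous:
            status[fp] = "Persistent"
        elif fp in ever_seen:
            status[fp] = "Regression"  # seen earlier, absent from the last run, back now
        else:
            status[fp] = "New"
    for fp in previous - current:
        status[fp] = "Fixed"
    return status

def rates(history, current):
    """(fix rate, regression rate) as fractions for the newest pair of runs."""
    status = classify(history, current)
    previous = history[-1] if history else set()
    earlier_fixed = set().union(*history) - previous  # fixed as of the previous run
    fixed = sum(1 for s in status.values() if s == "Fixed")
    regressed = sum(1 for s in status.values() if s == "Regression")
    fix_rate = fixed / len(previous) if previous else 0.0
    regression_rate = regressed / len(earlier_fixed) if earlier_fixed else 0.0
    return fix_rate, regression_rate

# Three consecutive runs against one target, oldest first
RUNS = [{fingerprint(SQLI), fingerprint(XSS)}, {fingerprint(XSS)},
        {fingerprint(SQLI), fingerprint(IDOR)}]
```

Calling classify(RUNS[:2], RUNS[2]) marks the SQL injection as a Regression, the IDOR as New and the XSS as Fixed. Distinguishing a regression from a new finding requires the full history, not only the previous run.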

Compliance Alignment

Many compliance frameworks require evidence of continuous security testing:

  • SOC 2 — Demonstrate ongoing vulnerability management and remediation
  • ISO 27001 — Show regular security assessments with tracked improvements
  • PCI DSS — Quarterly external and internal vulnerability scans
  • HIPAA — Regular technical vulnerability assessment

Scheduled pentests with finding continuity tracking provide this evidence automatically. Export trend reports as PDF for audit submissions.

Managing Schedules

Pausing and Resuming

Schedules can be paused without deletion. This is useful during:

  • Major infrastructure migrations
  • Planned downtime windows
  • Credit conservation periods

Paused schedules retain their configuration and history. Resume at any time to continue the cadence.

Credit Budgets

Set a monthly credit budget for each schedule. If the budget is exhausted, the schedule pauses automatically and sends a notification. This prevents unexpected credit consumption from high-frequency schedules.

{
  "budget": {
    "monthly_limit": 10,
    "action_on_exhaust": "pause",
    "notify": ["admin@example.com"]
  }
}
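
A cron expression and a monthly budget interact: a schedule that fires more often than the budget allows pauses partway through the month and leaves the rest of it unscanned. The following added example (not TurboPentest's code) expands the cron patterns from the Cron Expressions table into wall-clock fire times in the schedule's configured timezone and finds the first run a budget cannot cover. The function names and `credits_per_run` are assumptions, since the page does not state what a run costs, and only `*`, numbers and comma lists are parsed.

```python
import calendar
from datetime import datetime

# Allowed range per field: minute, hour, day-of-month, month, day-of-week (0 = Sunday)
RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]

def parse_cron(expr):
    """Parse 5-field cron; supports '*', single numbers and comma lists only."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}")
    parsed = []
    for field, (lo, hi) in zip(fields, RANGES):
        values = set(range(lo, hi + 1)) if field == "*" else {int(v) for v in field.split(",")}
        if not all(lo <= v <= hi for v in values):
            raise ValueError(f"{field!r} outside {lo}-{hi}")
        parsed.append((values, field != "*"))  # (allowed values, field is restricted)
    return parsed

def fire_times(expr, year, month):
    """Wall-clock fire times in one month, in the schedule's configured timezone."""
    (mins, _), (hours, _), (doms, dom_r), (months, _), (dows, dow_r) = parse_cron(expr)
    if month not in months:
        return []
    out = []
    for day in range(1, calendar.monthrange(year, month)[1] + 1):
        cron_dow = datetime(year, month, day).isoweekday() % 7  # Sunday becomes 0
        # Standard cron rule: if both day fields are restricted, either may match
        if dom_r and dow_r:
            day_ok = day in doms or cron_dow in dows
        else:
            day_ok = day in doms and cron_dow in dows
        if day_ok:
            out += [datetime(year, month, day, h, m)
                    for h in sorted(hours) for m in sorted(mins)]
    return out

def first_unfunded_run(expr, year, month, monthly_limit, credits_per_run=1):
    """First run the budget cannot pay for (where the schedule would pause), or None."""
    runs = fire_times(expr, year, month)
    affordable = monthly_limit // credits_per_run  # credits_per_run is an assumed cost
    return runs[affordable] if len(runs) > affordable else None
```

With `monthly_limit` set to 10 and one credit per run, the daily pattern `0 3 * * *` exhausts its budget on the 11th of January 2025, while the weekly pattern `0 2 * * 1` stays within it.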

Schedule Groups

Organize multiple schedules into groups for managing related targets:

  • Production Group — All production services scanned weekly
  • Staging Group — All staging environments scanned daily
  • API Group — All public API endpoints scanned bi-weekly

Groups allow bulk operations: pause all, resume all, or change tier for all schedules in the group.

Best Practices

Start with weekly standard scans. This provides a good baseline for continuity tracking without excessive cost. Adjust frequency and tier based on your risk profile.

Schedule during off-peak hours. Run pentests when traffic is lowest to minimize any application impact.

Monitor MTTR trends. Mean time to remediate is the most actionable metric from scheduled pentesting. Set team goals to reduce it.

Use budgets to control costs. Set monthly credit limits per schedule to avoid surprise consumption.

Review regressions immediately. A regression (previously fixed vulnerability reappearing) often indicates a deployment that reverted a fix or a configuration change that re-exposed an old issue.