Ahead of Cyber Security & Cloud Expo, Outpost24 explains why integrating pen testing and threat intel is vital for DevOps.
Security teams frequently manage pen testing and threat intelligence as distinct, unconnected workstreams. This separation creates a structural weakness that adversaries are increasingly exploiting.
Marcelo Castro Escalada, Senior Product Manager at Outpost24, warns the traditional model is no longer sufficient. For engineering leads and technical architects, the friction between maintaining delivery velocity and enforcing security governance is a constant battle. The standard cadence (build, pause for assessment, patch, release) struggles to keep pace with an adversary landscape that operates continuously.
“The key blind spot this creates is that organisations assess security in static, point-in-time silos, while modern attackers operate in a continuous, adaptive, and externally-driven way,” says Marcelo.
Current frameworks typically treat these functions as isolated inputs. Pen testing validates a scoped environment at a specific moment, often lacking real-time context. Threat intelligence offers data on adversary tactics but is rarely translated into concrete testing parameters. Meanwhile, External Attack Surface Management (EASM) identifies internet-facing assets but often lacks the context to validate exploitability.
These disconnects result in an aggregate view that fails to match the reality of a targeted attack. Marcelo advocates for integrating these disciplines to shift the security programme from isolated exercises to a continuous exposure management model. In this structure, external assets are prioritised based on active threat intelligence and validated through adversary-aligned testing.
“This directly addresses the gap between how defenders traditionally operate and how attackers exploit organisations today,” Marcelo notes.
The governance trap
For DevOps teams, new security methodologies often signal increased friction: more gates, more manual approvals, and slower deployment frequency.
Marcelo argues that tightening control is the wrong instinct. “Enforcing stricter deployment governance is not the solution to accelerating development cycles—that approach reflects an outdated, gate-based security model,” he explains.
The objective is to embed security capabilities that function at the same velocity as DevOps. “Security should not act as a stopper, but as an embedded capability that operates at the same velocity as DevOps,” Marcelo states.
This requires integrating security throughout the development lifecycle via a Secure SDLC. By automating controls and continuously validating risk within CI/CD pipelines, teams can reduce remediation costs and ship faster without accumulating hidden debt.
Synergies between EASM, Pen Testing as a Service (PTaaS), and threat intelligence extend this model beyond in-house development, providing visibility into exposed assets without introducing manual bottlenecks.
Third-party integration risks
The attack surface has expanded beyond internal code to include the mesh of services that code connects to. Data from Outpost24 identifies third-party integrations as the most immediate risk to enterprise environments.
“In many cases observed throughout 2025, the initial access vector was leaked or stolen credentials, but the real impact occurred after access was gained, when threat actors abused poorly monitored third-party integrations to move laterally, escalate privileges, or access sensitive data,” says Marcelo.
Attackers are combining common techniques – such as credential compromise and trusted integrations – to exploit gaps in governance rather than purely technical vulnerabilities. For engineers, it is important to distinguish between malice and oversight.
“In most cases, unmonitored assets result from well-intentioned tools or deployments that were simply forgotten, rather than malicious evasion,” Marcelo says. This distinction dictates the response: forgotten assets require better discovery and tooling, whereas malicious evasion demands active threat detection.
Structuring for collaboration
Moving to this unified model requires organisational alignment. “Organisations need to align their Threat Intelligence, EASM, and AppSec teams around shared objectives, metrics, and workflows, rather than letting each operate in isolation,” Marcelo advises.
This often necessitates cross-functional pods or liaison roles to formalise information sharing. Innovating by combining methodologies can introduce complexity, so teams should validate new integrations in limited-scope pilots before broader rollout.
“Implementing the right process around the tools is as important as the tools you implement,” Marcelo states.
Effectiveness in this integrated model is measured differently than in siloed compliance checks. Marcelo points to three primary KPIs for maturity:
- External Exposure Reduction Rate (EERR) tracks how effectively the organisation reduces its real, externally exploitable attack surface.
- Mean Time to Remediate Exploitable Findings (MTTR-EF) measures the speed at which the organisation closes validated, attacker-relevant weaknesses.
- Threat Intelligence Actionability Ratio (TIAR) assesses “how much threat intelligence actually drives defensive or preventive action, versus just being consumed passively.”
“In this model, security scales with delivery speed rather than constraining it, and is rightly treated as a long-term investment in resilience rather than a tax on innovation,” Marcelo concludes.
Outpost24 is a key sponsor of this year’s Cyber Security & Cloud Expo Global. Hear more directly from the company’s experts, including Marcelo Castro Escalada, during the event in London on 4-5 February 2026. Be sure to check out Marcelo’s day one presentation titled ‘Pulled Pork and Watermelon – How to Leverage Unlikely Synergies in Modern Cybersecurity’ and swing by Outpost24’s booth at stand #75.