Skip to main content
CybersecurityHacking

AI Drives Shift to Continuous Penetration Testing in Cloud Environments

Security professional stands in front of rows of server racks and workstations in a modern data center.
"AI is one of the biggest transformations ever in technology," said Shahar Peled, framing a shift that Evinova says has reshaped how it tests and validates security in cloud-native healthcare software.

Evinova moves from annual pen tests to continuous security validation

Evinova, a software-as-a-service unit of pharmaceutical giant AstraZeneca that supports clinical trials and patient engagement for customers including pharmaceutical manufacturers and contract research organizations across global markets, has abandoned traditional annual penetration testing in favor of ongoing validation. Adeeb Mahmood, Evinova’s head of cybersecurity, described the previous model as "your traditional annual point-in-time" assessment that focused on identity and data-security controls but left organizations exposed between tests.

Mahmood said the company now uses continuous, AI-powered testing supplied by Terra Security to align security validation with rapid software release cycles and the company’s "evolving attack surfaces." That change is intended to keep assessments concurrent with development and deployment rather than episodic snapshots.

Terra Security’s AI-native platform and the case for autonomous testing

Terra Security, led by CEO and co-founder Shahar Peled, provides an AI-native platform for autonomous, continuous penetration testing. Peled described the combination of AI and pen testing as a move "from defense to offense, moving from reactive to proactive." He said that integrating AI enables a red-teaming posture across internal and external networks and "every vector," positioning continuous testing as a persistent security validation layer rather than an intermittent compliance exercise.

The two executives discussed the transition in a video interview with ISMG, laying out how an AI-driven service can simulate offensive techniques at scale and on an ongoing basis — a capability Terra Security markets as autonomous and continuous.

How AI closed a visibility gap and changed engineering decisions at Evinova

Mahmood credited the AI-enabled approach with closing a visibility gap that previously hindered coordinated decision-making between engineering and security teams. He said continuous testing improved decision-making across those teams, implying that test results are now timely enough to inform development cycles and remediation priorities rather than arriving after the fact.

Those operational details sit alongside Evinova’s compliance posture: Mahmood leads a global cybersecurity program aligned to the NIST Cybersecurity Framework v2.0, with ISO 27001:2022 certification and continuous third-party audit and attestation across SOC2, MLPS, GDPR, GxP and FDA 21 CFR Part 11 requirements. Mahmood has led that program from inception and brings more than 16 years of cybersecurity experience, including roles at Siemens and 3M.

AI in the hands of adversaries: a conversation acknowledged, not solved

Both Mahmood and Peled acknowledged the dual-use nature of AI. The interview covered "AI in the hands of adversaries," recognizing that the same generative and automation capabilities underpinning continuous offensive testing can also empower threat actors. While the conversation did not quantify adversary capabilities, the hosts treated offensive AI as a factor that increases urgency for continuous validation rather than a reason to delay automation.

What this means for technologists and security teams, affected enterprises, and adversaries

  • Technologists and security teams: Mahmood’s account signals that engineering and security must integrate continuous testing outputs into development pipelines to keep pace with rapid releases. Teams should expect more frequent, actionable vulnerability data rather than once-a-year reports.
  • Affected enterprises and procurement leaders: Organizations that buy or operate clinical-trial and patient-engagement platforms will see a shift in procurement conversations toward continuous validation capabilities and sustained third-party attestation across standards named by Evinova (SOC2, MLPS, GDPR, GxP, FDA 21 CFR Part 11).
  • Adversaries: Both executives flagged AI-enabled offensive tooling as a risk vector; the industry response described in the interview is to adopt AI-enabled continuous pen testing to negate attacker advantages by validating defenses on the same cadence attackers can iterate.

Next steps and the remaining question

Mahmood and Peled framed AI-enabled continuous penetration testing as both a corrective for the limitations of point-in-time assessments and a proactive security posture that matches the tempo of modern software delivery. Terra Security positions its platform as autonomous and continuous; Evinova positions continuous validation as essential for supporting regulated digital health products across complex compliance regimes.

One concrete question remains embedded in their account: can continuous, AI-driven validation scale across diverse regulated environments while preserving the attestations and controls required by frameworks such as ISO 27001:2022 and FDA 21 CFR Part 11? Evinova’s experience offers one operational example, but the broader test will be whether other regulated providers can adopt AI-native continuous testing without disrupting compliance and governance demands.

Original story: https://www.govinfosecurity.com/how-ai-drives-shift-to-continuous-pen-testing-at-evinova-a-31530