Why Pen Testing Can’t Be a Checkbox Anymore: Plainsea’s Marko Simeonov on Building Continuous Security from the Inside Out

TheRecursive.com

Penetration testing is still being treated by many organizations as a once-a-year compliance exercise – a box to tick rather than a meaningful security practice. But with cyber threats evolving daily and regulatory pressure mounting across Central and Eastern Europe (CEE), that mindset is becoming a dangerous liability for both governments and organizations.

In this interview, Marko Simeonov, CEO of Plainsea, explains why the traditional pen testing model is no longer fit for purpose and how his team is redefining it as a continuous, human-in-the-loop process. Simeonov also reflects on the cybersecurity challenges and opportunities in the CEE region and why building local resilience begins with empowering local talent and modernizing the tools they use.

What are the main limitations of traditional penetration testing models that Plainsea set out to overcome – and why do these limitations persist in so many organizations today? What mistakes do you usually observe?

The most common mistake is assuming penetration testing is simply a one-off project that functions as a compliance checkbox. This approach is fundamentally flawed because it fails to account for the dynamic nature of modern IT environments. Vulnerabilities can emerge daily, so treating pen testing as an annual or quarterly exercise rather than a continuous process is what keeps organizations always one step behind the adversary.

This is why, at Plainsea, we set out to challenge this model by enabling continuous penetration testing. Not just automating a few mundane tasks like other solutions do, but giving human testers the ability to stay embedded within the organization’s testing lifecycle, adapt to infrastructure changes, and surface findings dynamically.

How does Plainsea’s model of continuous penetration testing work in practice – and what does it change for both internal security teams and external testing providers? 

Continuous pen testing means rethinking not just the testing cadence but the way the entire process is orchestrated, as I mentioned earlier. At Plainsea, we’ve built a platform that enables internal security teams and external testers to operate within a shared, unified system – where new assets, findings, risks, and priorities can be tracked in near real time.

For internal pen testing teams, this means far better control and visibility. They can triage, assign, and resolve issues as they appear and have everything in one place.

For service providers, it’s an opportunity to offer new value – transforming a once-linear engagement into an ongoing partnership. And for both sides, it’s a move toward real operational resilience.

Many cybersecurity platforms lean heavily into automation. How does Plainsea strike a balance between smart automation and the human expertise that’s still critical in pen testing? 

Automation should never be about eliminating the human from the equation – it’s about reducing noise and optimizing manual work so the human can focus on the complex problems. For example, automating CVE enrichment or report generation can save hours of work. But identifying real-world risk? Contextualizing a business impact? That still requires human judgment.

With that idea in mind, at Plainsea, we’ve automated the parts that testers and clients alike find tedious: scoping, documentation, vulnerability information enrichment, CVE mapping, formatting, and reporting. That frees up ethical hackers to do what they do best – think creatively and critically.

How does Plainsea help security leaders move from reactive, ad-hoc security postures to a more proactive and measurable approach to risk reduction? 

Proactivity in cybersecurity isn’t just about finding vulnerabilities faster — it’s about closing the loop. That means asking: are we reducing risk? Are we getting better over time? And can we prove it?

Plainsea helps leaders answer those questions with confidence. Our platform tracks trends across projects, business units, and even external providers. It brings consistency to reporting, structure to remediation, and accountability to the process.

When security becomes measurable, it becomes manageable. That’s the shift – from reactive firefighting to strategic, continuous improvement.

What unique cybersecurity challenges or opportunities do you see emerging from the CEE region and how is Plainsea positioning itself in this context?

Central and Eastern Europe (CEE) sits at a pivotal intersection of digital ambition and cybersecurity urgency. The region has become one of Europe’s biggest investors in cybersecurity and defense technologies – and it’s doing so in a context shaped by proximity to geopolitical tensions, growing regulatory pressure, and an increasingly sophisticated threat landscape. The result is a complex, fast-moving cybersecurity landscape – full of potential but also growing pains.

For all its momentum, the region still faces a serious disconnect between strong, yet limited technical talent and the operational maturity required to translate that talent into sustained resilience.

You’ll find exceptional security engineers in places like Romania, Bulgaria, and Poland – professionals who could easily stand shoulder-to-shoulder with their colleagues worldwide. Yet, many operate within organizations where penetration tests are still commissioned only after an audit finding or a breach. Incident response plans often exist more on paper than in practice. Risk ownership is dispersed, and remediation workflows are rarely embedded into broader security strategies. The result is that, on one hand, many organizations remain in a reactive posture, despite having the raw capability to do more. On the other – it creates a brain drain of CEE’s cybersecurity workforce.

Lithuania, for example, continues to report major difficulties in hiring experienced cybersecurity professionals, with some positions remaining vacant for months despite competitive salaries. Similar shortages are being felt in Hungary, the Czech Republic, and across the region – especially as the NIS2 Directive and other EU-wide frameworks begin to raise the bar on accountability, reporting, and cyber readiness.

And yet – this isn’t just a challenge – it’s an opportunity. Countries like Estonia have demonstrated what’s possible with integrated public-private cybersecurity ecosystems. Poland’s MSSP sector is rapidly evolving, with more providers moving toward continuous testing and offensive security-as-a-service. Indigenous security companies like ESET and Safetech Innovations are proving that global-grade cybersecurity doesn’t have to be imported – it can be grown right here.

All of this is proof CEE doesn’t need to replicate the slower-moving enterprise security models of Western Europe. It has the chance to build leaner, smarter, and more agile service delivery models – if the tools and infrastructure allow it. That’s exactly where our platform is focused: giving service providers and security teams the operational backbone to offer scalable, continuous testing – without overwhelming resources or burning out existing talent.

We’re not trying to “export Silicon Valley.” We’re building something grounded in the needs, speed, and strengths of the region.

Looking ahead, what’s your vision for the future of penetration testing – especially as AI capabilities grow and compliance expectations evolve?

AI will help us scale – no question. It will generate payloads, simulate lateral movement, and even flag anomalous behavior that a human might overlook. But AI won’t tell you WHY something matters in your specific context – that still requires a human analyst who understands business risk, not just system behavior.

What we’re moving toward is a world where pen testing is no longer a periodic audit but a continuous and integral part of the security lifecycle. Compliance regimes like NIS2 and DORA are already nudging organizations in that direction – not just asking if a test was done, but how frequently, how effectively, and how findings translate into remediation and resilience.

I believe the next five years will be about transforming penetration testing into a strategic layer in enterprise risk management – integrated with CI/CD, aligned with risk governance, and enriched by AI in a way that elevates, rather than replaces, human expertise. That’s how we’ll keep up with adversaries who are already moving at machine speed – while still defending with human insight.

This article is part of The state of defense and cybersecurity tech in CEE. Download the full report here!

Etien Yovchev is a co-founder and Chief Editor at The Recursive, an online media outlet dedicated to the emerging tech and startup ecosystems in Southeast Europe. He has told the stories of over 200 ventures from the region and aims to provide high-quality constructive reporting on the progress of the SEE innovation ecosystem, making sure that the stories of promising local founders reach global audiences. Etien holds an MSc degree in Innovation Management from RSM, Erasmus University Rotterdam and has more than 4 years of experience in the commercialization of new products, having worked with many early-stage companies and a few corporate innovation departments across Bulgaria, the Netherlands, and the USA.