// 3 CVE · 4 EXPLOIT IN THE LAST 24H
Gartner formalizes the COST framework for continuous vulnerability validation. Exploit time has compressed to under 10 hours, and 53% of professionals consider traditional pentesting obsolete by the time the report lands.

2026 marked a point of no return for enterprise offensive security. The average time between disclosure of a zero-day vulnerability and its weaponization into a working exploit — the so-called "Zero Day Clock" — has dropped to under 10 hours, down from roughly 53 days two years ago. Against this backdrop, Gartner published the report "How to Implement a Continuous Offensive Security Testing Program," which defines the COST framework: a structured model to replace the "scan-schedule-patch" cycle with a continuous loop of validation, decision, and re-validation. The central claim is that no single tool — not even traditional penetration testing — can close the gap between vulnerability discovery and proof of actual exploitability on its own.

Key Takeaways
  • Gartner predicts that by 2028, over 60% of enterprise pen-test programs will have abandoned the annual cycle for continuous validation
  • The COST framework is structured around Design-Build-Run-Improve with three pillars: change-based triggers, a unified sensing layer, and orchestration of multiple methods
  • In 2025, 49,183 new CVEs were published — about 135 per day — a roughly 40% year-over-year increase; less than 0.5% are patched
  • 94% of organizations consider it important to keep humans in the loop for offensive security programs, according to Omdia research surveying 400 professionals

The Decision Problem COST Solves

The core of the Gartner framework isn't technological — it's epistemological. "The hard part was never finding the exposure. It was deciding what to do about it: whether to patch, mitigate, monitor, or accept, and banking that that decision would still hold tomorrow." This framing, reported by Help Net Security based on the Gartner report, identifies the true bottleneck in enterprise security: the decision, not the discovery.

A traditional penetration test answers that question for the day it runs, "then silently expires." COST replaces that expiration with a system where validation is triggered by real changes — new assets, control drift, threat intelligence updates — not calendar dates. The sensing layer unifies data from existing scanners; the orchestration coordinates pentesting, control validation, red teaming, bug bounty, and Adversarial Exposure Validation (AEV) into an integrated workflow.

The operational consequence is a decision chain of custody: every validated vulnerability enters a ticket system (Jira/ServiceNow) with a traceable state, and post-fix re-validation is automatic. This solves the "report shelfware" problem, where annual pentesting results pile up without action.

Why Orchestration Is Harder Than Buying Another Tool

The COST framework demands a workflow redesign, not a purchase. Technologically, the model rests on three components many organizations have yet to integrate.

First, a unified sensing layer that ingests and normalizes data from existing scanners — a data engineering challenge often underestimated. Second, orchestration of multiple methods with different risk profiles: autonomous pentesting with AI agents covers the roughly 10-15% of assets testable with live exploits, while TTP-chain validation covers the remaining 85-90% through inference without detonation. Third, integration with ticketing systems and a human-in-the-loop instance for critical decisions and destructive actions.

Picus, a vendor positioned by Gartner in the COST vendor matrix for Adversarial Exposure Validation, describes this convergence as a union of three disciplines: Breach and Attack Simulation, Autonomous Penetration Testing, and Exposure Validation. TTP-chain validation, in particular, enables exploitability testing without live detonation — a non-negotiable requirement for production environments.

Rapid7 has formalized a similar approach in its multi-agent AI architecture for red teaming, where "destructive and ambiguous actions require human approval" and a human tester reviews every dynamic test. This confirms that autonomy is partial and supervised, not substitutive.

"We've crossed what's increasingly called the Mythos threshold, the point at which AI models became capable enough to discover and weaponize vulnerabilities autonomously." — Gartner report framing, via Help Net Security

The Market Numbers: From Annual Cycle to Continuous Business Process

Omdia research, conducted among 400 professionals and cited by BusinessWire, provides a quantified snapshot of the transition. 53% consider traditional pentesting obsolete by the time the report is delivered. 58% already use PTaaS (Penetration Testing as a Service), the most adopted offensive security model. 88% plan increased offensive security spending over the next 12 months, with 23% forecasting significant increases. 60% of analysts expect to shift from execution to supervision of autonomous workflows.

The sharpest figure is 94%: nearly all organizations see value in keeping humans in the loop for offensive security programs. This invalidates the "automation-only" narrative and explains why COST is an orchestration framework, not a replacement.

The effectiveness metrics Gartner reports for Picus — 92% reduction in SLA violations on high/critical vulnerabilities, doubling of control effectiveness within three months, 98% reduction in critical-ticket backlog — are vendor-supplied data not independently verifiable. The report does not explain the asterisk on the 98% figure, and the dossier does not allow verification of the methodology.

Why It Matters

The dossier does not specify compliance requirements or regulatory frameworks that make COST mandatory: Gartner positions it as a strategic recommendation, not a standard. The source also does not clarify whether the Picus metrics are generalizable or limited to a self-reported customer sample.

The brief does not document details on COST framework implementation costs, nor typical deployment timelines for transitioning from an annual to a continuous model. No infrastructural overlaps emerge linking Rapid7's multi-agent architecture to Picus AEV at present: they are separate implementations, both consistent with the Gartner framework but not integrated with each other.

The meaning of the asterisk on the "98% smaller critical-ticket backlog*" metric is not explained in the dossier. The exact publication date of the Gartner report is also unknown: the Help Net Security article is dated July 8, 2026, but the original report may have been released on a different date.

For the enterprise reader, the relevant point is that COST requires pre-existing process maturity. Organizations without a unified sensing layer or integration with DevSecOps/CTEM risk implementing an incomplete framework, where orchestration remains manual and the continuous loop breaks at the first alert.

Frequently Asked Questions

Does COST completely replace traditional penetration testing?
No. The Gartner framework repositions it as a component of a larger system, not eliminating it. Pentesting retains utility for limited scope and depth of analysis, especially where practical demonstration of exploitability is required.

What is the difference between autonomous pentesting and TTP-chain validation?
Autonomous pentesting uses AI agents to execute live exploits, covering the roughly 10-15% of assets where detonation is acceptable. TTP-chain validation tests exploitability by inference, without execution, for the remaining 85-90%.

Is the COST framework mandatory for compliance?
The dossier does not document regulatory requirements or certifications that make COST mandatory. It is a Gartner recommendation, not an industry standard.

Information is based on cited sources and current as of publication.

Sources


Sources and references
  1. helpnetsecurity.com
  2. rapid7.com
  3. cyberscoop.com
  4. nvd.nist.gov
  5. securityboulevard.com
  6. businesswire.com
  7. picussecurity.com