| Developers: | Movetel, mt cloud |
| System launch date: | 2026/03/05 |
| Industries: | Information security |
| Technology: | TMS - Test Management System, Security Information and Event Management (SIEM) |
2026: Continuous Penetration Testing Launch
On March 5, 2026, the Russian cloud provider mt cloud announced the launch of Continuous Penetration Testing (CPT), a service for continuous security verification of externally facing IT infrastructure. The service allows companies to meet the requirements of FSTEC of Russia under the previously approved Methodology for assessing the criticality of vulnerabilities in software and in software-and-hardware systems, and to organize a comprehensive vulnerability management process.
Vulnerabilities and configuration errors on the external perimeter remain one of the key ways into an IT infrastructure. This risk has grown many times over: attacks have become massive and automated, and the infrastructure itself is distributed and complex. With microservices, DevOps practices, test environments and contractor access, the perimeter becomes more dynamic and harder to inventory. Under these conditions, occasional checks create only the illusion of security, and unresolved problems accumulate, turning threats into real incidents.
The market is shifting towards a model of regular, repeated validation of every domain and IP address. The CPT service moves control of the external perimeter to this continuous monitoring mode. Its architecture covers a full cycle of reconnaissance and attacks on the external perimeter:
- Network reconnaissance - asset discovery (Subfinder), recursive domain enumeration (Amass, dnsrecon) and a domain hijack check.
- Perimeter inventory - high-speed port scanning (Masscan, up to 1 million SYN packets/s), followed by service version detection (Nmap + custom probes).
- Search for technical vulnerabilities - running exploits (NSE, NASL), cross-checking against the NIST and CVEdetails databases, and testing for weak passwords (Hydra, Patator).
- Web application analysis - automatically building an application map (Katana), searching for directories (Dirsearch), analyzing the CMS (Magescan), checking security headers (Securityheaders), identifying the WAF, and searching for vulnerabilities using the OWASP Top-10 (ZAP) and Nuclei rule bases.
- Visualization - automatically taking screenshots of all active web services for a quick assessment of "live" entry points.
CPT automates external perimeter monitoring around the clock (24/7). The service finds all of the company's resources that are reachable from the Internet, checks open ports and monitors their compliance with the allowed list. It detects missing software updates and web framework configuration errors that lead to data leaks, and ranks vulnerabilities by severity. A full scan of all assets takes no more than 8 hours, regardless of the size of the infrastructure. The service automatically validates the vulnerabilities it finds and generates PoC scripts (scripts for curl, docker).
The validation process not only confirms that a vulnerability can be exploited in practice, but also minimizes the number of false positives. As a result, the report stops being a formal CVE list and becomes a clear working tool for the team.
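The open-port allowlist check described above can be reproduced for your own perimeter with a few lines of code. The following is an added example, not code from mt cloud or the CPT service: it assumes scan results in Masscan's list output format (`-oL`), and the sample records, the addresses and the `ALLOWLIST` structure are constructed for illustration. Beyond what the text describes, it also reports approved services that no longer answer.

```python
from collections import defaultdict

# Constructed sample in Masscan list format (-oL): state proto port ip timestamp
SAMPLE_SCAN = """\
#masscan
open tcp 443 203.0.113.10 1772700000
open tcp 22 203.0.113.10 1772700001
open tcp 443 203.0.113.11 1772700002
open tcp 6379 203.0.113.12 1772700003
# end
"""

# Hypothetical allowlist (assumption): ip -> approved (proto, port) pairs
ALLOWLIST = {
    "203.0.113.10": {("tcp", 443)},
    "203.0.113.11": {("tcp", 443), ("tcp", 80)},
}


def parse_scan(text):
    """Return {ip: {(proto, port), ...}} for every 'open' record."""
    found = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        # Skip comments, blank lines and malformed or non-open records.
        if len(fields) < 4 or fields[0] != "open" or not fields[2].isdecimal():
            continue
        found[fields[3]].add((fields[1], int(fields[2])))
    return dict(found)


def audit(found, allowlist):
    """Classify drift between what is exposed and what is approved."""
    report = {"unknown_host": [], "unapproved_port": [], "approved_but_closed": []}
    for ip, services in sorted(found.items()):
        if ip not in allowlist:
            report["unknown_host"].append((ip, sorted(services)))
            continue
        extra = services - allowlist[ip]
        if extra:
            report["unapproved_port"].append((ip, sorted(extra)))
    for ip, approved in sorted(allowlist.items()):
        missing = approved - found.get(ip, set())
        if missing:
            report["approved_but_closed"].append((ip, sorted(missing)))
    return report


if __name__ == "__main__":
    print(audit(parse_scan(SAMPLE_SCAN), ALLOWLIST))
```

Hosts that appear in the scan but not in the allowlist are reported separately from unapproved ports on known hosts, since the first usually points to an inventory gap and the second to a configuration change.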
| "Perimeter vulnerabilities and configuration errors are one of the main vectors of penetration into the IT infrastructure of companies. Regular scanning of the external perimeter allows you to quickly identify vulnerabilities and fix them before attackers exploit them. At the same time, scanning should keep up with changes in a rapidly changing infrastructure, provide complete coverage of the external attack surface using a single service and work correctly with domestic software and non-standard protocols. It is also important to confirm the vulnerabilities found and provide teams with detailed information related to them - then the report becomes a real working tool," said Viktor Vinogradov, director of information security at mt cloud.
|
