New The 2026 Continuous Validation Methodology Paper is now available. Read the paper →

FAQ.

What is continuous pentesting?
Continuous pentesting is adversarial validation that runs on every release, infrastructure change, or scheduled cadence, instead of the once-a-year project model. It chains real exploit techniques across the full attack surface (web, APIs, cloud, identity, binaries, internal network) and delivers exploit-proven findings within hours, not weeks. The goal is to keep the gap between code change and supervisory evidence as short as possible: every finding ships with a reproducible proof-of-concept, business impact, and remediation plan that maps to NIS2 / DORA / KRITIS / TISAX controls.
What is the difference between pentesting and vulnerability scanning?
A vulnerability scanner (e.g. Nessus, Qualys, Greenbone) checks assets against a database of known CVEs and misconfigurations, then prints a list. Typically thousands of findings, mostly noise, no exploit context. A penetration test chains those findings into real attack paths: it proves whether a vulnerability is actually exploitable in your environment, escalates privileges, moves laterally, and reaches the data or systems an adversary would target. Scanners answer "what could be wrong"; pentests answer "what an attacker can actually do today". Auditors under NIS2, DORA, and KRITIS explicitly distinguish the two.
Where is VORNAC data stored?
All customer data (test configurations, raw findings, proof-of-concept evidence, reports, audit logs) is processed and stored exclusively in German data centres operated by German providers, under German jurisdiction. Not the EU at large: Germany specifically. No subprocessors outside Germany. No US Cloud Act exposure. The processing complies with GDPR and BDSG by default, not on request. This is one of the reasons regulated customers under DORA / KRITIS / NIS2 / TISAX choose VORNAC: ICT third-party risk obligations on data residency are met without contractual workarounds.
What reports does VORNAC deliver for audits?
Every test cycle produces a single audit-ready report that is admissible under all relevant European frameworks: TISAX, KRITIS, NIS2, DORA, BaFin VAIT/BAIT, ISO/IEC 27001. No separate per-framework export, no re-formatting. The report goes straight into the audit binder.
What is NIS2 and who is affected?
The NIS2 Directive (EU 2022/2555) is the EU framework for cybersecurity across essential and important entities. It expands the scope from NIS1 to roughly 100,000 organisations in sectors like energy, transport, healthcare, water, digital infrastructure, public administration, manufacturing, food, postal services, chemicals, research, and digital providers. NIS2 mandates risk management, incident handling, supply-chain security, and effectiveness testing. Member states transposed NIS2 into national law (in Germany: NIS2-Umsetzungsgesetz); management bodies are personally liable for compliance.
What is DORA and who is affected?
The Digital Operational Resilience Act (DORA, EU Regulation 2022/2554) sets binding ICT risk-management, incident-reporting, resilience-testing and third-party-risk obligations for the financial sector across the EU. It applies to banks, payment and e-money institutions, investment firms, insurance and reinsurance undertakings, asset managers, crypto-asset service providers, and the critical ICT third-party providers that serve them. DORA has been in full effect since 17 January 2025. Supervisors expect demonstrable evidence, not policy documents alone.
What is KRITIS and who is affected?
KRITIS is the German regulatory category for critical infrastructure operators, defined in the BSI-KritisV ordinance. It covers nine sectors (energy, water, food, IT and telecommunications, healthcare, finance and insurance, transport, public administration, media and culture) whenever an operator exceeds the sector-specific threshold (e.g. 500,000 supplied citizens). KRITIS operators must implement state-of-the-art security, register with the BSI, report significant incidents within hours, and provide auditable evidence every two years. NIS2 broadens this further to all essential and important entities.
What is TISAX and who is affected?
TISAX (Trusted Information Security Assessment Exchange) is the information-security assessment scheme of the German automotive industry, managed by the ENX Association and based on the VDA ISA catalogue. Automotive OEMs (VW, BMW, Mercedes-Benz, Audi, Porsche, etc.) and many Tier-N suppliers require TISAX from their partners as a contractual prerequisite, typically before any prototype data, personal data, or connected-vehicle data is exchanged. Assessment levels range from AL1 (self-assessment) to AL3 (on-site audit by an accredited audit provider). Labels are valid for three years.
What are BaFin VAIT and BAIT?
VAIT (Versicherungsaufsichtliche Anforderungen an die IT) and BAIT (Bankaufsichtliche Anforderungen an die IT) are the German Federal Financial Supervisory Authority's (BaFin) circulars that translate broader IT-governance principles into concrete supervisory expectations for insurers (VAIT) and banks/financial-services institutions (BAIT). They cover IT strategy, IT governance, information-risk management, identity and access management, IT projects, IT operations, outsourcing, and IT continuity. Since DORA's entry into force, VAIT/BAIT continue to apply as the German national specification layered on top of the EU framework.
What is TLPT and when is it required?
Threat-Led Penetration Testing (TLPT) is an intelligence-driven red-team exercise on a financial entity's live production systems, scoped against realistic adversary tradecraft. Under DORA and the TIBER-EU framework, TLPT is mandatory for designated financial entities (typically banks, insurers and market-infrastructure providers above a supervisory materiality threshold) at least every three years. Tests must be conducted by independent, accredited testers; the scope, threat intelligence, and results are reviewed by the competent authority (in Germany: BaFin / Deutsche Bundesbank).
How much does continuous pentesting cost?
VORNAC is licensed per target system, not per engagement and not per pentest. The fee depends on the number of in-scope systems, independent of their complexity, and includes unlimited test runs over the contract period: every release, every infrastructure change, on-demand via web interface or API. You are not buying a pentest; you are buying continuous security for each system in scope. Compared to manual annual pentests, customers report up to 75% lower external testing cost while running tests every week instead of once a year. We share a concrete quote after a 30-min intro call, which you can book on our website.
What qualifications do my VORNAC points of contact hold?
Every named contact at VORNAC is a working offensive-security practitioner, not an account manager handed a pentest deck. Each pentester holds at least one credential from OSCP (Offensive Security Certified Professional), OSEP (Experienced Penetration Tester), CISSP (Certified Information Systems Security Professional), or BSI-recognised competence credentials, plus practical experience across regulated industries. Triage, scope discussions, and remediation calls go straight to someone who has done the work. Auditors see credentials they already trust on the engagement record.
How does VORNAC integrate with CI/CD pipelines?
Pentests can be triggered from any CI/CD system via webhook on commit, merge, deploy, or scheduled jobs: GitHub Actions, GitLab CI, Jenkins, Azure DevOps, Bitbucket Pipelines, CircleCI. Findings are pushed back into the developer's ticketing system (e.g. Jira) with severity, reproducible proof-of-concept, and remediation guidance, so engineering teams treat them as regular development tickets. The result: validated security feedback in the same pipeline that already ships the code, no separate engagement-scoping or consultant-calendar friction.

Question we didn’t answer? Book a 30-minute call with the VORNAC team.