Regular testing cadence (annual pentest + quarterly vulnerability scans) - Scope includes internal network, Active Directory, web applications - Testing methodology documented and aligned with standards (PTES, OWASP) - Findings tracked in vulnerability management platform with SLAs - Remediation ver