Continuous testing: pentests, red team exercises, bug bounty, automated DAST/SAST - Scope includes cloud infrastructure, APIs, mobile, supply chain - Testing integrated with SDLC (security testing in CI/CD pipeline) - Findings integrated with GRC platform and risk register - Metrics-driven: mean tim