October’s Cyber Security awareness month is a timely prompt for organisations to reassess how resilient they are against fast-evolving threats. Too often, security becomes a priority only after an incident—events that frequently could have been mitigated through earlier, targeted action. The consequences remain severe: operational disruption, reputational damage, and regulatory penalties.
Traditional penetration testing offers a view of weaknesses at a single point in time. It is a practical and hands-on technical exercise compared to a traditional audit, but its scope is inherently focused on specific systems, networks, or applications. Today’s material risks stretch beyond software flaws to include process gaps, human behaviour, and third-party dependencies.
Advanced security testing addresses this gap. The most well-known form is the red team assessment - an exercise that unfolds over several weeks or even months, requiring careful planning and coordination. The payoff is a richer understanding of how an adversary could compromise a business and how well defences hold up under pressure. A formalised variant, Threat-Led Penetration Testing (TLPT), is now mandated by the Digital Operational Resilience Act (DORA) for systemically important financial institutions once every three years. TLPT uniquely incorporates threat intelligence to tailor scenarios to the organisation, taking into account active threat actors, tactics and techniques, geopolitical context, and regional nuances.
Technology alone cannot stop every attack. The World Economic Forum’s Global Cybersecurity Outlook 2025 notes that 42% of organisations experienced phishing or social engineering incidents last year. These attacks exploit human psychology, proving that a single misstep can bypass even strong controls. Advanced testing mirrors this reality, measuring the ability to detect, respond, and recover during a credible attack simulation. It helps technology and business leaders answer the questions that matter: Would we withstand a ransomware event or the exfiltration of sensitive data? How resilient are we if a major cyber incident hits us?
Penetration testing benefits any organisation, particularly after major infrastructure changes or on at least an annual basis. Advanced security testing, however, is most relevant for regulated and high-maturity sectors such as financial services, iGaming, energy, manufacturing, healthcare, and other operators of critical infrastructure - industries that face sophisticated threats, complex attack surfaces spanning web and cloud applications, and a deep reliance on digital supply chains.
Advanced testing is increasingly reflected in frameworks and standards including DORA, NIS2, and ISO 27001, signalling a shift from checklist compliance to proactive risk management. As threat actors continuously adapt their methods, periodic audits alone are no longer sufficient.
At PwC Digital Services, we have built significant capability in advanced cybersecurity testing across sectors, investing in specialists who understand the technical detail, regulatory environment, and business priorities of local organisations. Ultimately, advanced testing is not about pass or fail; it is about building confidence, in the boardroom, with regulators, and with customers, that the business can withstand, adapt, and recover. As Malta’s digital economy accelerates, prioritising cybersecurity is essential to protect operations, safeguard customers, and support sustainable growth.