Technology
Jul 8, 2026
Technology


Most corporate security budgets are still built around a calendar that no longer matches how software actually gets made. A penetration test gets scoped in January, scheduled for March, and signed off by April, but the application it examined may look nothing like itself by June, once a cloud migration lands, a vendor integration ships, or an AI feature goes into production.
[For more news, click here]
Outpost24, a Stockholm-based cyber risk management firm with operations in the United States, United Kingdom, and Israel, is betting that this mismatch between fixed testing cycles and constantly shifting digital environments is one of the more solvable problems in enterprise security. This week the company introduced the next generation of CyberFlex, an application security program designed to move at the pace of the systems it protects.
For two decades, application security has largely run on an annual rhythm inherited from audit culture rather than engineering reality. A company hires a firm, agrees on a scope, and receives a report that reflects a single moment in time. The trouble is that modern organizations rarely stay still long enough for that snapshot to remain accurate. New digital services launch mid-quarter, acquisitions bring unfamiliar assets into the fold, and third-party integrations quietly expand what an attacker can reach. Security teams often end up defending an attack surface that has already outgrown the plan they built to protect it, a gap that artificial intelligence has only widened by accelerating both product development and the tools attackers use to probe for weaknesses.
Omri Kletter, Chief Product Officer at Outpost24, described the imbalance in blunt terms. “Security teams are being asked to defend dynamic environments, while many AppSec programs are still planned around fixed scopes and annual cycles,” Kletter said. “CyberFlex is designed to close that gap and set a new standard for modern application security. It gives organizations the visibility to understand what has changed, the expert validation to understand what matters, and the flexibility to shift investment as risk evolves.”
What separates the new CyberFlex from a conventional testing engagement is that it treats discovery, validation, and budget as parts of one continuous workflow rather than three separate purchases. The program combines external attack surface visibility, expert-led penetration testing delivered by EU-based, CREST-certified testers, advisory support, and a flexible budget model that lets organizations move spending across testing, validation, and advisory work without renegotiating a contract every time priorities shift. A unified platform connects automated scanning, risk prioritization, and expert validation in one place, so a security leader can see not just what changed in their environment but which of those changes actually matter.
The attack surface visibility layer is designed to track known, unknown, and shadow IT assets alike, using AI-driven risk insights to show how an organization's external exposure expands over time rather than relying on a periodic inventory that goes stale within weeks. Structured tiers let a company choose the level of expert guidance and testing intensity that fits its current maturity, then adjust as its program develops, while improved reporting and dashboards are built to help security teams translate technical findings into language that executives, boards, and auditors can act on.
The clearest signal that a product change matters usually comes from the people who have to live with it day to day, and RS Group, the London-listed industrial and electronics distributor, is among the existing CyberFlex customers preparing to adopt the newest capabilities. Rebecca Wensley, Head of Security Operations at RS Group, said the program has changed how her team connects day-to-day testing work to the risks that actually matter to the business.
“CyberFlex has made it much easier to connect testing activity to real business risk,” Wensley said. “We get clearer visibility into our attack surface, expert validation where it matters most, and a more practical way to prioritize remediation and demonstrate measurable security progress to stakeholders.”
That last point, the ability to show measurable progress rather than a static report, is increasingly what separates a security program that satisfies a compliance checkbox from one that changes an organization's actual risk posture. Boards are asking sharper questions about cyber resilience than they were even two years ago, and a security leader who can point to a continuously updated view of exposure, rather than a document that was accurate on the day it was filed, has a materially easier conversation to have.
CyberFlex is not attempting to solve every problem in application security, and Outpost24 is careful not to claim that it does. What the program is aimed at is a narrower but persistent failure mode, the gap between when a plan is written and when the environment it describes has already moved on. By folding discovery, testing, advisory input, and budget flexibility into a single contract, the company is wagering that security teams would rather manage one continuously adapting program than reassemble a new scope every time their environment shifts underneath them.
Founded in 2001 and now operating fourteen offices worldwide, Outpost24 has built its reputation steadily rather than dramatically, expanding through acquisitions like its 2025 purchase of device-identity specialist Infinipoint and a fresh round of growth capital from Vitruvian Partners late last year. The next generation of CyberFlex is less a single dramatic feature than a consolidation of that steady expansion into a program built around a simple premise: security planning that assumes stillness will always be outrun by systems that never stop moving.
How Palo Alto Networks, IBM and Red Hat Are Closing the Gap Between Hackers and Defenders
Cybercrime Now Runs on Subscriptions and Supply Chains, According to a New Global Threat Ranking
Related Articles