Digi.no featured River Security, myself and Magnus Holst, on a theme close to why we started the company: Når pentest ikke er nok: dette lar oss spille samme sport som kriminelle hackere (in Norwegian, subscription).
The argument is simple. A traditional penetration test is a snapshot, usually once a year, of a scope you defined in advance. Attackers do not work that way. They probe continuously, they do not respect your scope, and they only need to be right once. If you test annually and they test daily, you are not playing the same sport.
Continuous testing and attack surface management close that gap. You watch your real, changing exposure the way an adversary does, all the time, and you act on what shows up rather than waiting for the next scheduled engagement. That is how defenders get onto the same field as the people actually trying to break in, instead of reviewing the game a year after it was played.