CEGID is a Lyon-headquartered conglomerate of software companies operating across critical sectors handling deeply sensitive customer data. Listed on Euronext, it serves enterprises across Europe and beyond.
André leads SecOps for CEGID's infrastructure across Portugal, Spain, and Africa, covering more than twenty companies inside the group, each with its own products, teams, and exposure.
Why annual pentests stopped working
After five years running CEGID's offensive security programme, André reached a conclusion that has since become consensus across mature security teams: annual, checklist-based pentesting cannot defend a multi-company group whose products ship code every week.
He tried other approaches and ran into a familiar wall: false positives, often in the thousands. The signal-to-noise ratio was unworkable. Real exploitable risks got buried under flagged versions and theoretical issues.
He needed three things at once: full visibility across 20+ company surfaces, validation of what attackers could actually exploit, and a velocity that matched the product teams shipping into production.
Continuous AI pentesting plus elite human events, one platform
CEGID deployed Ethiack across the group. Hackian runs continuous, autonomous pentesting against more than 2,000 exposed assets, validating exploitability and surfacing prioritised risk to the security and product teams in real time. Ethiack's elite ethical hackers run in-depth events on the most critical assets, where human creativity uncovers the chained, business-logic attacks that automation alone can miss.
The numbers speak for themselves: under 0.5% false positives, real-time prioritisation across 20+ companies, and over €12M in prevented cybersecurity risk.
The way Ethiack incorporates EASM with Automated Pentesting has brought us simplicity and proactivity in solving large-scale problems. As a group with so many exposed assets, doing this work manually was simply impossible. The main transformation was gaining a complete view on our surface, which we previously lacked. What we have publicly exposed, their vulnerabilities, and our impact in the cyberspace.
CEGID now runs an offensive security programme that scales with the group, not against it.
