Case Study: Evinova Delivers Continuous Product Security Assurance at Enterprise Velocity in Life Sciences

Industry: Healthtech and Life Sciences Technology
Organization: Evinova (AstraZeneca Group)
Security Leadership: Adeeb Mahmood, Head of Cybersecurity
Product: Terra Security Continuous Pentesting

Background

Evinova is a global healthtech business within the AstraZeneca group, delivering digitally enabled solutions that support the entire clinical development lifecycle. Its platforms empower sponsors, sites, and contract research organizations to design, execute, and manage clinical research more effectively.

Operating at the intersection of modern software development and pharmaceutical rigor, Evinova must balance speed, innovation, and usability with the trust and assurance required by regulators, healthcare partners, and global customers.

Security Leadership in a Regulated, High-Velocity Environment

As Head of Cybersecurity, Adeeb Mahmood is the senior-most accountable leader for Evinova’s cybersecurity program. His remit includes policy-setting, operational oversight, routine audit, and incident management, leading a global team responsible for safeguarding the confidentiality, integrity, and availability of Evinova’s information assets.

Reporting to Evinova’s Chief Technology Officer, Adeeb’s role requires aligning cybersecurity with business velocity while meeting stringent regulatory and compliance expectations across multiple jurisdictions.

The Challenge: Trust and Assurance at Development Speed

For Evinova, cybersecurity is inseparable from customer trust. The company must demonstrate strong, continuous product security assurance to highly regulated customers, without slowing down engineering teams or delaying innovation.

Adeeb Mahmood, Head of Cybersecurity spoke with us, sharing that, “We’re needing to provide trust and assurance to very regulated customers. By leveraging the Terra platform, we’re able to demonstrate much more rigorous product security assurance because we’re meeting the velocity of our developers. That near real-time pentesting gives us security feedback very early, rather than after the product’s already been released.”

Traditional, point-in-time penetration testing models struggle in this environment. Annual or quarterly assessments are misaligned with continuous delivery and offer limited value against rapidly evolving threats.

Continuous Security as a Daily Operating Rhythm

Evinova approaches penetration testing and vulnerability validation as a continuous function, embedded into the daily heartbeat of the organization.

“I’m not doing vulnerability management or pentesting because the calendar says it’s time. I’m doing it as part of our daily heartbeat,” says Adeeb.

This approach allows Evinova’s security team to shrink the time between detection and remediation, a critical requirement in an era where vulnerabilities can move from disclosure to active exploitation within days.

By receiving security feedback early and continuously, development teams can address issues while changes are still manageable, rather than reacting after risk has already propagated.

A Telemetry-Driven “Immune System” Model

Evinova frames cybersecurity as an enabling system for the business, not a blocking function.

“At Evinova, we think of cybersecurity as the immune system of the company. It responds proportionally, at the right time, and in the right places,” says Adeeb.

Rather than over-testing indiscriminately or reacting too late, Evinova relies on telemetry and validated security signals to guide where effort is applied. Continuous penetration testing provides the data needed to prioritize remediation, optimize resource allocation, and maintain resilience without unnecessary disruption.

Assurance Across a Complex Compliance Landscape

Evinova operates across multiple regulatory and compliance frameworks, including ISO 27001, SOC 2, and regional data protection requirements. Customers and auditors expect evidence that security controls are continuously validated and actively managed.

By embedding continuous penetration testing into its security program, Evinova can demonstrate that assurance is not driven by annual audits or static checklists, but by ongoing validation aligned with how the business actually operates.

Takeaway

Evinova’s experience illustrates how healthtech organizations embedded within global pharmaceutical ecosystems can reconcile enterprise-grade assurance with modern software velocity. By treating penetration testing as a continuous capability rather than a periodic event, Evinova aligns cybersecurity with development speed while maintaining the rigor required by regulators, customers, and partners worldwide.