There's a lot of debate about when to plug in penetration testing during the dev cycle.
Too early and things shift. Too late and fixes take forever.
What has actually worked in real-world projects — early testing with mock environments, just before staging, or post-production? And does anyone segment it by component (e.g., APIs, auth flows) or run smaller iterative tests instead of big-bang assessments?
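As an added illustration of the "smaller iterative tests segmented by component" option the question raises (example code, not from the original poster or any project), the script below is one slice of a pentest scoped to just the login/session component, written so it can run on every build rather than once at the end. ToyAuthService is a constructed in-memory stand-in for the service under test, with named defects so the checks have something to find; pointing the same checks at a staging deployment would mean replacing it with an HTTP client. The finding names and the 22-character token-length floor are assumptions chosen for this example.

```python
"""Component-scoped security checks for an auth flow (added example).

ToyAuthService is a constructed stand-in for the component under test.
`defects` names constructed weaknesses the checks are meant to catch; an
empty set is the hardened build.
"""
import hmac
import secrets


class ToyAuthService:
    MAX_FAILED = 5  # constructed lockout threshold for the toy service

    def __init__(self, defects=frozenset()):
        self.defects = set(defects)
        self.users = {"alice": "correct horse battery staple"}  # constructed user
        self.failed = {}    # user -> consecutive failed logins
        self.sessions = {}  # token -> user

    def login(self, user, password):
        if "no_lockout" not in self.defects and self.failed.get(user, 0) >= self.MAX_FAILED:
            return 429, None
        if hmac.compare_digest(self.users.get(user, ""), password):
            self.failed[user] = 0
            # "static_token" defect: same token on every login
            token = "session-1" if "static_token" in self.defects else secrets.token_urlsafe(32)
            self.sessions[token] = user
            return 200, token
        self.failed[user] = self.failed.get(user, 0) + 1
        return 401, None

    def me(self, token):
        if "no_auth_check" in self.defects:  # defect: protected endpoint never checks the token
            return 200, "anonymous"
        user = self.sessions.get(token)
        return (200, user) if user else (401, None)

    def logout(self, token):
        if "no_logout" not in self.defects:  # defect: logout leaves the session valid
            self.sessions.pop(token, None)
        return 204, None


def check_auth_flow(svc, user="alice", password="correct horse battery staple", attempts=20):
    """Run the auth-flow slice against `svc`; return a list of finding ids (empty = pass)."""
    findings = []

    # 1. A protected endpoint must reject missing and bogus tokens.
    if svc.me("")[0] == 200 or svc.me("not-a-token")[0] == 200:
        findings.append("unauthenticated-access")

    # 2. Session tokens must be fresh per login and not guessable.
    _, t1 = svc.login(user, password)
    _, t2 = svc.login(user, password)
    if t1 is None or t1 == t2 or len(t1) < 22:  # 22 urlsafe-base64 chars ~ 128 bits (assumed floor)
        findings.append("weak-session-token")

    # 3. Logout must actually invalidate the session.
    svc.logout(t1)
    if svc.me(t1)[0] == 200:
        findings.append("logout-does-not-invalidate")

    # 4. Repeated failures must be throttled; `attempts` is deliberately above any sane threshold.
    for _ in range(attempts):
        svc.login(user, "wrong-password")
    status, _ = svc.login(user, "wrong-password")
    if status != 429:
        findings.append("no-brute-force-throttling")

    return findings


if __name__ == "__main__":
    print("hardened:", check_auth_flow(ToyAuthService()))
    print("defective:", check_auth_flow(ToyAuthService({"static_token", "no_lockout"})))
```

Each check is independent of the others and takes milliseconds, which is what makes it cheap to run in CI after every change to the auth component, leaving the broader assessment before release to cover what these narrow checks cannot.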