Key Insights from the 2025 State of Pentesting Report

Posted on By CWS

Could 20, 2025The Hacker NewsPenetration Testing / Danger Administration
Within the newly launched 2025 State of Pentesting Report, Pentera surveyed 500 CISOs from world enterprises (200 from throughout the USA) to know the methods, techniques, and instruments they use to deal with the hundreds of safety alerts, the persisting breaches and the rising cyber dangers they should deal with. The findings reveal a fancy image of progress, challenges, and a shifting mindset about how enterprises method safety testing.
Extra Instruments, Extra Information, Extra Safety… No Ensures
Over the previous yr, 45% of enterprises expanded their safety know-how stacks, with organizations now managing a mean of 75 completely different safety options​.
But regardless of these layers of safety instruments, 67% of U.S. enterprises skilled a breach up to now 24 months​. The rising variety of deployed instruments has just a few results on the every day operation and the general cyber posture of the group.
Though it appears apparent, the findings inform a transparent story – extra safety instruments do imply higher safety posture. Nonetheless, there is no such thing as a silver bullet. Amongst organizations with fewer than 50 safety instruments, 93% reported a breach. That proportion steadily declines as stack measurement will increase, dropping to 61% amongst these utilizing greater than 100 instruments.
Alert Fatigue Is Actual
The flip aspect of bigger safety stacks is that CISOs and their groups should take care of a a lot bigger inflow of knowledge. Enterprises managing over 75 safety options now face a mean of two,000 alerts per week — double the amount in comparison with organizations with smaller stacks, and people with over 100 instruments obtain over 3000 (3x the alerts).
This in flip, places far more emphasis on efficient prioritization, in any other case, important threats could get buried in a sea of alerts. On this atmosphere, the place alert volumes are excessive and time to triage is brief, organizations profit most once they can incessantly check for exploitable gaps, in order that they know which points really matter earlier than menace actors discover them first.
Software program-Primarily based Pentesting Positive factors Floor
Belief in software-based safety testing is rising quickly. Solely 5-10 years in the past, many enterprises would by no means have permitted automated instruments to run pentests of their environments for worry of inflicting outages, however sentiment is altering.
As CISOs proceed to acknowledge some great benefits of software program in scaling adversarial testing and protecting tempo with consistently altering IT environments, software-based pentesting is turning into the usual. Over half of enterprises now use these instruments to assist in-house testing, pushed by belief of their reliability and the necessity for scalable, steady validation methods. Immediately, 50% of CISOs cite software-based pentesting options as their major methodology for uncovering exploitable gaps​.
Insurance coverage Suppliers Develop into Surprising Influencers
Past inside administration and Boards of Administrators, a stunning new power is shaping safety technique: Cyber insurance coverage suppliers. 59% of CISOs admitted that they’ve carried out at the least one cybersecurity resolution that they weren’t beforehand contemplating because of their cyber insurers. It is a clear signal that insurers aren’t simply pricing threat, they’re actively prescribing methods to cut back it, and reshaping enterprise safety priorities within the course of.​.
Low Confidence in Authorities Help
Whereas governmental businesses like CISA (within the US) and ENISA (within the EU) play an essential function in menace visibility and coordination, confidence in authorities cybersecurity assist is surprisingly low.
Solely 14% of CISOs imagine the federal government is sufficiently supporting the personal sector’s cyber challenges​, whereas 64% really feel that authorities efforts, although acknowledged, are inadequate​. 22% imagine that they can not depend on the federal government in any respect for cybersecurity assist.
To benchmark your group’s pentesting practices, budgets, and priorities towards different world enterprises, register for the webinar on Could 27, 2025 the place senior safety analysts will focus on the important thing findings. Alternatively, get the total 2025 State of Pentesting Report and see all of the insights for your self!Notice: This text was written and contributed by Jay Mar Tang, Subject CISO at Pentera.

Discovered this text fascinating? This text is a contributed piece from certainly one of our valued companions. Comply with us on Twitter  and LinkedIn to learn extra unique content material we publish.

The Hacker News Tags:, , , ,

Related Posts

Malicious Go Modules Deliver Disk-Wiping Linux Malware in Advanced Supply Chain Attack The Hacker News
Zero-Day Exploits, Developer Malware, IoT Botnets, and AI-Powered Scams The Hacker News
Security Tools Alone Don’t Protect You — Control Effectiveness Does The Hacker News
Google Rolls Out On-Device AI Protections to Detect Scams in Chrome and Android The Hacker News
A Technical Gap Analysis of Last-Mile Protection The Hacker News
Malicious npm Packages Infect 3,200+ Cursor Users With Backdoor, Steal Credentials The Hacker News