Key Insights from the 2025 State of Pentesting Report


May 20, 2025 | The Hacker News | Penetration Testing / Risk Management

In the newly released 2025 State of Pentesting Report, Pentera surveyed 500 CISOs from global enterprises (200 from across the USA) to understand the strategies, tactics, and tools they use to handle the thousands of security alerts, the persisting breaches and the growing cyber risks they have to deal with. The findings reveal a complex picture of progress, challenges, and a shifting mindset about how enterprises approach security testing.

More Tools, More Data, More Security… No Guarantees

Over the past year, 45% of enterprises expanded their security technology stacks, with organizations now managing an average of 75 different security solutions.

Yet despite these layers of security tools, 67% of U.S. enterprises experienced a breach in the past 24 months. The growing number of deployed tools has several effects on the daily operations and the overall cyber posture of the organization.

Although it seems obvious, the findings tell a clear story: more security tools do mean a better security posture. However, there is no silver bullet. Among organizations with fewer than 50 security tools, 93% reported a breach. That share steadily declines as stack size increases, dropping to 61% among those using more than 100 tools.

Alert Fatigue Is Real

The flip side of larger security stacks is that CISOs and their teams must cope with a much larger influx of information. Enterprises managing over 75 security solutions now face an average of 2,000 alerts per week, double the volume seen by organizations with smaller stacks, and those with over 100 tools receive over 3,000 (3x the alerts).

This in turn puts far more emphasis on effective prioritization; otherwise, critical threats may get buried in a sea of alerts. In this environment, where alert volumes are high and time to triage is short, organizations benefit most when they can frequently test for exploitable gaps, so that they know which issues really matter before threat actors find them first.

Software-Based Pentesting Gains Ground

Trust in software-based security testing is growing rapidly. Only 5-10 years ago, many enterprises would never have permitted automated tools to run pentests in their environments for fear of causing outages, but sentiment is changing.

As CISOs continue to recognize the advantages of software in scaling adversarial testing and keeping pace with constantly changing IT environments, software-based pentesting is becoming the standard. Over half of enterprises now use these tools to support in-house testing, driven by trust in their reliability and the need for scalable, continuous validation strategies. Today, 50% of CISOs cite software-based pentesting solutions as their primary method for uncovering exploitable gaps.

Insurance Providers Become Unexpected Influencers

Beyond internal management and Boards of Directors, a surprising new force is shaping security strategy: cyber insurance providers. 59% of CISOs admitted that they have implemented at least one cybersecurity solution that they were not previously considering because of their cyber insurers. This is a clear sign that insurers are not just pricing risk, they are actively prescribing ways to reduce it, and reshaping enterprise security priorities in the process.

Low Confidence in Government Support

While government agencies like CISA (in the US) and ENISA (in the EU) play an important role in threat visibility and coordination, confidence in government cybersecurity support is surprisingly low.

Only 14% of CISOs believe the government is adequately supporting the private sector's cyber challenges, while 64% feel that government efforts, though acknowledged, are insufficient. 22% believe that they cannot rely on the government at all for cybersecurity support.

To benchmark your organization's pentesting practices, budgets, and priorities against other global enterprises, register for the webinar on May 27, 2025, where senior security analysts will discuss the key findings. Alternatively, get the full 2025 State of Pentesting Report and see all the insights for yourself!

Note: This article was written and contributed by Jay Mar Tang, Field CISO at Pentera.