Global Trends in Penetration Testing 2023

07 Jun 2023
Book your demo now >
Chen Tene Pentera VP of Customer Operations
Back to top

In the past 24 months, more than 88% of organizations have been breached

That’s right: almost nine out of ten companies were hacked. Considering that organizations utilize an average of 44 security solutions to protect their IT environments this number is alarming. 

The way enterprises handle such security threats is impacted by global trends, from the economic slowdown to the growing awareness of cyber risks and threats. Additional trends, like the emergence of satellite security practices such as cyber insurance, are also influencing security strategies. 

So how are these global changes affecting security validation and pentesting practices?

We attempt to answer this question in our new report (conducted by Global Surveyz Research). Based on a comprehensive survey of 300 security executives from the US, UK and West Europe, at VP or C-level positions, who work at companies with more than 1,000 employees, the report paints an overarching picture of the state of pentesting.

Our key findings include:

  • Organizations are still experiencing high rates of breaches
  • Pentesting is no longer just about regulatory compliance
  • The percentage of companies with In-house Red-Teams is on the rise

To read the complete report with all the details, click here.

Let’s take a closer look at these findings.

Rising IT Security Budgets Despite Economic Slowdown

Despite the economic slowdown, caused by global supply chain shortages following the pandemic and the ongoing conflict in Ukraine, companies can’t be complacent about their cybersecurity. A recent report by Check Point Research (CPR), found that cyberattacks have risen by 38% in 2022 compared to the previous year, with an average of 1,168 weekly attacks per organization being recorded.

These results align with our findings, that in the past two years, a shocking 88% of organizations have reported being compromised by a cyber incident, and the trend shows no signs of slowing down. With budgets being cut across the board, it’s crucial that cybersecurity remains a top priority. 

But, there is a glimmer of hope amidst the uncertainty. Our research shows some promising findings: 92% of organizations are raising their IT security budgets and 86% are raising their pentesting budgets. Approximately a third of respondents plan to increase these budgets by more than 10%. 

It seems that the issue of security is taken seriously and that the value CISOs and security experts are bringing to the table is recognized and appreciated.

The Changing Landscape of Pentesting: Insights from the Latest Report

Not too long ago, if you were to ask a security executive what was the top reason for conducting pentesting, they’d tell you it was meeting regulatory compliance. Checking the boxes was common practice among many CISOs, however today, we’re seeing an evolution from regulatory-driven to security-driven practices. Our report finds that the top motivators for pentesting according to security executives are:

  • The need for security control and validation
  • Satisfying cyber insurance requirements
  • As a means for assessing the potential damage of an attack

This shift in drivers and triggers for pentesting is a clear sign of the growing maturation within the cybersecurity industry and the growing understanding of the value the adversarial perspective brings. Security executives are now relying on pentesting as part of their strategies and plans.

Another interesting trend is the emergence of cyber insurance as a pentesting driver. In our 2020 survey, only 2% of respondents mentioned cyber insurance as a decision making factor for pentesting and that number has jumped to 36% today. This correlates to what we’ve seen with our customers, who are more conscious of cyber insurance requirements than ever before. 

The Role of Automation in Pentesting for Business Continuity

Security executives are dealing with a lot of risk, but one that they’re particularly worried about is the risk to business continuity.

With the continual updates in software and applications, pentesting should also take place frequently to ensure coverage and relevance. Yet, 45% of respondents who conduct pentesting are alarmed by the potential risk to business applications or network availability when pentesting. This prevents them from increasing their pentesting frequency. Another barrier to increasing pentesting rates is the lack of manual pentesters.

Organizations want to test more, but lack the tools needed for such frequent testing.

This is why automation is so important: it allows you to test an infinite number of scenarios without putting your network at risk.

The Benefits of Continuous Pentesting with Automation

Despite the growing need for pentesting, some organizations are still struggling to get the job done. According to our survey, only 15% of organizations run automated pentesting. 39% run manual tests on their own and 42% use a third party service. 18% don’t run pentests at all.

Pentesting automation can help bridge these gaps. Automation enables continuous pentesting in an efficient manner since it does not rely on manual testers and it can run swiftly to avoid business disruption.

There is even more room for optimism. By the end of 2023, nearly all, 96%, of security executives are expected to have an in-house red team. 67% already have one and 29% plan to. These teams can also help increase pentesting scope and velocity.

Defense-in-Depth: Is it Still the Best Strategy?

When it comes to cybersecurity, defense-in-depth is still the most widely used strategy. 92% of organizations utilize this approach, with only 6% of organizations having less than 10 security tools in place. 

Yet, the prevalence of cyber attacks shows that this strategy, or the way it is implemented, is not effective. Pentests, for example, are carried out by most organizations only once a quarter, at best. Half of organizations run pentests only once or twice a year.

This means that most organizations are not testing their defenses enough to know whether their security strategies are effective.

This is why we created this report: so you can learn about how other companies are dealing with these issues and how you can adjust your own security strategies to modern digital needs. 

We hope that our State of Pentesting 2023 Report helps guide your decisions as you determine how best to increase your security posture and transform your stack into something more relevant and effective for today’s digital world.

Read the entire report here.

Subscribe to our newsletter

Find out for yourself.

Begin your journey in security validation and see why leading companies trust us with their cybersecurity validation.

Start with a demo
Related articles

Create Stronger Passwords with These 5 Tips

Would you believe if I told you that you 81% of data breaches worldwide are caused by hacked passwords? This statistic provided by Verizon Data Brea...

Top Ingredients for a Winning Startup

“He shoots, he scores!” I still hear the sports announcer’s excitement coming across the loudspeaker -- in my high school basketball court days. ...

Comparing Cyber Warfare to Chess Strategies

In cyber warfare, like in chess, the game outcome is not determined by a single exploit (or move), but rather by a patient silent-predator strategy....