73% of enterprises report changes to their IT environments at least quarterly while only 40% pentest at the same frequency

BOSTON, April 16, 2024 – Pentera, the leader in automated security validation, today released the results of its third annual industry survey: The State of Pentesting 2024. The report provides a snapshot of how security leaders in enterprises across the globe have adopted security validation strategies across their organizations over the past year.

Threat actors are continuing to successfully breach across the entire attack surface and the stakes are only getting higher: 93% of enterprises who admitted a breach reported unplanned downtime, data exposure, or financial loss as a result.

Enterprises are continuing to prioritize pentesting as part of their security tool kit, accounting for an average of $164,400, nearly 13% of their total IT security budgets. The main drivers and uses for pentesting programs continue to be validating security controls’ efficacy, understanding potential attack impact and prioritizing security investments. Over 50% of CISOs report that they share the results of pentest assessments with their leadership teams as well as their Boards of Directors, using these reports as a tool to communicate cybersecurity risk both within and outside their organizations.

Other highlights from the report include:

  • Security testing is struggling to keep pace with organizational IT change rates: 73% of enterprises report changes to their IT environments at least quarterly, however only 40% report pentesting at the same frequency. This underscores a serious frequency gap between the rate at which changes occur within the IT infrastructure and the rate of security validation testing, leaving organizations open to risk for extended periods of time.
  • Security teams are falling behind the rate of security issues: Over 60% of enterprises report a weekly minimum of 500 security events that require remediation. Becoming “patch perfect” is an unfeasible, if not impossible, target for organizations. What’s more, organizations are even more resource constrained than before. In 2023, only 21% of respondents reported a lack of internal resources for remediation as a barrier to pentesting, while this year the number has leaped to 36%.
  • More security technology does not guarantee security: Organizations are adopting a greater number of cybersecurity solutions to manage their risk. On average, enterprises already have 53 security solutions in use across their organization, however, despite large security stacks, 51% of enterprises reported a breach over the past 24 months

“The results of our latest report are indicative of the increasing infrastructure complexity of organizations today and the rising challenges that security teams face along with it. Close to a third of CISOs who cited a breach reported financial loss and data exposure, while 43% reported unplanned downtime as a result of the breach,” said Jason Mar-Tang, Field CISO at Pentera. “Attack surfaces are more dynamic than ever and resources are limited, making it even more critical for organizations to proactively validate their risk exposure with accuracy and pinpoint exploitable gaps across the complete attack surface.”

Pentera surveyed 450 CISOs, CIOs, and IT security leaders at enterprise companies with more than 1,000 employees across the Americas, EMEA, and APAC to compile this report. Click here to read the full report.

Register for our upcoming webinar on April 30 with Matt Bromiley, SANS Instructor and Jay Mar-Tang, AVP, Field CISO at Pentera to learn more.