Over the past decade, the role of pentesting has changed dramatically. What was once a periodic compliance exercise is now a strategic practice, embedded in day-to-day operations and increasingly shaped by the adversarial perspective. Organizations are moving beyond reactive defenses, increasingly turning to proactive testing to identify their most critical exposures.

This evolution has been driven by a range of factors: the introduction of structured frameworks like Continuous Threat Exposure Management (CTEM), the need to meet expanding regulatory requirements, and the constant pressure to keep pace with adversaries who never stop refining their tactics.

This report answers those questions and more, providing a data-backed view into the current state of security validation – and how enterprises are adapting their strategies for what’s next.

For any feedback or inquiries, please contact [email protected] Wishing you a meaningful read

– The Pentera Market Research Team

While a broader security stack visibility of potential issues, it also increases operational complexity, making it harder to prioritize and respond to the most critical threats. Organizations with 11–50 security tools generate an average of 883 alerts per week. Enterprises with 76–100 tools face over 2,048 alerts weekly, while those with more than 101 tools see an average of 3,074 alerts.

Cyber insurance providers are driving security control technology adoption. In the US 59% of enterprises have implemented at least one cybersecurity solution at the request of their insurance provider. An additional 40% reported receiving recommendations for specific solutions.

Increasing complexity
of cyber infrastructure

As enterprise IT environments evolve – spanning cloud, on-prem, and hybrid infrastructures – security teams are integrating more security solutions to address diverse risks to distributed assets. Security infrastructure today is highly complex, with enterprises managing dozens – sometimes hundreds – of cybersecurity tools across their environments. On average, US enterprises report using 75 security solutions across their environments. 62% report operating more than 75 within their organization, while only 18% of organizations utilize 50 or fewer solutions.

While the number of security solutions tends to increase with organizational size, the difference is relatively modest. Enterprises with 3,000–4,999 employees report an average of 75 tools, compared to 79 tools in enterprises with over 10,000 employees.

Large stacks are growing larger

Already complex security ecosystems are continuing to grow. In the US, 45% of CISOs reported a year-overyear increase in the net number of tools within their security stacks. Nearly half reported no change, while only a small minority indicated a reduction. Consolidation has become a common theme in cyber industry conversations, but the data doesn’t support a contraction of security stacks. Our thoughts here are that as in many cases, the idea of consolidation is a desire among CISOs who would like to reduce complexity. It would be nice if feasible, but it appears that the majority of CISOs are not successful at shrinking their stacks. Another potential here is that consolidation may be taking the form of vendor unification. CISOs may be consolidating multiple separate solutions under platforms offered by larger players. So while the total number of solutions can rise, the vendor number will decrease. In effect, organizations may be reducing operational complexity (by streamlining vendor management and interfaces), not security complexity (the number of tools in play).

Cyber insurance providers are driving tool adoption

After years of rapidly rising premiums, cyber insurance rates have begun to stabilize. This shift is due in part to stricter underwriting practices and increased demands for improved cyber hygiene from insurers.

Given the frequency and cost of breaches, it’s no surprise that insurers are highly involved in shaping their clients’ security postures. 93% of CISOs report that their cyber insurance provider has either recommended or required the adoption of security solutions not previously in place.

In fact, 59% of organizations report implementing at least one security tool at the direct request of their insurance provider. Only 7% have never received such a recommendation or request from their cyber insurance provider.

Larger security stacks, fewer breaches yet no guarantees

Despite extensive cybersecurity stacks, breaches remain common. 67% of US enterprises reported experiencing a breach in the past 24 months.

Of those who agreed to provide details of their breach, 76% reported an impact on the confidentiality, integrity, and/or availability of their data. Only 24% reported no significant impact as a result of the breach. 36% reported unplanned downtime, while 28% cited financial loss.

There is a clear correlation between the size of the stack and the probability of a breach. Among organizations with fewer than 50 security tools, 93% reported a breach. That percentage steadily declines as stack size increases, dropping to 61% among those using more than 100 tools.

This suggests that while there is no panacea, deploying multiple layers of defense does indeed enhance resilience.

No surface is safe: Threats are spread across the entire attack surface

Organizations reported breaches across the attack surface, reinforcing a key reality: Threat actors are opportunistic. Rather than focusing on specific systems or vectors, they exploit any available entry point.

On an individual level, threat actors often have preferred techniques and favored parts of the attack surface. For example, APT29 (also known as Cozy Bear) is known for targeting cloud and identity infrastructure, relying heavily on living-off-the-land techniques and token theft rather than deploying traditional malware. FIN7, by contrast, operates with a very different MO – focusing attacks on Point-of-Sale (POS) systems, web-facing assets, remote access tools like RDP, and third-party vendors as initial access points.

But the broader threat landscape is far less predictable. It’s not just you against Cozy Bear or FIN7 – it’s you against the collective ingenuity of the global threat actor community. To defend effectively, organizations must be prepared for any type of attack, across any part of the attack surface.

Nearly a third of enterprises reported a compromise on their Web Facing Assets, reflecting the perception of their exposure and accessibility as “low-hanging fruit.” External attack surfaces were compromised at nearly twice the rate of internal networks and servers, which are generally better protected and harder to reach.

This emphasizes the importance of securing the perimeter – if the external surface isn’t protected, it becomes the easiest way in.

Question allowed more than one answer and as a result, percentages will add up to more than 100%

More tools, more alerts: Prioritization is more critical than ever

Enterprise IT and security teams are inundated with alerts. In the United States the average organization sees 2,000 alerts per week.

For the purpose of this survey and “alert” is defined as a security matter that requires a remediation action. Examples include, Vulnerability to be patched, Endpoint Isolation/Quarantine).

More security tools mean greater visibility and more data points to act on, but also more information to process. This places a greater necessity on the ability to prioritize alerts effectively and respond to what matters most.

If not managed well, the sheer volume of alerts can overwhelm security teams, delay response times, and allow critical threats to go unnoticed, leading to increased risk of breaches, operational disruption, or data loss.

Confidence in government cyber support is low

When asked about their confidence in the government’s role in aiding and protecting the private sector from cyberattacks, only 14% of US CISOs said they believe the government is truly doing its part to help protect the private sector. Another 64% of enterprises acknowledge government efforts, such as threat intelligence sharing and cybersecurity funding, but view these actions as insufficient.

Government agencies play an important role in shaping cybersecurity policy and enabling collaboration, but their structure and scale often limit their ability to move at the speed required by today’s rapidly evolving threat landscape. Initiatives like CISA’s Known Exploited Vulnerabilities (KEV) catalog have been valuable in promoting transparency and accelerating information sharing around high-priority threats, helping organizations focus on the vulnerabilities most likely to be used in real-world attacks. Still, the majority of enterprise CISOs recognize that while these efforts are helpful, securing the private sector is not something they can rely on government help for.

Pentesting: From compliance obligation to strategic value

While once seen primarily as a compliance requirement, pentesting has evolved into a core component of modern security strategy. Regulatory frameworks in many industries still mandate testing. PCI DSS 4.0.1, for example, requires any organization that stores, processes, or transmits payment card data to perform external and internal penetration testing at least annually, as well as after significant infrastructure changes. The presence of regulation will always compel testing, but many CISOs have moved beyond regulations and it no longer serves as a primary motivator for their testing practices.

For the third consecutive year, control validation and impact assessment have ranked among the top drivers for pentesting, highlighting the growing strategic importance of validation in security programs. Enterprises are also utilizing pentesting as a tool for due diligence to prepare for high-stakes business events like mergers and acquisitions.

Question allowed more than one answer and as a result, percentages will add up to more than 100%

Pentester availability and budget consciousness rise to the top

Despite the growing importance of continuous security validation, there are inhibitors preventing enterprises from growing their pentesting programs and pentesting frequency. This year’s data highlights the top inhibitors to more frequent testing, revealing a mix of resource constraints, operational risk concerns, and budgetary pressures.

Pentester availability remains one of the most consistent barriers. According to the World Economic Forum, there is a global shortfall of 4 million cybersecurity professionals. For the third consecutive year, the lack of available pentesters ranks among the top two obstacles to more frequent testing among our surveyed CISOs.

Budget constraints have emerged as a more prominent inhibitor in 2025. In the US, 44% of CISOs named budget as a key limiting factor, up sharply from 24% in 2024. As CISOs become more cost-conscious, snapshotstyle testing no longer aligns with the expectation for continuous assurance and evolving compliance requirements.

https://initiatives.weforum.org/bridging-the-cyber-skills-gap/home

Operational risk remains a relevant inhibitor, though its priority has declined. Disruption to business continuity was the top concern in 2023, ranked second in 2024, and now sits in third place. Nearly 30% of CISOs cite the risk of outages as a barrier to more frequent pentesting. This concern is especially pronounced in large enterprises, where 41% of CISOs at organizations with over 10,000 employees identify it as a key inhibitor.

Question allowed more than one answer and as a result, percentages will add up to more than 100%

The shift toward automated adversarial testing

While 33% of organizations still rely primarily on manual testing, many are moving toward automated approaches that offer greater scale and efficiency. Software-based pentesting and red teaming (50%) have become the most widely adopted proactive testing methods, with Breach and Attack Simulation (BAS) (37%) also gaining traction.

At the same time, traditional vulnerability scanning (46%) remains a staple in many security programs, with organizations continuing to rely on it to uncover exploitable security gaps despite its limitations in validating real-world risk.

The shift towards automated solutions is expected to accelerate as more organizations adopt Continuous Threat Exposure Management (CTEM) frameworks, which emphasizes continuous testing and validation over pointin-time testing.

Question allowed more than one answer and as a result, percentages will add up to more than 100%

Pentest findings are being operationalized

When it comes to communicating and addressing f indings from pentesting, the two most common approaches are either transferring remediation tasks to IT or handling them directly within the security team. In many cases, there’s overlap. Some CISOs report using both approaches, depending on the nature of the issue. Security teams may address certain findings directly, while others are handed off to IT teams responsible for the systems or tools involved.

Pentesting reports are also being used well beyond the security function. Nearly 50% of organizations share results with company executives or senior management, and 21% share findings with regulators or their board of directors.

This highlights how pentesting is being operationalized; not just as a technical task, but as a risk communication vehicle. Reports are not being shelved; they are informing decisions, justifying investment, and helping translate technical findings into business risk.

Question allowed more than one answer and as a result, percentages will add up to more than 100%

Alignment of risk perception, breaches, and testing focus

As attack surfaces expand, security leaders are becoming more deliberate in where they direct their testing efforts. Globally, there is a clear alignment between where organizations perceive risk, where breaches have occurred, and where pentesting activity is focused.

This alignment is most apparent around externalfacing assets, which consistently rank as both the most targeted and most tested components of the enterprise environment. APIs have also emerged as a growing area of concern valued for their role in application logic and

system integrations, but often challenging to monitor. Their visibility gaps make them attractive to attackers, and increasingly, a priority for testing.

The data, reinforced by patterns observed in the global attack map, underscores a common mindset: Security leaders recognize that risk is distributed, not concentrated. In response, organizations are expanding their testing strategies to ensure broad coverage, visibility, and readiness across every layer of the attack surface.

This approach aligns closely with the principles of Continuous Threat Exposure Management (CTEM). By testing continuously, security teams can move beyond assumptions and gain real insight into where their true exposures lie, closing the gap between perceived risk and actual risk.

What are enterprises spending on their security?

US enterprises allocate an average of $187K annually to pentesting, accounting for 10.5% of their total IT security budget of $1.77M.

Not surprisingly, the data shows that larger organizations tend to invest more. Companies with over 10K employees spend on average $216K on pentesting, while those with 3K-5K employees allocate $168K.

This trend also holds for overall IT security budgets, which grow in parallel with company size, ranging from $1.4M for smaller enterprises to $2M for the largest ones. These findings highlight how security investments scale with organizational complexity, reflecting the increasing need for robust testing as attack surfaces expand.

Security budgets are growing in 2025

Very few organizations are cutting back on cybersecurity spending in 2025. In the United States, 90% of CISOs report either maintaining or increasing their overall IT security budgets for the year ahead. Pentesting budgets show a similar trend, with 87% of CISOs reporting stable or growing investment. Only 10% expect a decrease in overall IT security budgets, and 13% anticipate cuts to pentesting spend.

50% of enterprises report an increase to their pentesting budgets in the coming year, while 47.5% report a rise in their overall security budgets. This indicates that even in the face of economic pressures, security remains a strategic priority particularly in areas focused on validation and exposure management.