The Crowded Battle: Key Insights from the 2025 State of Pentesting Report

In the newly released 2025 State of Pentesting Report, Pentera surveyed 500 CISOs from global enterprises to understand the strategies, tactics, and tools they use to cope with the thousands of security alerts, the persisting breaches and the growing cyber risks they have to handle. The findings reveal a complex picture of progress, challenges, and a shifting mindset about how enterprises approach security testing.

More Tools, More Data, More Protection… No Guarantees

Over the past year, 45% of enterprises expanded their security technology stacks, with organizations now managing an average of 75 different security solutions​. 

Yet despite these layers of security tools, 67% of U.S. enterprises experienced a breach in the past 24 months​. The growing number of deployed tools has a few effects on the daily operation and the overall cyber posture of the organization. 

Although it seems obvious, the findings tell a clear story – more security tools does mean better security posture. However, there is no silver bullet. Among organizations with fewer than 50 security tools, 93% reported a breach. That percentage steadily declines as stack size increases, dropping to 61% among those using more than 100 tools. 

Alert Fatigue Is Real

The flip side of larger security stacks is that CISOs and their teams must contend with a much larger influx of information. Enterprises managing over 75 security solutions now face an average of 2,000 alerts per week — double the volume compared to organizations with smaller stacks, and those with over 100 tools receive over 3000 (3x the alerts)​. 

This in turn, puts much more emphasis on effective prioritization, otherwise, critical threats may get buried in a sea of alerts. In this environment, where alert volumes are high and time to triage is short, organizations benefit most when they can frequently test for exploitable gaps, so they know which issues truly matter before threat actors find them first.

Software-Based Pentesting Gains Ground

Trust in software-based security testing is growing rapidly. Only 5-10 years ago, many enterprises would never have permitted automated tools to run pentests in their environments for fear of causing outages, but sentiment is changing. 

As CISOs continue to recognize the advantages of software in scaling adversarial testing and keeping pace with constantly changing IT environments, software-based pentesting is becoming the standard. Over half of enterprises now use these tools to support in-house testing, driven by trust in their reliability and the need for scalable, continuous validation strategies. Today, 50% of CISOs cite software-based pentesting solutions as their primary method for uncovering exploitable gaps​.

Insurance Providers Become Unexpected Influencers

Beyond internal management and Boards of Directors, a surprising new force is shaping security strategy: Cyber insurance providers. 59% of CISOs admitted that they have implemented at least one cybersecurity solution that they were not previously considering as a result of their cyber insurers. It’s a clear sign that insurers aren’t just pricing risk, they’re actively prescribing how to reduce it, and reshaping enterprise security priorities in the process.​. 

Low Confidence in Government Support

While governmental agencies like CISA (in the US) and ENISA (in the EU) play an important role in threat visibility and coordination, confidence in government cybersecurity support is surprisingly low. 

Only 14% of CISOs believe the government is adequately supporting the private sector’s cyber challenges​, while 64% feel that government efforts, though acknowledged, are insufficient​. 22% believe that they cannot rely on the government at all for cybersecurity help.

Get the full 2025 State of Pentesting Report and learn how leading enterprises are adapting their strategies, tools, and budgets to manage thousands of weekly alerts, ongoing breaches, and growing cyber risk.