Enterprises are adopting the adversarial perspective and software-based pentesting platforms to identify real risk and prioritize security efforts more effectively

BOSTON, May 8, 2025 – Pentera, the market leader in automated security validation, today announced the release of its fourth annual State of Pentesting survey report. Pentera surveyed 500 CISOs and senior security executives from enterprises with more than 3,000 employees across the United States, Germany, France, and the United Kingdom. The 2025 report offers data-driven analysis on the current state of security validation practices, budget priorities, and the key factors influencing the adoption of proactive risk management strategies.

Unthinkable a decade ago, today over 50% of enterprise CISOs report using software-based pentesting to support their in-house testing practices. Even more notable, 50% of CISOs now identify software-based testing as a primary method for uncovering exploitable security gaps within their organizations. These trends signal a broader shift toward testing approaches that offer greater scale, cover the full attack surface, and enable continuous validation of the enterprise.

Key findings from the report include:

  • 67% of enterprises reported a breach in the past 24 months – 76% of CISOs reported a significant impact following a breach; 36% reported unplanned downtime, 30% cited data exposure, and 28% experienced financial loss.
  • Pentesting represents a significant share of security budgets – U.S. enterprises allocate an average of $187,000 annually to pentesting, accounting for 11% of their total IT security budgets, which average $1.77 million.
  • Cyber insurance providers are driving tech adoption – 59% of enterprises have adopted at least one new security solution they were not previously considering at the request of their cyber insurance provider.

“The pace of change in enterprise environments has made traditional testing methods unsustainable,” said Jason Mar-Tang, Field CISO at Pentera. “96% of organizations are making changes to their IT environment at least quarterly. Without automation and technology-driven validation, it’s nearly impossible to keep up. The report’s findings reinforce the need for scalable security validation strategies that meet the speed and complexity of today’s environments.”

The survey was conducted by Global Surveyz, an independent research firm, from December 2024 through January 2025.