In the newly released 2025 State of Pentesting Report, Pentera surveyed 500 CISOs from global enterprises (200 of them from across the USA) to understand the strategies, tactics, and tools they use to cope with the thousands of security alerts, the persistent breaches, and the growing cyber risks they must handle. The findings reveal a complex picture of progress, challenges, and a shifting mindset about how enterprises approach security testing.
More Tools, More Data, More Security… No Guarantees
Over the past year, 45% of enterprises expanded their security technology stacks, with organizations now managing an average of 75 different security solutions.
Yet despite these layers of security tools, 67% of U.S. enterprises experienced a breach in the past 24 months. The growing number of deployed tools has several effects on the daily operations and the overall cyber posture of the organization.
Although it may seem obvious, the findings tell a clear story: more security tools are associated with a better security posture. However, there is no silver bullet. Among organizations with fewer than 50 security tools, 93% reported a breach. That share steadily declines as stack size increases, dropping to 61% among those using more than 100 tools. Note that these are survey correlations, not evidence that the tools themselves prevented the breaches; a larger stack often also reflects a larger security budget and program.
Alert Fatigue Is Real
The flip side of larger security stacks is that CISOs and their teams must deal with a much larger influx of data. Enterprises managing more than 75 security solutions now face an average of 2,000 alerts per week, double the volume seen by organizations with smaller stacks, and those with more than 100 tools receive over 3,000 (three times as many).
This in turn puts far more emphasis on effective prioritization; otherwise, critical threats can get buried in a sea of alerts. In this environment, where alert volumes are high and time to triage is short, organizations benefit most when they can continuously test for exploitable gaps, so they know which issues actually matter before threat actors find them first.
Software-Based Pentesting Gains Ground
Trust in software-based security testing is growing rapidly. Only 5-10 years ago, many enterprises would never have allowed automated tools to run pentests in their environments for fear of causing outages, but sentiment is changing.
As CISOs continue to recognize the advantages of software in scaling adversarial testing and keeping pace with constantly changing IT environments, software-based pentesting is becoming the standard. Over half of enterprises now use these tools to support in-house testing, driven by trust in their reliability and the need for scalable, continuous validation strategies. Today, 50% of CISOs cite software-based pentesting solutions as their primary method for uncovering exploitable gaps.
Insurance Providers Become Unexpected Influencers
Beyond internal management and Boards of Directors, a surprising new force is shaping security strategy: cyber insurance providers. 59% of CISOs admitted that they have implemented at least one cybersecurity solution that they were not previously considering because of their cyber insurers. This is a clear sign that insurers are not just pricing risk, they are actively prescribing how to reduce it, and reshaping enterprise security priorities in the process.
Low Confidence in Government Support
While government agencies like CISA (in the US) and ENISA (in the EU) play an important role in threat visibility and coordination, confidence in government cybersecurity support is surprisingly low.
Only 14% of CISOs believe the government is adequately supporting the private sector's cyber challenges, while 64% feel that government efforts, though acknowledged, are insufficient. 22% believe that they cannot rely on the government at all for cybersecurity support.
To benchmark your organization's pentesting practices, budgets, and priorities against other global enterprises, register for the webinar on May 27, 2025, where senior security analysts will discuss the key findings. Alternatively, get the full 2025 State of Pentesting Report and see all the insights for yourself!
Note: This article was written and contributed by Jay Mar Tang, Field CISO at Pentera.