1、THE STATE OF PENTESTING 2024S U R V E Y R E P O R TTable of contentsIntroductionMethodologyKey findingsSurvey report findingsIncreasing complexity of cyber infrastructure Threat actors are breaching the enterprise across all attack surfaces Overwhelming alerts and noiseHow are remediations prioritiz

2、ed?The frequency gap between security testing and organizational changeWhats driving modern pentesting practices?Boards of directors are getting more involved in pentesting and security posture dataBarriers to pentesting What is being pentested?In-house security testing What are enterprises spending

3、 on their security?CISOs must do more with less:Budget outlook in 2024A detailed look at the numbers behind this reportAbout Pentera334678951617 18 27Executive summaryTHE STATE OF PENTESTING SURVEY 20242With the introduction of the Continous Threat Exposure Management(CTEM)framework,organ

4、izations are placing more emphasis on identifying,validating,and mitigating risk within their digital environments.Pentera,the leader in Automated Security Validation,undertook our third annual State of Pentesting survey to understand the current state of security validation across organizations.Thi

5、s report provides a snapshot of how security leaders in 2024 have adopted security validation strategies across their organizations.What are primary motivations and inhibitors to pentesting?How much are organizations investing in their security practices and their security validation?Is our security

6、 effective?THE STATE OF PENTESTING SURVEY 20243MethodologyTo get more insight into the state of pentesting,we commissioned a survey of 450,CISOs,CIOs,and IT security leaders across the Americas,EMEA,and APAC(150 respondents per region).We screened for organizations with a minimum of 1,000 employees.

7、IntroductionThis year only organizations with pentesting practices in place were surveyed.The survey was conducted by Global Surveyz,an independent survey company,and took place during December 2023.The respondents were recruited through a global B2B research panel,and invited via email to complete

8、the survey.The average amount of time spent on the survey was 6 minutes and 48 seconds.The answers to the majority of the non-numerical questions were randomized,to prevent order bias in the answers.4501000+THE STATE OF PENTESTING SURVEY 20244Executive summary010351%of enterprises reported a breach

9、in the past 24 months Boards are getting more involved inpentesting and security posture dataThreat actors are successfully breaching the entire attack surface(Cloud,Web-Facing,and On-Premises)across enterprise IT environments.CISOs are reporting unexpected downtime,data exposure,and financial damag

10、es with only 7%reporting no significant damage as a result of a breach.02CISOs are being challenged to do more with less53%of enterprises report decreasing or stagnating IT Security budgets for 2024.This is a major departure from the 2023 outlook where 92%of enterprises projected a rise to their IT

11、Security budgets.When organizations cannot count on new resources,operational efficiency and getting more out of their existing security suite becomes paramount.Over 50%of CISOs report that they share the results of pentest assessments with their leadership teams as well as their Boards of Directors

12、(BoDs).With high-profile breaches in the news,management teams and BoDs are increasingly interested in understanding their organizational resilience,and the potential impact of cyberattacks to their operations and business.51%of enterprises reported a breach in the past 24 months53%of enterprises re

13、port decreasing or stagnating IT Security budgets for 202450%of the respondents share the results of pentest assessments with BoDsOverTHE STATE OF PENTESTING SURVEY 20245Executive summary0406Manual pentesting is a major investment for intermittent security assessment Prioritization is KING for secur

14、ity teamsGlobally enterprises are spending an average of$164,400(12.9%of their total IT Security Budget)on manual pentest assessments.With 60%of enterprises pentesting twice a year at most,this is a large investment and a sizable portion of the budget for a security activity that provides a snap-sho

15、t assessment of the security posture.05Security testing still outpaced by frequency of network change73%of enterprises report changes to their IT environments at least quarterly,however only 40%report pentesting at the same frequency.This underscores a serious frequency gap between the rate at which

16、 changes occur within the IT infrastructure and the rate of security validation testing,leaving organizations open to risk for extended periods of time.Over 60%of enterprises report a minimum of 500 security events for remediation per week.With a limit on how many remediations they can address,becom

17、ing“patch perfect”is an unfeasible,if not impossible,target for organizations.Security teams must concentrate their remediations on addressing the most critical security gaps before hackers have a chance to exploit them.500Security events for remediation per week$164KAverage annual pentesting budget

18、 73%40%Frequency of changeFrequency of security testing1-Incident managementIncreasing complexity of cyber infrastructure As the complexity of IT environments continues to grow,organizations are integrating a greater number of cybersecurity solutions to manage their risk.Our report found that on ave

19、rage,enterprises already have 53 security solutions in use across their organization.Only 12%of enterprises report utilizing less than 20 security solutions,while 21%report in excess of 76 solutions in their cyber stack.While there are benefits to layering security and creating a level of overlap wi

20、thin your security architecture,the noise created by such a large number of solutions can actually inhibit an organizations ability to detect and react to security threats.2%0.4%19%34%34%12%11-20 Solutions21-50 Solutions51-75 Solutions76-100 Solutions101+SolutionsLess than 10 SolutionsTHE STATE OF P

21、ENTESTING SURVEY 20246The number of security solutions does appear to be correlated with the size of the organization,however the difference is not massive with the smallest enterprise group(1,000-4,999 employees)averaging 51 solutions and the largest(10,000+employees)averaging 58.5253581,000-4,999

22、Employees5,000-9,999 Employees10,000+EmployeesNumber of security solutions by organization sizeTHE STATE OF PENTESTING SURVEY 20247Threat actors are breaching the enterprise across all attack surfaces Despite significant investment in security infrastructure,51%of organizations surveyed reported tha

23、t their organization was compromised by a cyberattack over the past 24 months.93%of CISOs who reported a breach cited an impact on the confidentiality,integrity,and/or availability of their IT environment,while only 7%reported no significant impact as a result of the breach.Close to a third of CISOs

24、 reported financial loss and a similar amount(just over 36%)reported data exposure.However,the biggest risk was to business continuity with 43%reporting unplanned downtime as a result of the cyberattack.Threat actors do not appear to be limiting their activities to any specific attack vector or infr

25、astructure environment.There was a fairly equal distribution across all environments.Almost 60%of organizations that were compromised reported impact to their remote devices,while 54%cited their on-premise infrastructure as the target.Meanwhile,just under 50%reported a breach in their cloud infrastr

26、ucture.Crowdstrikes recent Global Threat Report 2024 reported a 75%increase in cloud intrusions YoY*.As more organizations continue their cloud migration journeys and move towards majority cloud or cloud-native deployments,we expect that this number will continue to rise.Question allowed more than o

27、ne answer and as a result,percentages will add up to more than 100%Havent been breached 49%Breached in the past 12 months 19%Breached in the past 24 months 32%of enterprises were compromised by a cyberattack in the past 24 months51%45%59%54%On-PremCloudRemote devices(including VPN&BYOD)2%Not sure?7%

28、31%No signficant impactData exposure36%43%Financial lossUnplanned downtime*https:/ were enterprises impacted?Impact of the breaches Incident managementOverwhelming alerts and noiseIn addition to remediation tasks,security professionals are grappling with an overwhelming number of demands across the

29、enterprise.These can include(but are not limited to)activities such as preparation for compliance audits,incident response,policy management(GRC),Identity Management,and third party vendor management.The median organization surveyed reported between 500-1,000 security events per week,and over 60%of

30、respondents reported a minimum of 500 security events per week.For the purpose of this survey an“event”was defined as an actionable security item-“a security matter that requires a remediation action,such as patching vulnerabilities,user password reset,or an endpoint quarantine.”THE STATE OF PENTEST

31、ING SURVEY 20248The large volume of alerts underscores the challenge that,while necessary,defense-in-depth security infrastructures also introduce a level of complexity and significant noise.This can make it difficult for security teams to effectively identify and prioritize the most dangerous secur

32、ity gaps that necessitate immediate remediation.With a limit on time and resources for remediation actions the volume of events makes the prospect of becoming patch perfect difficult or completely unfeasible.The focus for security teams becomes prioritization;addressing the exploitable security gaps

33、 hidden amongst the thousands of vulnerabilities that are only theoretically dangerous.Up to --25 or more0.7%8%28%32%22%8%0.2%Number of alerts for remediation per week Incident managementHow are remediations prioritized?CISOs were asked about how they prior

34、itize remediation within their organizations.They were requested to grade the relative priority they assign each methodology for assessing the urgency and prioritization of remediations.The options included the potential business impact,the CVSS score,relying on vendor risk scoring,or simple chronol

35、ogy(addressing the events in the order they entered the system).While providing the most contextual and relevant view of how cyber risk threatens overall business continuity and operations,only 34%of respondents place business impact as a top priority to guide their remediation strategy.Our informed

36、 hypothesis for the greater reliance on other prioritization strategies is because they are more readily available and easier to do.For instance,CVSS score rankings are typically built into visibility metrics of most Vulnerability Management solutions while the down-stream impact on business operati

37、ons of a vulnerability would be out of reach for the majority of organizations.Question allowed more than one answer and as a result,percentages will add up to more than 100%THE STATE OF PENTESTING SURVEY 2024934%consider business impact analysis as a top priority guiding their remediation strategyO

38、nlyBusiness impact analysisCVSS score criticalityVendor risk scoringChronology34%40%44%17%Incident managementThe frequency gap between security testing and organizational changeChanges to the IT infrastructure,in the form of new deployments,addition or subtraction of workstations,etc,all inevitably

39、alter the organizations cyber posture.Each change introduces new potential gaps for threat actors to engage with and exploit.THE STATE OF PENTESTING SURVEY 202410Pentesting and Red-Teaming exercises,whether via third party services or in-house capabilities,are still the primary methods that organiza

40、tions utilize to validate their security.73%of enterprises report changes to their deployments at least quarterly,however only 40%report testing their security at the same frequency.This underscores a serious frequency gap between the rate at which changes occur within the IT infrastructure and the

41、rate of security validation testing,leaving organizations open to risk for extended periods.2-Pentesting practicesHow often are you adding/subtracting resources to/from your network?How often does your organization conduct manual pentest assessments?AnnuallyQuarterlyBiannuallyMonthly or more frequen

42、t18%5%42%22%5%35%36%37%Only 40%perform security testing as often73%Report change at least quarterlyWhats driving modern pentesting practices?To discover whats driving the practice,security leaders were asked why they conduct pentesting in their organization.Traditionally,pentesting originated as a c

43、ompliance requirement within many industries.Theres no question that these compliance requirements,whether imposed by regulatory bodies or cyber insurance providers,are still driving pentesting to some degree.However,the primary drivers for pentesting have evolved and today it is a security driven p

44、ractice.Cybersecurity control and validation and Assess the potential damage of a successful attack return as the top two motivations for pentesting.This indicates that many businesses today are no longer pentesting because they have to but because they want to.This year we introduced a new potentia

45、l category and found that a substantial portion of CISOs and businesses are pentesting to facilitate potential M&A activities.Organizations are wary of third party risks,and are utilizing pentests to assess the potential risk profile when acquiring a company.Question allowed more than one answer and

46、 as a result,percentages will add up to more than 100%THE STATE OF PENTESTING SURVEY 202411Cybersecurity control and validationAssess the potential damage of a successful attackPrioritize security investmentsCyber insurance requirementMerger and acquisition activitiesExecutive mandateRegulatory comp

47、liance33%31%29%27%26%25%23%Pentesting practicesBoards of directors are getting more involved in pentesting and security posture dataCISOs were surveyed about their use of pentesting reports,revealing that beyond security enhancement,these reports are increasingly utilized as a tool to communicate cy

48、bersecurity risk both internally and externally.Over 50%of CISOs reported they share pentest results with the executive team and the Board of Directors(BoD).With the rise in high profile breaches,the BoD and management teams are becoming more cognizant of cybersecurity and the business risk it repre

49、sents.It also reflects the trend towards more expertise within BoDs.As cybersecurity expertise becomes more common among BoDs,its likely that they will increasingly request reports such as pentesting results to benchmark security performance and posture over time.The communication of pentesting resu

50、lts also expands beyond the organization.As the rise of third party and supply chain risks continues to grow,customers are becoming far more aware of their risk via their partners and vendors.31%of CISOs report that they share the results of pentesting with their customers.Question allowed more than

51、 one answer and as a result,percentages will add up to more than 100%THE STATE OF PENTESTING SURVEY 202412What CISOs do with their pentesting report Pentesting practices52%31%Share with customers31%Immediatly transfer to IT Security for priotitization50%Submit to the board of directorsShare with you

52、r executive colleagues/management team4%Archive0.4%Use as paper weight15%Share with regulatorsBarriers to pentestingSimilar to what was shown in the 2023 report,the top two barriers to pentesting remain the availability of pentesters,and the fear of risk to business continuity.Above all,security tea

53、ms are tasked with ensuring that IT environments are safe and that business operations are uninterrupted.Security leaders are cautious around pentesting as many have experienced network downtime due to pentesting in the past.CISOs want to work with the most experienced pentesters who provide the hig

54、hest level of validation to their security,while also posing the least risk to operations.The largest change in comparison to the responses in 2023 is the rise in concern about internal remediations.In 2023,only 21%reported a lack of internal resources for remediation as a barrier to pentesting,whil

55、e this year the number has leapt to 36%.This was rated a primary concern amongst smaller enterprises.Among CISOs at large enterprise organizations(10,000+employees),only 25%cited a lack of internal remediation resources as a concern,while 54%listed risk to business continuity as a primary barrier.TH

56、E STATE OF PENTESTING SURVEY 202413Question allowed more than one answer and as a result,percentages will add up to more than 100%Availability of pentestersAfraid of risk to business continuityDont have the internal resources to remediateNo need-regulatory mandates dont require moreBudgetI dont thin

57、k we need more testing42%39%36%34%24%1%54%afraid of risk to business continuityOnly 25%dont have the internal resources to remediate Pentesting practicesBarriers for large enterprises(10,000+employees)What is being pentested?While pentesting the entire IT environment would be ideal,the associated co

58、sts and resource limitations of manual pentests,especially via third party service providers,make this unrealistic.Instead,pentests are largely conducted on a biannual basis as a sampling exercise that spans across all aspects of the modern attack surface.With this limitation,CISOs are forced to cho

59、ose the highest priority areas of their network,and typically test areas of the organization that they believe have the least visibility and most potential risk.THE STATE OF PENTESTING SURVEY 202414We see an even distribution across the three major attack surfaces:Cloud,External/Web-facing assets,an

60、d On-Prem.An interesting note is that CISOs are not utilizing their pentests to validate the security of individual applications.Pentesting is an expensive endeavor,and CISOs are likely not able to justify an investment at this level to test an individual application.49%49%44%15%Cloud infrastructure

61、 and servicesExternal facing assetsInternal network assetsIndividual applicationsAdditionally,while most organizations are not primarily driven by compliance,it is still a major factor in pentesting practices.Many industries are compelled to test by existing regulations,and testing an individual app

62、lication does not satisfy most compliance requirements.As such CISOs likely cannot justify a test that doesnt both satisfy their security as well as their compliance needs.Pentesting practicesQuestion allowed more than one answer and as a result,percentages will add up to more than 100%THE STATE OF

63、PENTESTING SURVEY 202415In-house security testingLast year when asked“Do you have an in-house Red Team or Pentesting team?”67%of respondents reported that they did have an in-house team.While encouraging,that number appeared unexpectedly high,so this year the question was adjusted to add the word de

64、dicated.Thus,“Do you have a dedicated in-house Red Team or Pentesting team?”While small,this change was intended to understand the percentage of organizations that have committed teams for security validation.Of the organizations surveyed this year,27%reported a dedicated pentesting or red-team in-h

65、ouse.Making sense of this difference is that around two thirds of enterprises have members of their security teams who pentest or perform red-teaming activities,however they are not wholly dedicated to these tasks.Therefore when limiting it to a dedicated in-house red-team or pentesters,that number

66、drops to about a quarter of enterprises.Already have dedicated in-house team 27%No in-house red team,and no plans to add one 31%No in-house team but planning to have it by the end of 2024 42%69%of CISOs would like to have dedicated in-house security testing Pentesting practicesWhat are enterprises s

67、pending on their security?When asked about how much they spend on their security in 2023,respondents reported an average budget of$1.27M for IT Security.Over 42%of enterprises reported a budget of over$1M while only 14%cited a budget under$500k.The average spending on pentesting is$164,400,which rep

68、resents 12.9%of the total average IT Security budget.Only 7%of enterprises reported spending less than$50k on their yearly pentesting budget.THE STATE OF PENTESTING SURVEY 202416Under$100K1%$100K-$500K13%$500K-$1M43%$1M-$2.5M35%$1M-$5M8%$5M+0.2%Under$10K0.4%$10K-$50K7%$50K-$100K32%$100K-$250K45%$250

69、K-$500K15%$500K+0.9%Globally,pentesting averages 13%of the total IT Security budget$164.4KAverage annual pentesting budget$1.27MAverage annual IT Security budget3-Budget allocation trendsCISOs must do more with less:Budget outlook in 2024The budget landscape for IT Security and pentesting has underg

70、one a significant transformation since last years.While the economic slowdown was already starting to impact organizations in late 2022,Penteras State of Pentesting 2023 report showcased that it was not projected to impact cybersecurity budgets.92%of respondents expected increases in their overall I

71、T Security budgets,while 85%anticipated their pentesting budget to grow.This year,CISOs are being challenged to do more with less.53%of CISOs project their overall IT Security budgets will either stagnate or decrease in 2024,while 56%expect the same for their pentesting budgets.While that a signific

72、ant number of organizations are still projecting increases to their overall IT security and their pentesting budgets,most increases are far more modest compared to 2023.Only 5%of CISOs this year are projecting their IT security budgets to grow by more than 10%compared to 36%in 2023.THE STATE OF PENT

73、ESTING SURVEY 202417Note-the survey responses were gathered in December 2023,when budgets for 2024 had been decided and approved.IT Security budget outlookPentesting budget outlook53%report decreasing or stagnating budgets56%report decreasing or stagnating budgets39%report increasing budgets between

74、 1-10%41%report increasing budgets between 1-10%Budget allocation trendsTHE STATE OF PENTESTING SURVEY 202418A detailed look at the numbers behind this report 22%NORTH AMERICA3%Education4%Government2%Food5%Retail&eCommerceA detailed look at the numbers behind this reportDemographics|2%PublicServices

75、2%Agriculture&Mining11%Industrial8%Banking8%Health&Pharma8%FinancialServices6%Insurance5%Transport&Logistics7%Energy&Utilities8%ProfessionalServices5%Telecom4%SoftwareDevelopment1%Technology4%Media3%InformationTechnologyIndustries of respondentsRespondents are based inTHE STATE OF PENTESTING SURVEY

76、2024193%Non Profit11%LATAM 33%EMEA 33%APAC59%31%10%MID-SIZED1K-5K EmployeesLARGE5K-10K EmployeesX-LARGE10k+EmployeesSize of organizationsC-suite 57%VP/Head 43%Job SeniorityInformation Security 12%CIO 49%CISO39%RoleTHE STATE OF PENTESTING SURVEY 202420 A detailed look at the numbers behind this repor

77、tTHE STATE OF PENTESTING SURVEY 202421How many security solutions do you currently use across your organization?Has your organization been compromised by a cyberattack over the past 24 months?Which aspect of your organizations infrastructure was compromised as a result of the attack/s?(Select all th

78、at apply)34%34%59%54%45%2%19%2%12%0.4%Less than 10 Solutions11-20Solutions21-50Solutions51-75Solutions76-100Solutions101+SolutionsHavent been breached 49%Breached in the past 12 months 19%Breached in the past 24 months 32%of enterprises were compromised by a cyberattack in the past 24 months51%Not s

79、ureCloud environmentOn-prem environmentRemote devices(including VPN and BYOD)A detailed look at the numbers behind this report A detailed look at the numbers behind this reportTHE STATE OF PENTESTING SURVEY 202422What kind of disruption or impact have your organization experienced as a result of the

80、 cyberattack,if at all?(Select all that apply)How many security“events”does your organization receive per week?(“Event”is defined as a security matter that requires a remediation action.Examples include,Vulnerability to be patched,User Password Reset,Endpoint Isolation/Quarantine)Rank what level of

81、priority your organization assigns each of the following methods when deciding which security events to remediate:Business Impact Analysis,Vendor Risk Scoring,CVSS score criticality,Chronology(The order they entered your system)43%36%31%7%No significant impact from cyber attackFinancial lossData exp

82、osureUnplanned downtimeUp to --25 or more0.7%8%28%32%22%8%0.2%2%17%41%39%1%40%44%15%1%34%46%18%1%44%42%13%ChronologyNot using this method3rd Priority1st Priority2nd PriorityVendor risk scoringCVSS score criticalityBusiness impact analysis A detailed look at

83、 the numbers behind this reportTHE STATE OF PENTESTING SURVEY 202423How often are you adding and/or decommissioning(subtracting)resources from your network?How often does your organization conduct MANUAL pentest assessments?18%36%42%37%5%5%35%22%AnnuallyAnnuallyBiannuallyBiannuallyMonthly or more fr

84、equentMonthly or more frequentQuarterly Quarterly A detailed look at the numbers behind this reportTHE STATE OF PENTESTING SURVEY 202424What are the MAIN reasons your organization conducts pentesting?What do you do with your pentest report?Why are you NOT conducting manual pentesting assessments mor

85、e often?Cybersecurity control and validationAssess the potential damage of a successful attackPrioritize security investmentsCyber insurance requirementMerger and acquisition activitiesExecutive mandateRegulatory compliance33%31%29%27%26%25%23%52%31%31%50%Share with your executive colleagues/managem

86、ent teamAvailability of pentestersAfraid of risk to business continuityDont have the internal resources to remediateNo need-regulatory mandates dont require moreBudgetI dont think we need more testingSubmit to the board of directorsImmediatly transfer to IT Security for priotitizationShare with cust

87、omersShare with regulators4%Archive0.4%Use as paper weight15%42%39%36%34%24%1%A detailed look at the numbers behind this reportTHE STATE OF PENTESTING SURVEY 202425During a penetration test,you direct the pentesters to target/test my organizations:Do you have a dedicated in-house Red Team or Pentest

88、ing team?What is your current annual budget for PENTESTING(2023)?What is your current annual budget for your OVERALL IT Security(2023)?49%49%44%15%Individual applicationsInternal network assetsExternal facing assetsCloud infrastructure and services69%of CISOs would like to have dedicated in-house se

89、curity testingNo in-house red team,and no plans to add one 31%Already have dedicated in-house team 27%No in-house team but planning to have it by the end of 2024 42%Under$100K1%$100K-$500K13%$500K-$1M43%$1M-$2.5M35%$1M-$5M8%$5M+0.2%Under$10K0.4%$10K-$50K7%$50K-$100K32%$100K-$250K45%$250K-$500K15%$50

90、0K+0.9%A detailed look at the numbers behind this reportTHE STATE OF PENTESTING SURVEY 202426Your annual PENTESTING budget for 2024 is due to:Your annual OVERALL IT Security budget for 2024 is due to:Decrease by more than 10%Decrease by more than 10%Increase bymore than 10%Increase bymore than 10%In

91、crease by1-10%Increase by1-10%Remainunchangedyear-over-yearRemainunchangedyear-over-yearDecrease by1-10%Decrease by1-10%5%5%39%41%13%12%42%39%1%2%Pentera is the market leader for Automated Security Validation,empowering organizations to easily test the integrity of all cybersecurity layers across th

92、e complete attack surface.With continuous validation,Pentera identifies true security exposures at any moment,at any scale.Thousands of security professionals and service providers around the world trust Pentera to guide remediation and close security gaps before they are exploited.For more info,vis

93、it:pentera.ioThe Pentera Platform automatically uncovers real exposures in the organizations IT environment.Pentera uses an adaptive,rule-based,algorithm to scan and challenge the entire attack surface-Internal,External,and Cloud,providing real-time security validation at scale.Pentera safely perfor

94、ms the actions a malicious adversary would reconnaissance,sniffing,spoofing,cracking,(harmless)malware injection,file-less exploitation,post-exploitation,lateral movement,and privilege escalation all the way to data exfiltration.Requiring no agents or pre-installations,the platform gives security te

95、ams a complete attack operation view that provides a true assessment of their resiliency against real attacks,prioritizing remediation efforts with a threat-facing perspective.Pentera applies the latest hacking techniques,including ransomware strains and leaked credentials,enabling organizations to

96、focus their resources on the remediation of the vulnerabilities that take part in a damaging“kill chain”.With Pentera,organizations continuously reduce cyber exposure and maintain the highest resilience posture by performing validation tests as frequently as needed-daily,weekly,or monthly.This gives

97、 companies a better grasp not only of their security gaps but also allows them to test the efficiency of the security stack and maintain consistency across the organization.About PenteraPenteras Automated Security Validation PlatformTHE STATE OF PENTESTING SURVEY 2024 2024 Pentera.All rights reserved.