Top 5 Penetration Testing Trends in 2026

Updated: May 29th, 2026
Penetration testing trends 2025 insights & predictions

What if we tell you your cleanest security review of 2025 could also be the most dangerous?

In November, security teams hit their scan targets, filed compliance reports, and headed into the holidays with dashboards that looked exactly right. One month later, December produced 1.8 million vulnerabilities: more than the population of 70-odd sovereign states and territories, and more than the platform found in all of 2024. The sad part? The December crisis wasn’t a surprise attack but a scheduled consequence that nobody had put on the calendar.

That’s the story of pentesting in 2025: the right data existed, in the wrong column, read by teams asking the wrong question. Based on 6.8 million findings across 8,000+ engagements, here are five major penetration testing trends that defined security in 2025, and what they cost programs that missed them.

Trend #1: The metric most programs are using incorrectly 

For years, vulnerability count was treated as a reasonable way to measure risk, maybe even the only one. But in 2025, that logic broke. You’re measuring quantity when you should be measuring severity.

Total vulnerability volume grew 275% year-over-year. But buried inside that number, Criticals grew 1,360%, i.e., 14.6x faster than everything else. In 2024, 1 in 40 findings was Critical. By 2025, it was 1 in 10. Same dashboard, very different threat environment.

Severity split determines how security teams should plan staffing, prioritize remediation, and identify attack vectors that could cause the most damage. Instead of only tracking total findings, we looked at Criticals and Highs together, compared severity patterns across quarters, and reviewed them against the previous month’s risk profile. And here’s what we found, in 2025:

  • Q3 was 29% more dangerous per finding than Q4
  • Yet, Q4 carried 63% more total volume
  • Teams focused on Q4 as the crisis, but missed where the real risk was
Monthly Vulnerability Volume

The Fix You Need:

If your remediation program is built on the findings count, and the fix plan is optimized solely on that number, then it focuses on quantity over quality. Teams should stop asking “how many?” and start asking “how dangerous?”, and prioritize by severity.

“The uncomfortable truth, as we looked at this data, is that most organizations are under-secured because they are mis-measured.”  — Shikhil and Ananda, Co-founders, Astra Security

Trend #2: The 30-day blind spot 

The most surprising pentesting trend from 2025 was also the most actionable for 2026: a month’s scan volume predicts the following month’s findings, not its own. Same-month scan data has zero predictive value, but 43% of next month’s risk is explained by this month’s scan volume. Months with more scans were followed by months with fewer findings, and vice versa.

Penetration Testing Trends 2026

November 2025 was the quietest scanning month of the year, where security teams wrapped up, audits were completed, and teams focused on planning year-end activities. But December produced more vulnerabilities than all of 2024 combined. The dashboard lit up like a Christmas tree, and the presents for attackers were vulnerabilities waiting to be unwrapped. 

This reveals the harsh reality that vulnerabilities do not just disappear. They accumulate and are flagged in the following month’s report. The December crisis was visible 30 days before it arrived in anyone’s report. The scan data in November was the bat signal that everyone missed.

The Fix You Need:

Teams reduce testing once compliance work is complete. Attackers do not follow your audit schedule; they are always on the lookout for attack vectors. So, stop planning for penetration testing and scanning only around when audits happen and start planning them when risk shifts. Additionally, you can use scanning volume as a key indicator. This is more of a planning problem than a technical problem, and most importantly, easily preventable.

Trend #3: Cloud overtook the web

Cloud vulnerabilities grew 44x in 2025, but cloud testing coverage barely grew 1.23x. Last year, cloud overtook web as the primary attack surface in three separate quarters. It accounted for 39% of total vulnerability volume but received only 14% of pentest engagements. 

Cloud Pentest Vulnerability Trend

Cloud testing in this case does not require an argument on how risky it is; it requires an adequate budget. A cloud pentest engagement returns an average of 7,480 findings. A web engagement returns 3,060. Cloud testing produces 2.4 times more findings per engagement. This clearly underlines that rather than saying money is insufficient on the whole, it is simply not being budgeted for the right attack surface.

Cloud vulnerabilities are being missed due to two reasons: firstly, cloud testing is underinvested, and secondly, the most expensive cloud exposure is coming from somewhere the cloud team is not looking. The latter is a bigger problem in this trend.

80% of tracked AWS and S3 credential exposure in 2025 was found during mobile pentests, not during cloud infrastructure scans. Consider a developer who hardcodes an API key into a mobile binary, and the app ships. It gets published, downloaded, and sits in the App Store with a solid 4.2-star rating. But the cloud team’s testing scope does not include the mobile app, and the mobile team’s scope does not include credential extraction. So the exposed key stays exactly where it is, inside an app accessible to anyone. Eventually, when the cloud backend is breached, the incident report will say “cloud”, and no one will suspect the app.

Pentest Trends Cloud Infrastructure

The Fix You Need:

You do not need to increase your security budget; you need to move it. Instead of allocating cloud testing a token percentage of your web spend, allocate based on attack surface size and finding yield. Siloed teams testing independently block the holistic view and keep rediscovering the same vulnerabilities, while credentials hide in the gaps between scopes.
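The credential-in-the-binary case above is what a mobile test scope should be checking for explicitly. The following is an added example, not code from the article or from Astra: a small scanner run over the strings of an unpacked app, matching the documented AWS access key ID shape and looking for a nearby high-entropy token of secret-key length. The sample input is constructed; the AKIA/secret pair is the placeholder pair from AWS’s own documentation, and the ASIA key is made up.

```python
# Added example: detect AWS credentials baked into an unpacked mobile app.
import math
import re
from typing import List, Tuple

# AWS access key IDs are 20 chars: AKIA (long-term) or ASIA (temporary) + 16.
ACCESS_KEY_RE = re.compile(rb"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# Secret access keys are 40 chars from the base64-ish alphabet.
SECRET_RE = re.compile(rb"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; real secrets score high, filler like 'AAAA...' scores 0."""
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_aws_credentials(blob: bytes, window: int = 200,
                         min_entropy: float = 4.0) -> List[Tuple[str, str]]:
    """Return (access_key_id, secret_or_empty) for every key ID in blob."""
    hits = []
    for m in ACCESS_KEY_RE.finditer(blob):
        key_id = m.group(1).decode()
        # Only look a short distance after the ID; config files keep them adjacent.
        region = blob[m.end(): m.end() + window]
        secret = ""
        for s in SECRET_RE.finditer(region):
            cand = s.group(1)
            if shannon_entropy(cand) >= min_entropy:  # drop low-entropy decoys
                secret = cand.decode()
                break
        hits.append((key_id, secret))
    return hits


# Constructed sample of strings as they might appear in an unpacked app bundle.
SAMPLE = b'''
{"region": "us-east-1",
 "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
 "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}
static const char *kBuildTag = "ASIA0123456789ABCDEF";  // made-up key ID
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
'''

if __name__ == "__main__":
    for key_id, secret in find_aws_credentials(SAMPLE):
        print(f"access key {key_id}: secret {'FOUND' if secret else 'not located'}")
```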


Trend #4: IDOR, the vulnerability that lives everywhere and gets fixed nowhere

Insecure Direct Object Reference (IDOR) was the one vulnerability class from 2025 that appeared across every surface tested (web, API, cloud, iOS, Android, and network), with $1.1 million in tracked financial exposure. IDOR is not a new term, but what changed in 2025 is the scale at which it is now being found.

IDOR Penetration Testing Trends 2026

Here’s how it works: your backend API accepts a predictable identifier (order ID, document ID, or user ID) and returns the requested data without verifying whether the requester is allowed to access it. Change a single digit in the URL, and you can now look at someone else’s data. This is not a bug in the traditional sense.

It is a gap in design, stemming from assumptions built into the access model before anyone considered what happens if someone abuses the API. This is exactly why IDOR does not get fixed.

There is no CVE for IDOR and no vendor patch, which means CVE-based triage workflows deprioritize it; there is nothing to assign, no ticket that says “apply fix from vendor.” It has to be resolved at the design level, and so every time a new feature is shipped without addressing the underlying access control logic, it regenerates somewhere new.

In simpler terms, if you fix the access control flaw in the web app today but leave the underlying design logic unchanged, the same weakness can reappear in an API endpoint that ships weeks later.
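To make the design-level point concrete, here is an added example (not code from the article): an order lookup written the IDOR-vulnerable way beside the hardened version, and a cross-account regression check that can be kept in a test suite so the flaw is caught again whenever a new endpoint ships. The data store, users and handler names are constructed for the illustration.

```python
# Added example: IDOR-vulnerable lookup, hardened lookup, and a regression check.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str
    total: float


# Constructed sample data: two users, three sequential order IDs.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, "alice", 49.99),
    1002: Order(1002, "bob", 120.00),
    1003: Order(1003, "alice", 15.50),
}


def get_order_insecure(caller: str, order_id: int) -> Optional[Order]:
    # Vulnerable pattern: the ID is looked up and returned with no ownership
    # check, so any authenticated caller can read any order by changing the ID.
    return ORDERS.get(order_id)


def get_order_secure(caller: str, order_id: int) -> Optional[Order]:
    # Hardened pattern: the ownership check is bound to the lookup itself.
    # "Not yours" and "does not exist" both return None, so the response
    # does not confirm which IDs are valid.
    order = ORDERS.get(order_id)
    if order is None or order.owner != caller:
        return None
    return order


def idor_regression_check(handler: Callable[[str, int], Optional[Order]],
                          users: List[str],
                          orders: Dict[int, Order]) -> List[Tuple[str, int]]:
    """Every non-owner requests every order; any order handed back is a violation."""
    violations = []
    for order in orders.values():
        for user in users:
            if user == order.owner:
                continue
            got = handler(user, order.order_id)
            if got is not None and got.owner != user:
                violations.append((user, order.order_id))
    return violations
```

Run the check against each handler in CI; a non-empty result on a handler means an access-control gap regardless of whether any CVE exists for it.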

CVE-tracked disclosures on testing platforms fell 91% in 2025. That means most of the impactful vulnerability classes do not have a CVE entry at all. Because they are typically design-level issues, access-control gaps, or business-logic weaknesses, the fix lies within the product itself. So if your remediation program is built mainly around CVE-based prioritization, it may be focusing on the wrong risks.

The Fix You Need:

Your security program cannot be optimized around CVE prioritization alone. The most impactful vulnerabilities in 2025 do not have a CVE number, because they are not generic vendor bugs; they are design decisions that your own team made. Design-level flaws require design-level fixes, which means reviewing access control logic before shipping.

Trend #5: The autonomous pentesting trend and the governance gap that came with it

The wait has finally come to an end. Autonomous pentesting was commercially deployed in 2026. About time! Platforms are trained on millions of real findings and can now run the initial stages of a pentest in minutes rather than weeks. 

It also surfaces the first critical exploit in hours rather than days. Autonomous platforms can run 80 times faster than the traditional manual approach in first-finding time. But, on the other hand, does this tool follow any rules or have any agreed-upon scope at all?

The governance problem is still catching up. An autonomous pentesting platform makes real-time exploitation decisions such as whether to investigate and test further, how aggressively to test, and when to stop. Without a defined governance framework, agreed scope boundaries, autonomy tiers, and rules for unattended activity, decisions are being made by the platform itself. 

OWASP APTS is the first governance standard built specifically for autonomous pentesting, defining four autonomy levels and 173 requirements to help teams control how these platforms operate. It can be considered a framework that provides clear answers to questions that auditors and incident report teams will ask if an automated pentest goes wrong, including what rules the tool was following and how they can prove it stayed within them.

“Autonomous pentesting tools are making real-time exploitation decisions on production systems. The question is not whether they work, it’s whether you can prove they stayed within the boundaries you set. APTS gives organizations a way to answer that before an incident forces the question.”  — Jinson Varghese Behnan, Pentest Lead, Astra Security.

The Fix You Need:

If your organization is evaluating autonomous tools in 2026 without concrete governance in place, you are asking for technical risk. You would literally be adding a new attack surface inside your security infrastructure. Define scope boundaries, document the rules for when the platform must stop, and adopt OWASP APTS before you automate; otherwise you are automating risk rather than running an autonomous pentest.

Why Astra Security?

Astra Security is a leading pentesting platform that combines AI-powered Autonomous Pentesting with CREST-certified security experts, trusted by 1,000+ companies. We are also CERT-IN empaneled and a PCI-ASV. We test web, mobile, cloud, LLMs, networks, IoT, and APIs.

Because Astra Security tests all attack surfaces together, we catch crucial vulnerabilities that most other providers overlook, including the trending exploits described above: cloud credentials hiding in mobile binaries, IDOR regenerating across every surface simultaneously, and critical vulnerabilities appearing faster than annual or half-yearly tests can keep track of.

Our autonomous pentesting capabilities are trained on 4,000+ real pentests and 10M+ vulnerabilities and run 80x faster than traditional manual approaches, with certified human pentesters vetting the findings to avoid false positives.

For cloud security, we run 400+ configuration checks and 3,000+ automated tests across AWS, Azure, and GCP, integrated directly into CI/CD, so testing moves with your daily deployments. That’s the fix for the 30-day blind spot. 

Astra Security also co-authored OWASP APTS (the only governance standard for autonomous pentesting), so our autonomous pentesting services come with defined boundaries, auditable decisions, and proof that the platform stayed within scope.

No other pentest product combines automated scanning + expert guidance like we do.


Final Thoughts

That November clean report? Well, now you know it wasn’t actually clean; it was a blind spot missed by most. A similar pattern can be observed across all of these penetration testing trends. Severity hiding in volume numbers, cloud credentials exposed in mobile pentests, and IDOR regenerating everywhere. The information was right there, but it was not interpreted correctly. 

Moreover, in each of these cases, the gap between what is being measured and what is actually happening is exactly where exploits quietly pile up, until one fine day they blow up in your face with an expensive breach.  

The cost of cybercrime is anticipated to hit $12.2 trillion globally by 2031, making each upcoming year increasingly difficult for security teams as attackers grow smarter with AI’s assistance. That said, we don’t deny that the 275% growth in total vulnerability volume is real, but the 14.6x growth in Criticals buried inside it is what you need to focus on. Similarly, cloud’s 44x growth is real too.

But so is the fact that 80% of cloud credential exposure is sitting inside mobile binaries that most cloud teams are not even scoping. Riskier vulnerabilities are now harder to find and easier to miss as teams continue to test web, mobile, cloud, and API environments in silos. Most importantly, your testing calendar should be planned around your risk cadence, not audit deadlines.