83 Penetration Testing Statistics: Key Facts and Figures

Updated on: October 20, 2023

Penetration testing is a booming market, driven by the growing need for continuous security testing of assets such as web applications, networks, mobile applications, and cloud environments.

73% of successful breaches in the corporate sector were carried out by penetrating web applications through their vulnerabilities. This unprecedented increase in cyber threats is expected to drive growth in the pentesting market.

This article explores the top penetration testing statistics for 2023 and analyzes the growth of the penetration testing market, along with other statistics revolving around vulnerabilities.

Top Penetration Testing Statistics

  1. Penetration testing is gaining so much traction that it is estimated that by 2025, it will be a $4.5 billion industry (Gartner).
  2. According to the Ponemon Institute, 1 in 5 companies do not test their software for security vulnerabilities. 
  3. The global network security market is expected to grow by a CAGR of 12% from 2021 to 2028. 
  4. 76% of global cybersecurity professionals agree that cyber attacks have increased due to employees working remotely. 
  5. CheckPoint Software Technologies reveals that 81% of organizations have switched to remote working, while 74% plan to keep conducting their businesses remotely for an indefinite period.
  6. A report by Kaspersky shows that 40% of companies do not have sufficient cybersecurity. 
  7. 80% of senior IT employees and security leaders believe that companies lack sufficient protection against cyber attacks, and 77% of them don’t have an incident response plan.
  8. 93% of healthcare organizations have faced at least one breach in the last three years. 
  9. A report from (ISC)²'s 2021 Cyber Workforce shows that global cybersecurity forces need to grow by 65% in order to effectively defend the critical assets of organizations.
  10. 45% of organizations in Canada carried out penetration tests to identify cyber risks and prevent cybercrimes. 

Let us dive deeper into the world of pentest statistics. 

Penetration Testing Statistics for 2023

  1. The penetration testing market is expected to grow at a compound annual growth rate of 13.7% from 2022 to 2027.
  2. According to a report by Kaspersky Lab, more than 40% of companies lack sufficient cybersecurity. 
  3. The same report reveals that 73% of successful breaches in the business sector were accounted for by the penetration of vulnerable web applications. 
  4. The most vulnerable points for a security breach are applications at 35% and networks at 21%. 
  5. In the vulnerability assessment analytical note of 2022 by Netwrix, nearly 52% of organizations want to change to a new assessment solution to reduce the number of false positives detected. 
  6. According to Gartner’s 2021 Market Guide for Vulnerability Assessment, it is vital to find a VAPT vendor that aligns with your company’s computing architecture.
  7. This report also found that most organizations still focus on traditional VAPT services like Tenable and Qualys. 
  8. The report mentions that prioritization of vulnerabilities does increase the number of vulnerabilities that need immediate remediation. 
  9. According to the CoreSecurity Penetration Testing Report (2020), 50% of companies make use of commercial pentesting tools while 72% of them rely solely on open-source penetration testing tools. 
  10. In features that are relevant for a paid penetration testing app, 69% of companies said reporting, 64% were interested in multi-vector testing capabilities, and 58% in automation of redundant tasks. 
  11. 41% of Canadian organizations planned to conduct penetration tests during 2020-2021 to eliminate cyber risks. 
  12. Over 50,000 external and internal weaknesses can be identified using vulnerability scans. 
  13. The top 3 areas of focus for penetration tests are servers, web applications, and databases. 
  14. Only 29% of organizations have automated 70% or more of their security testing, reveals a 2021 SANS survey.
  15. The same survey showed that only 44% of companies have incorporated security tests and reviews as a part of coding workflows.
  16. 66% of organizations automated test builds; however, only 52% follow CI and automated security testing.
  17. More than 30,000 followers on LinkedIn use #penetrationtest to share and stay updated with the latest insights on this field. 
  18. 33k+ people are interested in pentesting and follow the hashtag.
  19. The mobile penetration testing segment, in the USA, Canada, Japan, China, and Europe will drive the 20.7% CAGR.
  20. Penetration testing for the public sector is likely to bolster the industry further by 2028, says Digital Journal.
  21. Unfilled jobs in the cyber security department grew by 350%, from 1 million in 2013 to 3.5 million in 2021.
  22. Employment in the computer and IT field is expected to grow by 13% from 2020 to 2030. 
  23. 71% of U.S. job listings for pentester require a bachelor’s degree while only 20% ask for a graduate degree. 
  24. In 2021 there were 22,075 job openings for pentesters in the U.S.A. 
  25. In 2021, ethical hackers used Remote Desktop Protocol (RDP) for 70% of attacks to gain internal access. 
  26. According to the CoreSecurity Penetration Testing Report, 70% of companies do penetration tests for vulnerability management program support, 69% for assessing security posture, and 67% for achieving compliance.
  27. 32% of organizations said they do a pentest annually or bi-annually. 
  28. 51% of businesses exclusively enlist the services of a third-party penetration testing team.
  29. 42% of respondents working at organizations said they built an in-house pentesting team.
  30. Pentesters were able to breach the local networks of 93% of companies, reveals a 2020 report by Positive Technologies.
  31. The average time for penetrating a local network was four days.
  32. An interesting observation on external pentesting corporate information systems was that in 77% of the cases, penetration vectors involved insufficient protection of web applications. 
  33. 86% of companies and their web applications had at least one such vector. 
  34. Other penetration testing methods are used to brute force credentials for services like database management systems (15%) and remote access (6%). 
  35. In 2019, around 58% of companies did both external and internal penetration tests while 19% did just external and 23% did just internal penetration tests. 
  36. Internal penetration tests carried out in 23 companies resulted in total takeovers by pentesters within three days. 
  37. One simple way to overtake and obtain control over systems was seen in 61% of the companies. 
  38. 47% of pentesting attacks go unnoticed, as their activities may be too similar to those of users and/or administrators.
  39. BusinessWire points out that the international penetration testing software market will grow from US$ 1,411.9 million in 2021 to US$ 4,045.2 million by 2028. It is estimated to grow at a CAGR of 14.4% from 2021 to 2028.
  40. 75% of infosec companies conduct penetration tests to stay compliant. 
  41. Out of the surveyed companies, 71% reported that pentesting is crucial for compliance initiatives, while 4% said that it’s not at all important.
  42. 58% of the infosec pros said their organizations use third-party pentesters to meet compliance requirements. 
  43. According to Cobalt’s The State Of Pentesting 2022, 66% of respondents struggle to maintain high-quality security standards, particularly around compliance. 
  44. A penetration testing company revealed that out of the 200 pentests carried out by them in 2020:
      • 40% were repeated pentest clients.
      • 29% of targets had at least one critical vulnerability.
      • 62% had medium, critical and important vulnerabilities.
      • 44% had one or more important vulnerabilities.
      • Out of the vulnerabilities found, 11% were critical vulnerabilities, 19% were important, 20% were medium vulnerabilities, and 40% and 10% of vulnerabilities were weak and information related respectively.

Now that we have taken a look at statistics revolving around penetration testing and its booming market, let’s take a look at something equally relevant to it, which is statistics pertaining to vulnerabilities discovered during penetration tests and vulnerability assessments. 

Vulnerability Statistics Relevant To Pentesting

  1. Around 69% of all vulnerabilities are accounted for by CVEs with a network attack vector. 
  2. CVE-1999-0517 is the oldest vulnerability discovered in 2020, being over 21 years old. 
  3. According to RiskBased Security, 28,695 vulnerabilities were unearthed in 2020. 
  4. A Vulnerability Management Survey by SANS revealed that 82% of respondents rely on the prioritization of vulnerabilities. 
  5. The same report also mentions that nearly 78% of them do so using CVSS severity rating. 
  6. 73% of surveyed organizations believe that exploitability goes beyond CVSS severity and thus also rely on a risk-based approach to prioritization of vulnerabilities.
  7. The implementation of zero trust and multifactor authentication measures is prioritized by only 33% of organizations, reveals the Security Trends Report by Endpoint.
  8. TAC Security Survey reveals that 88% of businesses review security risks on their own rather than relying on a vulnerability management solution. 
  9. 52% of organizations patch or resolve critical vulnerabilities and security risks within a week of identifying them. 
  10. There was a peak in the searches for log4shell online when Log4Shell (CVE-2022-44228) hit the infosec community. 

Statistics That Indicate the Need For Penetration Testing

  1. In 2021, the healthcare industry was subject to 33% of all attacks that were caused by third parties.
  2. The first death caused by ransomware was reported in September 2020, when an attack on a hospital’s IT systems in Düsseldorf, Germany led to failure (Associated Press, 2020).
  3. 27% of all third-party attacks in 2021 were ransomware, making it the most common attack method.
  4. 95% of cybersecurity breaches are attributed to human error. (World Economic Forum)
  5. On average, SMBs spend between $826 and $653,587 on cybersecurity incidents.
  6. Accenture’s Cybercrime study reveals that nearly 43% of cyber-attacks are targeted at SMBs out of which only 14% are prepared to face such an attack. 
  7. Kaspersky’s quarterly report reported nearly 57,116 DDoS attacks. 
  8. Companies in the U.S., the U.K., and Canada were affected by the DDoS attacks on VOIP providers in 2022.
  9. The first half of 2022 saw nearly 236.7 million ransomware attacks worldwide.
  10. 28% of critical infrastructure organizations were targeted by malicious ransomware attacks. These sectors included healthcare, financial services, government organizations, and more. 
  11. Eleven percent of breaches in an IBM study were ransomware attacks, a 7.8% increase from 2021, for a growth rate of 41%. 
  12. 79% of critical infrastructure organizations didn’t employ a zero-trust architecture. 
  13. India’s biometric database Aadhar containing the personal data of almost every citizen (nearly 1.1 billion people) was exposed in a security breach.
  14. The Shields healthcare data breach is the largest data breach reported in 2022 affecting over 2 million individuals.
  15. The global annual cost of cybercrime is predicted to reach $8 trillion annually in 2023.
  16. The next five years are due to see a 15% increase in cybercrime costs, reaching $10.5 trillion by 2025.
  17. 80% of reported cyber crimes are generally attributed to phishing attacks in the technology sector. 
  18. 62% of attacks that did not stem from a cybersecurity error or misuse were usually carried out using stolen personal information obtained through phishing and/or brute-force attacks.
  19. Scams have increased by 400% since March 2020, making COVID-19 one of the largest causes of security risks ever.

This article has compiled crucial penetration testing statistics that show the importance of pentests, and how companies are increasingly employing its services for stepping up their security game. 

Get your security systems vetted with a pentest today and experience a worry-free tomorrow with a vulnerability-free security system for your assets. 

Nivedita James Palatty

Nivedita is a technical writer with Astra who has a deep love for knowledge and all things curious in nature. An avid reader at heart, she found her calling writing about SEO, robotics, and currently cybersecurity.