{"id":24322,"date":"2023-01-09T22:56:15","date_gmt":"2023-01-09T17:26:15","guid":{"rendered":"https:\/\/www.getastra.com\/blog\/?p=24322"},"modified":"2026-03-31T17:05:53","modified_gmt":"2026-03-31T11:35:53","slug":"statistics","status":"publish","type":"post","link":"https:\/\/www.getastra.com\/blog\/penetration-testing\/statistics\/","title":{"rendered":"83 Penetration Testing Statistics: Key Facts and Figures"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Penetration testing is a booming market due to the unquenchable and growing need for continuous testing of security that is deployed for various assets like web applications, networks, mobile applications, and cloud environments.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">73% of successful breaches in the corporate sector were carried out by <a href=\"https:\/\/www.getastra.com\/blog\/security-audit\/web-application-penetration-testing\/\" title=\"Web Application Penetration Testing\">penetrating web applications <\/a>through their vulnerabilities. 
This unprecedented increase in cyber threats is expected to boost and result in growth in the pentesting market.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The article explores the top penetration testing statistics for 2023 and will analyze the growth of the <a href=\"https:\/\/www.getastra.com\/blog\/security-audit\/penetration-testing\/\" target=\"_blank\" rel=\"noreferrer noopener\">penetration testing<\/a> market and other statistics revolving around vulnerabilities.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Top_Penetration_Testing_Statistics\"><\/span>Top Penetration Testing Statistics<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1080\" height=\"1080\" src=\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2023\/01\/Statistics-Template-45.png\" alt=\"40% companies insufficient cybersecurity\" class=\"wp-image-24342\" style=\"width:446px;height:446px\"\/><\/figure>\n<\/div>\n\n\n<ol class=\"wp-block-list\">\n<li>Penetration testing is gaining so much traction that it is estimated that by 2025, it will be a $4.5 billion industry (Gartner).<\/li>\n\n\n\n<li>According to the <a href=\"https:\/\/www.hcltechsw.com\/appscan\/ponemon-report\" target=\"_blank\" rel=\"noopener\">Ponemon Institute<\/a>, 1 in 5 companies do not test their software for security vulnerabilities.&nbsp;<\/li>\n\n\n\n<li>The global network security market is expected to grow by a CAGR of 12% from 2021 to 2028.&nbsp;<\/li>\n\n\n\n<li>76% of global cybersecurity professionals agree that cyber attacks have increased due to employees working remotely.&nbsp;<\/li>\n\n\n\n<li>CheckPoint Software Technologies reveals that<a href=\"https:\/\/www.fortunebusinessinsights.com\/industry-reports\/network-security-market-100339\" target=\"_blank\" rel=\"noopener\"> 81% of organizations<\/a> have switched to remote working while 74% plans to keep conducting their businesses remotely for an indefinite period.&nbsp;<\/li>\n\n\n\n<li>A report by Kaspersky shows that 40% of companies do not have sufficient cybersecurity.&nbsp;<\/li>\n\n\n\n<li>80% of senior IT employees and security leaders believe that companies lack sufficient protection against cyber attacks, and 77% of them 
don&#8217;t have an incident response plan.<\/li>\n\n\n\n<li>93% of healthcare organizations have faced at least one breach in the last three years.&nbsp;<\/li>\n\n\n\n<li>A report from (ISC)\u2019s 2021<a href=\"https:\/\/www.marketsandmarkets.com\/Market-Reports\/penetration-testing-market-13422019.html\" target=\"_blank\" rel=\"noopener\"> Cyber Workforce<\/a> shows that global cybersecurity forces need to grow by 65% in order to effectively defend the critical assets of organizations.&nbsp;<\/li>\n\n\n\n<li>45% of organizations in Canada carried out penetration tests to identify cyber risks and prevent cybercrimes.&nbsp;<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Let us dive deeper into the world of pentest statistics.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_the_Numbers_Dont_Usually_Show\"><\/span>What the Numbers Don\u2019t Usually Show<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Everyone\u2019s talking about pentesting ROI, coverage, and cadence\u2014but here\u2019s what most stats leave out:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In 2024, Astra found <strong>5.33 vulnerabilities per minute<\/strong><\/li>\n\n\n\n<li><strong>Manual pentests uncovered nearly 2000% more unique issues<\/strong> than automated scans<\/li>\n\n\n\n<li>Automated pentests alone helped prevent <strong>$2.88B in potential losses<\/strong><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The <em>State of Continuous Pentesting 2025<\/em> doesn\u2019t just measure frequency; it reveals where point-in-time testing falls short, how security debt compounds, and what modern testing truly looks like when done correctly.<\/p>\n\n\n<div class=\"gb-container gb-container-e7c5d7cf\">\n<div class=\"gb-container gb-container-ab421196\">\n\n<div class=\"gb-headline gb-headline-4ab8b3a2 gb-headline-text\">Critical vulnerabilities are up 83%\u2014but they\u2019re just the tip of the 
iceberg. <span style=\"color:#3078FE;\">Discover how attackers are chaining low-severity issues into high-impact exploits.<\/span><\/div>\n\n\n<div class=\"gb-container gb-container-3fe8d7c6\">\n\n<a class=\"gb-button gb-button-d64ca209 gb-button-text\" href=\"https:\/\/www.getastra.com\/reports\/state-of-continous-pentesting-insights\/2025\" target=\"_blank\" rel=\"noopener noreferrer\">Download the Report<\/a>\n\n<\/div>\n<\/div>\n\n<div class=\"gb-container gb-container-6a88c5dd\">\n<div class=\"gb-container gb-container-138f55b1\">\n<div class=\"gb-container gb-container-22c8a380\">\n<div class=\"gb-container gb-container-c1f45f6d\">\n\n<figure class=\"gb-block-image gb-block-image-daf3dd39\"><img loading=\"lazy\" decoding=\"async\" width=\"1646\" height=\"1805\" class=\"gb-image gb-image-daf3dd39\" src=\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2024\/09\/4b5722b6-girlone.png\" alt=\"\" srcset=\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2024\/09\/4b5722b6-girlone.png 1646w, \/cdn-cgi\/image\/width=1401,height=1536,fit=crop,quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2024\/09\/4b5722b6-girlone.png 1401w\" sizes=\"auto, (max-width: 1646px) 100vw, 1646px\" \/><\/figure>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Penetration_Testing_Statistics_for_2023\"><\/span>Penetration Testing Statistics for 2023<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading has-text-align-center\" id=\"schedule-a-visit\" style=\"font-size:59px;line-height:1.15\"> 29% of organizations have automated 70% and more of their security testing<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>The compound annual growth rate for the penetration testing market size is expected to grow by 13.7 from 2022 to 
2027.&nbsp;<\/li>\n\n\n\n<li>According to a report by Kaspersky Lab, more than 40% of companies lack sufficient cybersecurity.&nbsp;<\/li>\n\n\n\n<li>The same report reveals that 73% of successful breaches in the business sector were accounted for by the penetration of vulnerable web applications.&nbsp;<\/li>\n\n\n\n<li>The most vulnerable points for a security breach are applications at 35% and networks <a href=\"https:\/\/news.broadcom.com\/releases\/vmware-releases-2021-global-security-insights-report-detailing-the-surge-in-cyberattacks-targeting-the-anywhere-workforce\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">at 21%.<\/a>&nbsp;<\/li>\n\n\n\n<li>In the vulnerability assessment analytical note of 2022 by Netwrix, nearly 52% of organizations want to change to a new assessment solution to reduce the number of false positives detected.&nbsp;<\/li>\n\n\n\n<li>According to Gartner\u2019s 2021 Market Guide for Vulnerability Assessment, it is vital to find a <a href=\"https:\/\/www.getastra.com\/blog\/security-audit\/vapt-india\/\">VAPT vendor<\/a> that aligns with your company\u2019s computing architecture.&nbsp;<\/li>\n\n\n\n<li>This report also found that most organizations still focus on traditional <a href=\"https:\/\/www.getastra.com\/services\/vapt-services\" data-type=\"link\" data-id=\"https:\/\/www.getastra.com\/services\/vapt-services\">VAPT services<\/a> like Tenable and Qualys.\u00a0<\/li>\n\n\n\n<li>The report mentions that prioritization of vulnerabilities does increase the number of vulnerabilities that need immediate remediation.&nbsp;<\/li>\n\n\n\n<li>According to the CoreSecurity Penetration Testing Report (2020), 50% of companies make use of commercial pentesting tools while 72% of them rely solely on open-source penetration testing tools.&nbsp;<\/li>\n\n\n\n<li>In features that are relevant for a paid penetration testing app, 69% of companies said reporting, 64% were interested in multi-vector testing capabilities, and 58% in 
automation of redundant tasks.&nbsp;<\/li>\n\n\n\n<li>41% of Canadian organizations planned to conduct penetration tests during 2020-2021 to eliminate cyber risks.&nbsp;<\/li>\n\n\n\n<li>Over 50,000 external and internal weaknesses can be identified using vulnerability scans.&nbsp;<\/li>\n\n\n\n<li>The top 3 areas of focus for penetration tests are servers, web applications, and databases.&nbsp;<\/li>\n\n\n\n<li>Only 29% of organizations have automated 70% and more of their security testing reveals a <a href=\"https:\/\/info.veracode.com\/sans-survey-rethinking-the-sec-in-devsecops-asset.html\" target=\"_blank\" rel=\"noopener\">2021 SANS survey<\/a>.&nbsp;<\/li>\n\n\n\n<li>The same survey showed that only 44% of companies have incorporated security tests and reviews as a part of coding workflows.&nbsp;<\/li>\n\n\n\n<li>66% of organizations automated test builds, however only 52% follow CI and automated security testing.&nbsp;<\/li>\n\n\n\n<li>More than 30,000 followers on LinkedIn use #penetrationtest to share and stay updated with the latest insights on this field.&nbsp;<\/li>\n\n\n\n<li>33k+ people are interested in pentesting and follow the hashtag.<\/li>\n\n\n\n<li>The mobile penetration testing segment, in the USA, Canada, Japan, China, and Europe will drive the 20.7% CAGR.<\/li>\n\n\n\n<li>Penetration testing for the public sector is likely to bolster the industry further by 2028 says<a href=\"https:\/\/www.digitaljournal.com\/pr\/penetration-testing-for-public-sector-market-likely-to-boost-future-growth-by-2028-nettitude-fireeye-rapid7-wizlynx-group-usa-veracode-rhino-security-labs\" target=\"_blank\" rel=\"noopener\"> Digital Journal<\/a>.<\/li>\n\n\n\n<li>Unfilled jobs in the cyber security department grew by 350% from 1 million in 2013 to <a href=\"https:\/\/cybersecurityventures.com\/jobs\/\" target=\"_blank\" rel=\"noopener\">3.5 million in 2021<\/a>.&nbsp;<\/li>\n\n\n\n<li>Employment in the computer and IT field is expected to grow by 13% from 2020 to 
2030.&nbsp;<\/li>\n\n\n\n<li>71% of U.S. job listings for pentesters require a bachelor\u2019s degree while only 20% ask for a graduate degree.&nbsp;<\/li>\n\n\n\n<li>In 2021 there were 22,075 job openings for pentesters in the U.S.A.&nbsp;<\/li>\n\n\n\n<li>In 2021, ethical hackers used Remote Desktop Protocol (RDP) for 70% of attacks to gain internal access.&nbsp;<\/li>\n\n\n\n<li>70% of companies do penetration tests for vulnerability management program support, 69% for assessing security posture, and 67% for achieving compliance, as revealed in the CoreSecurity Penetration Testing Report.&nbsp;<\/li>\n\n\n\n<li>32% of organizations said they do a pentest annually or bi-annually.&nbsp;<\/li>\n\n\n\n<li>51% of businesses exclusively enlist the services of a <a href=\"https:\/\/www.getastra.com\/blog\/cms\/third-party-penetration-testing\/\" target=\"_blank\" rel=\"noreferrer noopener\">third-party penetration testing <\/a>team.<\/li>\n\n\n\n<li>42% of respondents working at organizations said they built an in-house pentesting team.<\/li>\n\n\n\n<li>Pentesters breached 93% of companies by gaining access to their local networks, reveals a 2020 report by Positive Technologies.&nbsp;<\/li>\n\n\n\n<li>The average time for penetrating a local network was four days.<\/li>\n\n\n\n<li>An interesting observation from external pentesting of corporate information systems was that in 77% of the cases, penetration vectors involved insufficient protection of web applications.&nbsp;<\/li>\n\n\n\n<li>86% of companies and their web applications had at least one such vector.&nbsp;<\/li>\n\n\n\n<li>Other <a href=\"https:\/\/www.getastra.com\/blog\/security-audit\/penetration-testing-methodology\/\">penetration testing methods<\/a> are used to brute force credentials for services like database management systems (15%) and remote access (6%).&nbsp;<\/li>\n\n\n\n<li>In 2019, around 58% of companies did both external and internal penetration tests while 19% did just external and 23% did just 
internal penetration tests.&nbsp;<\/li>\n\n\n\n<li>Internal penetration tests carried out in 23 companies resulted in total takeovers by pentesters within three days.&nbsp;<\/li>\n\n\n\n<li>One simple way to take over and obtain control over systems was seen in 61% of the companies.&nbsp;<\/li>\n\n\n\n<li>47% of pentesting attacks go unnoticed as their activities may be too similar to those of users and\/or administrators.&nbsp;<\/li>\n\n\n\n<li>BusinessWire points out that the international penetration testing software market will grow from US$ 1,411.9 million in 2021 to US$ 4,045.2 million by 2028. It is estimated to grow at a CAGR of 14.4% from 2021 to 2028.<\/li>\n\n\n\n<li>75% of infosec companies conduct penetration tests to stay compliant.&nbsp;<\/li>\n\n\n\n<li>Of the surveyed companies, 71% reported that pentesting is crucial for compliance initiatives while 4% said that it&#8217;s not at all important.&nbsp;<\/li>\n\n\n\n<li>58% of the infosec pros said their organizations use third-party pentesters to meet compliance requirements.&nbsp;<\/li>\n\n\n\n<li>According to Cobalt\u2019s The State Of Pentesting 2022, 66% of respondents struggle to maintain high-quality security standards, particularly around compliance.&nbsp;<\/li>\n\n\n\n<li>A penetration testing company revealed that out of the 200 pentests carried out by them in 2020:<\/li>\n<\/ol>\n\n\n\n<ul class=\"wp-block-list\">\n<li>40% were repeat pentest clients.&nbsp;<\/li>\n\n\n\n<li>29% of targets had at least one critical vulnerability.&nbsp;<\/li>\n\n\n\n<li>62% had medium, critical and important vulnerabilities.&nbsp;<\/li>\n\n\n\n<li>44% had one or more important vulnerabilities.&nbsp;<\/li>\n\n\n\n<li>Out of the vulnerabilities found, 11% were critical vulnerabilities, 19% were important, 20% were medium vulnerabilities, and 40% and 10% of vulnerabilities were weak and information-related, respectively.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure 
class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1080\" height=\"1080\" src=\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2023\/01\/Statistics-Template-46.png\" alt=\"penetration testing market CAGR\" class=\"wp-image-24343\" style=\"width:446px;height:446px\"\/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Now that we have taken a look at statistics revolving around penetration testing and its booming market, let\u2019s take a look at something equally relevant to it, which is statistics pertaining to vulnerabilities discovered during penetration tests and vulnerability assessments.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Recommended Reading: <a href=\"https:\/\/www.getastra.com\/blog\/security-audit\/penetration-testing\/\" data-type=\"link\" data-id=\"https:\/\/www.getastra.com\/blog\/security-audit\/penetration-testing\/\" target=\"_blank\" rel=\"noreferrer noopener\">What is Pentest? 
A Complete Guide for 2025<\/a><\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Vulnerability_Statistics_Relevant_To_Pentesting\"><\/span>Vulnerability Statistics Relevant To Pentesting<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Around 69% of all vulnerabilities are accounted for by CVEs with a network attack vector.&nbsp;<\/li>\n\n\n\n<li><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=cve-1999-0517\" target=\"_blank\" rel=\"noopener\">CVE-1999-0517<\/a> is the oldest vulnerability discovered in 2020, being over 21 years old.&nbsp;<\/li>\n\n\n\n<li>According to RiskBased Security, 28,695 vulnerabilities were unearthed in 2020.&nbsp;<\/li>\n\n\n\n<li>A Vulnerability Management Survey <a href=\"https:\/\/www.sans.org\/white-papers\/39930\/\" target=\"_blank\" rel=\"noopener\">by SANS<\/a> revealed that 82% of respondents rely on the prioritization of vulnerabilities.&nbsp;<\/li>\n\n\n\n<li>The same report also mentions that nearly 78% of them do so using CVSS severity rating.&nbsp;<\/li>\n\n\n\n<li>73% of surveyed organizations believe that exploitability goes beyond CVSS severity and thus also relies on the risk-based approach to prioritization of vulnerabilities.&nbsp;<\/li>\n\n\n\n<li>The implementation of zero trust and multifactor authentication measures are only prioritized by 33% of organizations, reveals the <a href=\"https:\/\/www.action1.com\/2022-endpoint-management-and-security-trends-report\/\" target=\"_blank\" rel=\"noopener\">Security Trends Report<\/a> by Endpoint.&nbsp;<\/li>\n\n\n\n<li>TAC Security Survey reveals that 88% of businesses review security risks on their own rather than relying on a vulnerability management solution.&nbsp;<\/li>\n\n\n\n<li>52% of organizations patch or resolve critical vulnerabilities and security risks within a week of identifying them.&nbsp;<\/li>\n\n\n\n<li>There was a peak in the searches for log4shell online when 
Log4Shell (CVE-2022-44228) hit the infosec community.&nbsp;<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading has-text-align-center\" id=\"schedule-a-visit\" style=\"font-size:59px;line-height:1.15\"> <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=cve-1999-0517\" target=\"_blank\" rel=\"noopener\">CVE-1999-0517<\/a> is the oldest vulnerability discovered in 2020, being over 21 years old. <\/h3>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Statistics_That_Indicate_the_Need_For_Penetration_Testing\"><\/span>Statistics That Indicate the Need For Penetration Testing<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In 2021, the healthcare industry was subject to <a href=\"https:\/\/www.securitymagazine.com\/articles\/96965-33-of-third-party-data-breaches-in-2021-targeted-healthcare-orgs#:~:text=33%25%20of%20third%2Dparty%20data%20breaches%20in%202021%20targeted%20healthcare%20orgs,-January%2024%2C%202022&amp;text=Despite%20cybersecurity%20prioritization%20following%20the,33%25%20of%20incidents%20last%20year.\" target=\"_blank\" rel=\"noopener\">33% of all attacks<\/a> that were caused by third parties.<\/li>\n\n\n\n<li>The first death caused by the ransomware was reported in September 2020, when an attack on a hospital\u2019s IT systems in D\u00fcsseldorf, Germany led to failure. (<a href=\"https:\/\/apnews.com\/article\/technology-hacking-europe-cf8f8eee1adcec69bcc864f2c4308c94\" target=\"_blank\" rel=\"noopener\">Associated Press<\/a>, 2020).<\/li>\n\n\n\n<li>27% of all third-party attacks in <a href=\"https:\/\/www.getastra.com\/blog\/security-audit\/third-party-data-breach-statistics\/\">2021 were ransomware<\/a>, making it the most common attack method.<\/li>\n\n\n\n<li>95% of cybersecurity breaches are attributed to human error. 
(<a href=\"https:\/\/www.weforum.org\/agenda\/2020\/12\/cyber-risk-cyber-security-education\" target=\"_blank\" rel=\"noopener\">World Economic Forum<\/a>)<\/li>\n\n\n\n<li>On average, SMBs spend between $826 and $653,587 on <a href=\"https:\/\/www.getastra.com\/blog\/security-audit\/small-business-cyber-attack-statistics\/\">cybersecurity incidents<\/a>.<\/li>\n\n\n\n<li>Accenture\u2019s Cybercrime study reveals that nearly 43% of cyber-attacks are targeted at SMBs out of which only 14% are prepared to face such an attack.&nbsp;<\/li>\n\n\n\n<li>Kaspersky\u2019s quarterly report reported nearly 57,116 DDoS attacks.&nbsp;<\/li>\n\n\n\n<li>Companies in the U.S., the U.K., and Canada were affected by the DDoS attacks on VOIP providers in <a href=\"https:\/\/www.getastra.com\/blog\/security-audit\/ddos-attack-statistics\/\">2022<\/a>.<\/li>\n\n\n\n<li>The first half of 2022 saw nearly<a href=\"https:\/\/www.statista.com\/statistics\/494947\/ransomware-attacks-per-year-worldwide\/#:~:text=During%20the%20first%20half%20of,million%20cases%20to%20133%20million.\" target=\"_blank\" rel=\"noopener\"> 236.7 million<\/a> ransomware attacks worldwide.<\/li>\n\n\n\n<li><a href=\"https:\/\/www.getastra.com\/blog\/security-audit\/ransomware-attack-statistics\/\">28%<\/a> of critical infrastructure organizations were targeted by malicious ransomware attacks. 
These sectors included healthcare, financial services, government organizations, and more.&nbsp;<\/li>\n\n\n\n<li>Eleven percent of breaches in an IBM study were ransomware attacks, a 7.8% increase from 2021, for a growth rate of 41%.&nbsp;<\/li>\n\n\n\n<li>79% of critical infrastructure organizations didn\u2019t employ a zero-trust architecture.&nbsp;<\/li>\n\n\n\n<li>India\u2019s biometric <a href=\"https:\/\/www.washingtonpost.com\/news\/worldviews\/wp\/2018\/01\/04\/a-security-breach-in-india-has-left-a-billion-people-at-risk-of-identity-theft\/\" target=\"_blank\" rel=\"noopener\">database Aadhar<\/a> containing the personal data of almost every citizen (nearly 1.1 billion people) was exposed in a security breach.<\/li>\n\n\n\n<li>The <a href=\"https:\/\/www.jdsupra.com\/legalnews\/shields-health-care-group-inc-announces-8019546\/\" target=\"_blank\" rel=\"noopener\">Shields healthcare<\/a> data breach is the largest data breach reported in 2022 affecting over 2 million individuals.<\/li>\n\n\n\n<li>The global annual cost of cybercrime is predicted to reach <a href=\"https:\/\/s3.ca-central-1.amazonaws.com\/esentire-dot-com-assets\/assets\/resourcefiles\/2022-Official-Cybercrime-Report.pdf?utm_medium=email&amp;utm_source=pardot&amp;utm_campaign=autoresponder\" target=\"_blank\" rel=\"noopener\">$8 trillion annually<\/a> in 2023.<\/li>\n\n\n\n<li>The next five years are due to see a 15% increase in cybercrime costs reaching 10.5 trillion by 2025.&nbsp;<\/li>\n\n\n\n<li><a href=\"https:\/\/www.getastra.com\/blog\/security-audit\/cyber-crime-statistics\/\">80% of reported cyber crimes<\/a> are generally attributed to phishing attacks in the technology sector.&nbsp;<\/li>\n\n\n\n<li>62% of attacks that did not stem from a cybersecurity error or misuse usually were carried out through the usage of stolen personal information obtained through phishing and or brute-force attacks.&nbsp;<\/li>\n\n\n\n<li>Scams increased by 400% since March 2020 thus making COVID-19 one 
of the largest causes of security risks ever.&nbsp;<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-media-text alignwide has-media-on-the-right is-stacked-on-mobile is-vertically-aligned-center has-background\" style=\"background-color:#e4f3fc;grid-template-columns:auto 29%\"><div class=\"wp-block-media-text__content\">\n<div class=\"wp-block-group\" style=\"padding-top:2em;padding-right:2em;padding-bottom:2em;padding-left:2em\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<p class=\"wp-block-paragraph\" style=\"font-size:36px;line-height:1.2\">The first half of 2022 saw nearly<a href=\"https:\/\/www.statista.com\/statistics\/494947\/ransomware-attacks-per-year-worldwide\/#:~:text=During%20the%20first%20half%20of,million%20cases%20to%20133%20million.\" target=\"_blank\" rel=\"noopener\"> 236.7 million<\/a> ransomware attacks worldwide.<\/p>\n<\/div><\/div>\n<\/div><figure class=\"wp-block-media-text__media\"><img loading=\"lazy\" decoding=\"async\" width=\"1080\" height=\"1080\" src=\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2022\/12\/Statistics-Template-22.png\" alt=\"\" class=\"wp-image-23978 size-full\"\/><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This article has compiled crucial penetration testing statistics that show the importance of pentests, and how companies are increasingly employing its services for stepping up their security game.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Get your security systems vetted with a pentest today and experience a worry-free tomorrow with a vulnerability-free security system for your assets.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Penetration testing is a booming market due to the unquenchable and growing need for continuous 
testing of security that is deployed for various assets like web applications, networks, mobile applications, and cloud environments. 73% of successful breaches in the corporate sector were carried out by penetrating web applications through their vulnerabilities. This unprecedented increase in &#8230; <a title=\"83 Penetration Testing Statistics: Key Facts and Figures\" class=\"read-more\" href=\"https:\/\/www.getastra.com\/blog\/penetration-testing\/statistics\/\" aria-label=\"Read more about 83 Penetration Testing Statistics: Key Facts and Figures\">Read more<\/a><\/p>\n","protected":false},"author":106,"featured_media":24340,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[722,695],"tags":[],"class_list":["post-24322","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-penetration-testing","category-statistics"],"_links":{"self":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/24322","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/users\/106"}],"replies":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/comments?post=24322"}],"version-history":[{"count":13,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/24322\/revisions"}],"predecessor-version":[{"id":42542,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/24322\/revisions\/42542"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/media\/24340"}],"wp:attachment":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/media?parent=24322"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.getast
ra.com\/blog\/wp-json\/wp\/v2\/categories?post=24322"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/tags?post=24322"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}