Starting on July 15, 2024, we surveyed 200 in-house security practitioners in the US who are involved in penetration testing in their current role. Our goal was to get a better picture of the state of penetration testing, discover what drives current testing priorities and plans, and highlight key takeaways for other offensive security practitioners.

In this article, we will summarize several of the findings from our research and point to a handful of actionable insights. You can find and download the full, 31-page report here.

Pentests Are No Longer an Annual Affair

Penetration testing has shifted from an annual model to a more frequent or continuous model. In fact, only 7.5% of respondents in our survey indicated that they perform testing annually, whereas 77% perform it bi-annually, quarterly, monthly, or continuously. Continuous testing (9.5%) is now done by more testers than annual testing.

Traditionally, pentesting was often done on an annual basis, mainly to meet compliance requirements like PCI-DSS or other regulatory standards. However, this approach has significant limitations:

  1. Static Snapshot: annual tests provide a limited, point-in-time assessment of security, leaving organizations vulnerable to threats that emerge between tests.
  2. Increasing Threat Landscape: as cyber threats evolve rapidly, an annual pentest may not detect new vulnerabilities or risks that arise between tests.
  3. Complex Environments: modern IT environments, including cloud infrastructure and constantly changing applications, require more dynamic and regular testing.

To address these challenges, many organizations are moving toward continuous pentesting or more frequent (e.g., quarterly, monthly) assessments. This model allows for:

  • Real-time vulnerability detection: Continuous testing uncovers security flaws as they emerge, reducing the attack surface.
  • Attack Surface Management (ASM): Many companies now combine continuous pentesting with attack surface monitoring, where organizations constantly evaluate their external exposure to threats.
  • Cost-Efficiency: Automated tools and pentesting platforms allow for ongoing assessments at a lower cost than full manual engagements.

In-House Testers Perform More Internal vs External Testing

Half of the respondents perform internal penetration testing whereas 42% perform external network testing. Web application, social engineering and mobile application testing are not far behind and are done by more than a third of testers.

Other types of testing include IoT/embedded systems penetration testing (performed by 34% of respondents), wireless network penetration testing (33%), cloud infrastructure penetration testing (32%), and red team engagements (16%).

The data suggests a strong focus on network security, with internal and external network penetration testing being prioritized by many organizations. However, the high percentages for web application and social engineering tests suggests that companies are increasingly recognizing the importance of safeguarding both digital infrastructure and human vulnerabilities. While mobile application testing is less frequent, its significant share indicates a growing awareness of securing mobile environments as part of a comprehensive cybersecurity strategy.

Weak or Default Password Are the Most Common Vulnerability

When we asked about the most common vulnerabilities found during penetration testing, we learned that weak or default passwords are the most frequent, followed closely by outdated or unpatched software, and sensitive data exposure. Other common issues include misconfigurations and broken authentication or session management.

Weak or default passwords are encountered the most by testers who can exploit them by using automated tools to perform password-cracking attacks, such as brute-force or dictionary attacks, to gain unauthorized access to systems. They may also scan for common or default credentials that have not been changed by administrators, often found in devices, applications, or databases. Once access is gained through these weak passwords, testers can escalate privileges, move laterally within the network, or exfiltrate sensitive data. By exploiting these vulnerabilities, penetration testers can demonstrate how easily attackers could compromise an organization’s security and this can help emphasize the importance of strong password policies and proper security hygiene.

Importantly, security teams need to consider all of the above types of risks and address them often. The diverse nature of vulnerabilities identified means that only a comprehensive security approach can help prevent successful attacks.

Pentesting Budgets Are Growing

Majority of the respondents indicated that their testing budgets will grow in the next 12 months. From those, 74% indicated their budget will increase by up to 50%. Interestingly, only 9% of respondents said their budget will decrease.

The fact is, increasing complexity and frequency of cyber threats drives organizations to invest more in proactive security measures. As businesses expand their digital infrastructures and adopt cloud services, the attack surface grows, making continuous or more frequent penetration testing essential to identify vulnerabilities. Additionally, stricter regulatory requirements and compliance standards (for example, General Data Protection Regulation or California Privacy Rights Act) necessitate more thorough testing to ensure security and privacy. The rising costs associated with data breaches, both financial and reputational, further motivate organizations to allocate more resources toward preventing these incidents, explaining some of the budget increase for penetration testing.

Explore the Full Report!

Besides the above-mentioned insights, our report includes many others that provide a broad picture of the state of penetration testing in 2024. Our data sample includes companies from many industries, with the largest group (21%) representing organizations in technology and software, followed closely by financial services (15%). Interestingly, 70% of all respondents rated their organization’s cybersecurity maturity as high or very high, suggesting confidence in the approaches and processes they use.

We encourage you to read the full report to discover all the findings and see how much they correspond to your own organization.