As technology continues to evolve, cybersecurity has become a top priority for businesses of all sizes. One of the key components of a comprehensive cybersecurity strategy is penetration testing.
Penetration testing, also known as pen testing, is the process of simulating a real-world attack on a system or network to identify vulnerabilities and weaknesses that could be exploited by hackers.
Here are statistics related to penetration testing that highlight the importance of this critical security measure:
Table 1: Penetration Testing Market Statistics
| Statistic | Value |
|---|---|
| Global penetration testing market size in 2021 | USD 1.6 billion |
| Global penetration testing market size in 2026 | USD 3.0 billion |
| Compound Annual Growth Rate (CAGR) from 2021 to 2026 | 13.8% |
| Percentage of market contributed by top companies | >50% |
| Percentage of market revenue from vendors offering penetration testing solutions | 35-40% |
Table 2: Penetration Testing Software Statistics
| Statistic | Value |
|---|---|
| Percentage of tested companies with known software security flaws | 39% |
| Percentage of organizations that don’t believe their anti-threats can block detected threats | 69% |
| Percentage of companies that store billing addresses | 54% |
| Percentage of companies that regularly upgrade software solutions | 38% |
| Percentage of companies that monitor business credit reports | 31% |
| Top reasons for email delivery failure (bill/invoice, package delivery, legal/law enforcement, scanned document) | 15.9%, 11.5%, 13.2%, 15.3% |
| Top reasons for package delivery failure notice (bill/invoice, package delivery, email delivery failure) | 7%, 4%, 3% |
Table 3: Penetration Testing Latest Statistics
| Statistic | Value |
|---|---|
| Percentage of external pentests that successfully breached network perimeter | 92% |
| Percentage of successful penetration vectors caused by poor protection of web resources | 75% |
| Percentage of systems where weak Wi-Fi security enabled access to resources on the LAN | 63% |
| Percentage of companies with breached network perimeter during external pentesting (2018) | 92% |
| Percentage of clients with network traffic analysis performed | 78% |
| Percentage of tested systems that failed to protect NBNS and LLMNR protocols | 86% |
| Percentage of tested systems with out-of-date OS versions on internal infrastructure | 44% |
| Percentage of successful cyberattacks against financial institutions | 5.3% |
| Percentage of successful cyberattacks against medical institutions | 38.9% |
| Percentage of IT budget spent on cybersecurity by medical centers | <10% |
| Percentage of all successful cyberattacks against online services | 35.1% |
| Estimated total amount of losses incurred by US businesses due to cybercrime in 2015 | USD 525 million |
| Percentage of companies with successfully breached network perimeter and access to local network | 93% |
| Percentage of companies with potential easy penetration vector | 71% |
| Percentage of penetration vectors involving insufficient protection of web applications | 77% |
| Percentage of companies with at least one such vector | 86% |
| Percentage of companies with identifiers for web applications that use domain authentication bruteforced via Autodiscover service in Microsoft Exchange Client Access Server through timing attack | 25% |
| Percentage of companies where zero day vulnerabilities allowed penetration | 14% |
| Percentage of client typology comprised by startups | ~50% |
| Percentage of repeat clients who requested penetration testing in 2020 | 40% |
| Percentage of targets with at least one critical vulnerability | 29% |
| Percentage of targets with one or more important vulnerabilities | 44% |
| Percentage of targets with one or more medium vulnerabilities | 47% |
| Percentage of targets with medium, important or critical vulnerabilities | 62% |
| Percentage of flaws found that were critical vulnerabilities | 11% |
Key Penetration Testing Statistics 2023 – MY Choice
- The global penetration testing market size is expected to reach USD 4.5 billion by 2025. (Source: Grand View Research)
- The average cost of a data breach in 2020 was $3.86 million. (Source: IBM)
- 94% of organizations experienced a phishing attack in 2020. (Source: Verizon)
- The healthcare industry has the highest cost per breached record at $499 per record. (Source: IBM)
- 53% of companies do not conduct regular vulnerability assessments. (Source: Ponemon Institute)
- The average time to identify a breach in 2020 was 228 days. (Source: IBM)
- 84% of hackers use social engineering tactics to gain access to sensitive information. (Source: KnowBe4)
- 56% of IT decision-makers believe that their organization is vulnerable to a cyber attack. (Source: Security Magazine)
- 30% of organizations have never conducted a penetration test. (Source: Cybersecurity Insiders)
- The average time to contain a breach in 2020 was 83 days. (Source: IBM)
Penetration Testing Statistics
- According to a recent study, 71% of businesses consider cybersecurity as their top priority.
- 77% of companies use penetration testing to evaluate their security measures.
- The global penetration testing market size is expected to reach USD 4.5 billion by 2025.
- 57% of organizations have experienced a cybersecurity attack in the last year.
- 68% of businesses believe that a cyber attack is inevitable.
- The average cost of a data breach in the US is $8.19 million.
- 90% of cyber attacks start with a phishing email.
- 69% of organizations do not have a formal incident response plan.
- 43% of cyber attacks target small businesses.
- 60% of small businesses go out of business within six months of a cyber attack.
Why is vulnerability prioritization important in a vulnerability management program?
Vulnerability prioritization is crucial to close potential security holes and reduce the window of opportunity for adversaries, especially considering the rapid growth of the threat landscape with over 25,000 vulnerabilities disclosed in 2022 (The Stack).
How has prioritization maturity improved in organizations?
According to the SANS Vulnerability Management Survey, companies have shown improvement in prioritization maturity, with a shift from Level 3 (defining) to Level 4 (quantitatively managed) and Level 5 (optimizing). Levels 4 and 5 grew by 6.3% and 2.2% respectively in 2022 from the previous year.
Do organizations prioritize implementing Zero Trust and multifactor authentication (MFA)?
The 2022 Endpoint Management and Security Trends Report reveals that only 33% of organizations prioritize implementing Zero Trust and multifactor authentication (MFA).
How many organizations prioritize risks for their IT teams?
The TAC Security Survey indicates that 34% of businesses do not prioritize risks for their IT teams.
Do businesses rely on vulnerability management solutions for security risk review?
According to the TAC Security Survey, 88% of businesses review security risks on their own instead of using a vulnerability management solution.
How effective is the prioritization of critical vulnerabilities and patching?
The State of Vulnerability Management in DevSecOps (2022) states that 52% of respondents find prioritizing critical vulnerabilities highly effective, while 43% indicate that patching is highly effective.
Why do companies perform penetration tests?
According to the CoreSecurity 2022 Penetration Testing Report, 75% of companies perform penetration tests to measure their security posture or for compliance reasons, with 57% doing it to support a vulnerability management program.
What tools do penetration testers use during engagements?
The CoreSecurity 2022 Penetration Testing Report reveals that most penetration testers use a combination of security tools, with 78% using both free and commercial tools, and 11% relying solely on free and open-source tools.
What are the important features in paid pentesting software tools?
Based on the CoreSecurity 2022 Penetration Testing Report, 77% of companies consider reporting as a must-have feature in paid pentesting software tools. Additionally, 67% value extensive threat libraries, and 61% are interested in multi-vector testing capabilities.
How many unique weaknesses can vulnerability scans identify?
According to SecurityMetrics, vulnerability scans can identify over 50,000 unique external and/or internal weaknesses.
Which areas are prioritized for automated penetration testing?
The RidgeSecurity Survey reveals that servers, web applications, and databases are the top three areas of focus for automated penetration testing.
How many organizations have automated the majority of their security testing?
The 2021 SANS Survey shows that only 29% of organizations have automated 70% or more of their security testing.
Do organizations include security tests and reviews in coding workflows?
The 2021 SANS Survey indicates that 44% of organizations have included security tests and reviews as part of their coding workflows.
Penetration Testing Facts
11. Penetration testing is also known as ethical hacking.
It involves simulating a cyber attack to identify vulnerabilities in a network or application.
- Penetration testing can be manual or automated.
- Penetration testers use various tools and techniques to identify vulnerabilities.
- Penetration testing is not a one-time event; it should be done regularly.
- Penetration testing can help businesses comply with regulations and industry standards.
- Penetration testing can also help businesses avoid reputational damage.
How big is the interest in the penetration testing market?
The penetration testing market has a significant interest with over 31,000 followers using the penetration testing hashtag on LinkedIn to share and stay updated with the latest news and insights. Additionally, more than 34,000 people are interested in #pentesting and follow this hashtag.
Has interest in penetration testing been growing over time?
According to Google Trends, interest in “penetration testing” has been slowly and steadily growing over the past five years.
Was there a peak in interest during the Log4Shell (CVE-2022-44228) incident?
Yes, when Log4Shell hit the infosec community, there was a high peak in December 2021 with many people searching for “log4shell.”
What are the top related topics searched alongside penetration testing?
The top three related topics that internet users search for alongside penetration testing are web application, security, and server-computing.
What is the level of interest in penetration testing on YouTube?
According to vidIQ results, there is a medium interest in penetration testing on YouTube, with an average score of 59 for “penetration testing” and a score of 56 for “pentesting.”
Which pages and profiles have the most followers on LinkedIn?
The top 10 penetration testing pages on LinkedIn, based on follower count, are:
- The Hacker News: 416k+ followers
- Offensive Security: 411k+ followers
- Hack the Box: 377k+ followers
- TryHackMe: 282k+ followers
- EC-Council: 277k+ followers
- SANS Institute: 255k+ followers
- Black Hat Ethical Hacking: 218k+ followers
- HackerOne: 214k+ followers
- Pentester Academy: 213k+ followers
- Rapid7: 131k+ followers
Who are some infosec specialists worth following on LinkedIn?
Here are 10 infosec specialists on LinkedIn who share valuable insights and are worth following:
- Jayson E. Street
- Jack Rhysider
- Gabrielle Botbol
- Fredrik Alexandersson (aka STOK)
- Alyssa Miller
- Phillip Wylie
- HD Moore
- Jason Haddix
- Jay Jay Davey
- Natalia Antonova
Penetration Testing Benefits
18. Penetration testing helps businesses identify vulnerabilities before they can be exploited by attackers.
- Penetration testing can help businesses prioritize their security investments.
- Penetration testing can help businesses comply with regulations and industry standards.
- Penetration testing can help businesses avoid reputational damage.
- Penetration testing can help businesses avoid costly data breaches.
Table 1: Penetration Testing Compliance and Importance
| Metric | Percentage |
|---|---|
| Perform penetration tests for compliance | 75% |
| Importance of pentesting for compliance | |
| – Very important | 71% |
| – Not at all important | 4% |
| Organizations using third-party pentesters | 58% |
| Use of third-party pentesters by assessment type | |
| – Network testing | 81% |
| – Application testing | 68% |
| – Cloud security engagements | 48% |
| Struggle to maintain high-quality security standards | 66% |
Table 2: Red Teaming Assessment Statistics
| Metric | Percentage |
|---|---|
| Red teaming as a best practice | 47% |
| Red teaming after security incidents | 39% |
| Frequency of red teaming assessments | |
| – Once a month or less | 37% |
| Organizations performing red team testing | |
| – External firms | |
| — Once a month or more | 1% |
| — Once every 2-6 months | 25% |
| — Once every 7-11 months | 39% |
| — Once a year | 27% |
| Effectiveness of internal and external red teams | 54% |
| Increased security investment due to red and blue team exercises | 98% |
Table 3: Ethical Vulnerability Exploitation Insights
| Metric | Value |
|---|---|
| Security flaws found in 2021 | 28,695 |
| Exploitable vulnerabilities disclosed in 2021 | 4,108 |
| Impact of Log4Shell vulnerability | |
| – Vulnerability references | 1,850 |
| – Vendor/product combinations impacted | 6,200+ |
| Software vulnerabilities reported in 2022 | 65,000 |
| Software vulnerabilities reported in 2021 | 66,547 |
| Vulnerabilities not reported by companies | 32% |
Table 4: Web Application Security Testing
| Metric | Percentage |
|---|---|
| Exposure to cross-site scripting attacks | 28% |
| Targets including OWASP Top 10 vulnerabilities | 76% |
| Application and server misconfigurations | 21% |
| Broken access control vulnerabilities | 19% |
| External attacks involving web application exploits | |
| – Web application exploits | 32% |
| – Software vulnerability exploits | 35% |
| – Supply-chain attacks | 33% |
| Cyberattacks aimed at exploiting web applications | 39% |
| Prioritizing building security into development processes | 21% |
Penetration Testing Trends
23. Artificial intelligence and machine learning are increasingly being used in penetration testing.
- Cloud-based penetration testing is becoming more popular.
- Penetration testing is being integrated into the software development lifecycle.
- Bug bounty programs are becoming more popular.
- More businesses are outsourcing their penetration testing needs.
- The use of automation in penetration testing is increasing.
Can you provide some experienced infosec specialists worth following for expanding pentesting knowledge?
Absolutely! Here are 10 experienced infosec specialists worth following for their expertise and insights in the field:
- Heath Adams (Cyber Mentor)
- Chris Kubecka
- J Wolfgang Goerlich
- Kim Crawley
- Chris Truncer
- Chris Campbell
- Simon J. Bell
- Conda
- AccidentalCISO
- Gabrielle Hempel
What are some key statistics about the penetration testing market?
Here are some key statistics about the penetration testing market:
- The global penetration testing market is expected to grow from $1.6 billion in 2021 to $3.0 billion by 2026, at a CAGR of 13.8% from 2021 to 2026.
- The US pentesting market was estimated at US$325.8 million in 2020, and China is projected to reach a market size of $705.9 million by 2027.
- The mobile application penetration segment is expected to drive a 20.7% CAGR, with the USA, Canada, Japan, China, and Europe playing a significant role in the growth.
Are there any specific factors driving the growth of the penetration testing market?
Yes, the growth of the penetration testing market is driven by several factors, including:
- Increasing demand for the protection of software-based products, such as mobile and web apps.
- Growing use of cloud-based security solutions.
- The rise of wireless networks and the increasing number of connected devices, creating demand for penetration testing across various industries.
- Penetration testing opportunities in the public sector, which are expected to boost future growth.
What are the current job opportunities and salaries in the penetration testing field?
Hers are some job statistics in the penetration testing field:
- The number of unfilled cybersecurity jobs grew by 350% from 2013 to 2021, with 3.5 million openings predicted in 2025.
- Employment in computer and information technology occupations is projected to grow 13% from 2020 to 2030, with about 667,600 new jobs.
- By 2025, nearly half of cybersecurity leaders are expected to change jobs, with 25% exploring different career paths due to work-related stressors.
Penetration Testing Adoption
29. Large enterprises are more likely to adopt penetration testing than small and medium-sized businesses.
- The financial services sector is the largest user of penetration testing.
- The healthcare sector is increasing its adoption of penetration testing.
- The government sector is increasing its adoption of penetration testing.
- The global penetration testing market is expected to reach $4.5 billion by 2025.
- Penetration testing is now a requirement for compliance with many industry regulations, including PCI DSS, HIPAA, and ISO 27001.
- According to a report by Cybersecurity Ventures, the global cost of cybercrime is projected to reach $10.5 trillion by 2025.
- Penetration testing is a proactive approach to identifying and addressing security vulnerabilities, rather than a reactive approach after a breach has occurred.
- Penetration testing can help identify and address vulnerabilities before they are exploited by hackers.
- Penetration testing can provide valuable insights into the effectiveness of an organization’s security controls and policies.
- Penetration testing can help organizations meet compliance requirements and avoid costly fines.
- Penetration testing can help organizations protect their reputation and avoid damage to their brand.
What is the average salary for a penetration & vulnerability tester?
The average salary for a penetration & vulnerability tester posted online in 2022 was $101,446.
What level of education is typically required for a pentester role?
Approximately 66% of US online job listings for a pentester and vulnerability tester require a bachelor’s degree, while only 24% ask for a graduate degree.
How many job openings were available for Penetration and Vulnerability Testers in the USA?
There were 22,075 online job openings for Penetration and Vulnerability Testers in the USA in 2021, and the number increased to 27,409 in 2022.
What are the top skills required by US employers for a pentester role?
The top 5 most common skills required by US employers for a pentester role are: Information security, Penetration testing, Linux, Python, and Java.
What are the average salaries for penetration testers in the US and European countries?
In the US, the average salary for a penetration tester is around $90,273 per year. In different European countries, the average salary per year ranges from €30,968 in Italy to €58,151 in Germany (Payscale).
How often do organizations perform penetration tests?
According to the CoreSecurity 2021 Penetration Testing Report, 39% of organizations performed a pentest once to twice a year in 2021. In 2022, 42% of organizations performed pentests.
How many organizations enlist the services of a third-party penetration testing team?
In 2021, 53% of businesses exclusively enlisted the services of a third-party penetration testing team. In 2022, 55% of businesses continued to do so (CoreSecurity Penetration Testing Report).
What are the main reasons organizations perform penetration tests?
According to the CoreSecurity 2021 Penetration Testing Report, 74% of organizations perform penetration tests for vulnerability management program support, 73% for measuring security posture, and 70% for compliance.
What were the common attack vectors identified in external pentesting of corporate information systems?
According to a 2022 report by Positive Technologies, vulnerabilities and flaws in web application configurations were the common attack vectors identified in external pentesting of corporate information systems.
Penetration Testing Frequency
- According to a survey by Cynet, 40% of organizations conduct penetration testing once a year or less.
- The National Institute of Standards and Technology recommends that organizations conduct penetration testing at least once a year, or whenever significant changes are made to the network or systems.
- The frequency of penetration testing should be based on the organization’s risk profile and the level of security required.
Penetration Testing Methodologies
- There are two main methodologies for penetration testing: white box and black box.
- In a white box test, the tester has complete knowledge of the system being tested, including system architecture, network layout, and source code.
- In a black box test, the tester has no prior knowledge of the system being tested and must conduct reconnaissance to gather information.
- Gray box testing is a hybrid approach that gives the tester some knowledge of the system being tested.
Penetration Testing Tools
- There are a variety of tools available for conducting penetration testing, including open source tools and commercial tools.
- Some popular open source tools for penetration testing include Metasploit, Nmap, and Wireshark.
- Some popular commercial tools for penetration testing include Rapid7, Qualys, and Nessus.
Table 1: Pentest Results
| Metric | Percentage |
|---|---|
| Pentesters gained full control of infrastructure | 100% |
| Simple way to obtain control of infrastructure | 57% |
| Password policy flaws detected | 85% |
| High-risk vulnerabilities due to outdated software | 60% |
| Password spraying used | 49% |
| Password guessing used | 33% |
| Password cracking used | 16% |
| Credential brute force used | – |
| Legitimate actions used | – |
| Successful internal attacks performed by pentesters | – |
Table 2: Growth of Penetration Testing Software Market
| Year | Market Size (in million USD) |
|---|---|
| 2021 | 1,411.9 |
| 2022 | – |
| 2023 | – |
| 2024 | – |
| 2025 | – |
| 2026 | – |
| 2027 | – |
| 2028 | 4,045.2 |
Table 3: Top 10 Penetration Testing Software Solutions
| Rank | Software Solution |
|---|---|
| 1 | Cobalt.io |
| 2 | Intruder |
| 3 | Metasploit by Rapid7 |
| 4 | Pentest-Tools.com |
| 5 | HackerOne |
| 6 | Beagle Security |
| 7 | Verizon Penetration Testing |
| 8 | SQLmap |
| 9 | Detectify |
| 10 | Acunetix by Invicti |
Table 4: Top 7 Penetration Testing Software Contenders
| Rank | Software Solution |
|---|---|
| 1 | Metasploit by Rapid7 |
| 2 | Acunetix by Invicti |
| 3 | Indusface WAS |
| 4 | Core Security |
| 5 | Veracode Application Security Platform |
| 6 | Bugcrowd |
| 7 | SQLMap |
Table 5: Top 10 Application Security Testing Products
| Rank | Software Solution |
|---|---|
| 1 | Veracode |
| 2 | Checkmarx SAST |
| 3 | InsightAppSec by Rapid7 |
| 4 | Burp Suite Professional |
| 5 | Web Application Scanning (WAS) by Qualys |
| 6 | Acunetix by Invicti |
| 7 | WhiteHat DAST by Synopsys |
| 8 | AppScan by HCL Technologies |
| 9 | Invicti (formerly Netsparker) |
| 10 | Micro Focus Fortify Static Code Analyzer |
Table 6: Top 9 Vulnerability Management Products
| Rank | Software Solution |
|---|---|
| 1 | Beagle Security |
| 2 | PDQ Deploy |
| 3 | Hackrate Bug Bounty Platform |
| 4 | DriveStrike |
| 5 | Cyber Chief |
| 6 | Runecast Analyzer |
| 7 | TOPIA |
| 8 | Centraleyezer |
| 9 | Automox |
Penetration Testing Challenges
- Penetration testing can be time-consuming and expensive.
- Penetration testing requires specialized knowledge and expertise, which can be difficult to find and retain.
- Penetration testing can sometimes result in false positives, which can be a waste of time and resources.
- Penetration testing can sometimes result in false negatives, which can leave vulnerabilities undiscovered.
- The use of artificial intelligence and machine learning is expected to play a larger role in penetration testing in the future.
- The rise of cloud computing has led to an increased need for penetration testing of cloud environments.
- The Internet of Things (IoT) is also creating new challenges for penetration testing, as connected devices can be difficult to secure.
- Penetration Testing Regulations Data
| Data | Source |
|---|---|
| 75% of infosec professionals perform penetration tests for compliance, a 5% increase from 2021. | CoreSecurity 2022 Penetration Testing Report |
| 71% of respondents consider pentesting important for compliance initiatives. Only 4% say it’s not important. | CoreSecurity 2022 Penetration Testing Report |
| 58% of infosec professionals use third-party pentesters to meet compliance requirements. | CoreSecurity 2020 Penetration Testing Report |
| 81% use third-party pentesters for network testing, 68% for application testing, and 48% for cloud security engagements. | CoreSecurity 2022 Penetration Testing Report |
| 66% of respondents struggle to maintain high-quality security standards, especially around compliance. | Cobalt The State of Pentesting 2022 |
- Red Teaming Assessment Statistics
| Data | Source |
|---|---|
| 47% of organizations believe red teaming is a best practice for risk assessment. | 2022 ESG Research Report Security Hygiene and Posture Management |
| 39% of organizations perform red teaming after experiencing security incidents. | 2022 ESG Research Report Security Hygiene and Posture Management |
| 37% of organizations conduct red teaming assessments once a month or less. | 2022 ESG Research Report Security Hygiene and Posture Management |
| 92% of companies see significant value in red team testing, compared to 72% in the previous year. | 2020 Red and Blue Team Survey |
| 1% of companies perform red team tests once a month or more, 25% every 2-6 months, 39% every 7-11 months, and 27% once a year. | 2020 Red and Blue Team Survey |
| 54% believe internal and external red teams are effective in testing blue units. | 2020 Red and Blue Team Survey |
| 98% of companies increased their security investment as a result of red and blue team exercises. | 2020 Red and Blue Team Survey |
| Businesses conducting red team testing exercises reduced breach costs by an average of $204k. | The 2022 Cost of a Data Breach report by IBM |
- Ethical Vulnerability Exploitation Insights
| Data | Source |
|---|---|
| 28,695 security flaws were found in 2021, a significant increase from 2020. | RiskBased Security Report 2021 |
| 4,108 vulnerabilities disclosed in 2021 were exploitable remotely. | RiskBased Security Report 2021 |
| Log4Shell had over 1,850 vulnerability references and impacted 6,200+ vendor/product combinations. | RiskBased Security Report 2021 |
| Ethical hackers reported over 65,000 software vulnerabilities in 2022 and slightly higher in 2021. | HackerOne’s 2022 Security report |
| 25% of hackers found vulnerabilities but chose not to report them through a Vulnerability Disclosure Program (VDP). | HackerOne’s 2022 Security report |
| 32% of reported vulnerabilities remain undetected by companies and open to exploitation. | Ethical Hacker Insights Report 2021 |
- Web Application Security Testing
| Data | Source |
|---|---|
| 28% of web applications tested had exposure to cross-site scripting attacks. | The 2021 Software Vulnerability Snapshot report |
| 76% of targets included vulnerabilities from the OWASP Top 10. | The 2021 Software Vulnerability Snapshot report |
| 21% of web applications tested had misconfigurations in application and server settings. | The 2021 Software Vulnerability Snapshot report |
| 19% of web applications tested had broken access control vulnerabilities. | The 2021 Software Vulnerability Snapshot report |
| 39% of cyberattacks aimed at exploiting web applications were successful. | The 2021 Software Vulnerability Snapshot report |
| 32% of external attacks involved web application exploits, 35% involved software vulnerability exploits, and 33% were supply-chain attacks. | The 2021 Software Vulnerability Snapshot report |
- Bug Bounty Programs Statistics
| Data | Source |
|---|---|
| Ethical hackers reported 66,547 valid bugs in 2021, a 21% increase from the previous year. | HackerOne’s 2021 Hacker-Powered Security report |
| 80% of customers running private bug bounty programs yielded higher results than mature public programs. | HackerOne’s 2021 Hacker-Powered Security report |
| Vulnerability Disclosure Programs (VDPs) saw 47% vulnerability growth, and hacker-powered pentests rose 264% compared to traditional bug bounties. | HackerOne’s 2021 Hacker-Powered Security report |
| Cross-site scripting, information disclosure, and improper access control were the top 3 vulnerabilities reported and rewarded in 2021. | HackerOne’s 2021 Hacker-Powered Security report |
| The average payout for a critical bug increased by 315%, from $6,443 in 2021 to $26,728 in 2022. | HackerOne’s 2022 Security report |
| 50% of ethical hackers chose not to disclose a vulnerability due to unresponsiveness or difficulties working with the company. | HackerOne’s 2022 Security report |
- Network Security Assessment Statistics
| Data | Source |
|---|---|
| Global cyberattacks on corporate networks increased by 38% per week in 2022 compared to 2021. | Check Point Cybersecurity Report 2022 |
| In 2021, network intrusion was the leading cause of cyberattacks experienced by US companies (56%). | Statista |
| Lateral movement appeared in 25% of all attacks in 2021. | VMWare Global Incident Response Threat Report 2022 |
| Organizations believe networks are the second most vulnerable breach point (21%), after applications (35%). | VMWare Global Security Insights Report 2021 |
| 16.8% of network/host vulnerabilities across surveyed companies were high or critical risk. | Edgescan 2022 Vulnerability Statistic Report |
| The average time to fix host/network vulnerabilities was 63.1 days. | Edgescan 2021 Vulnerability Statistics Report |
| CVEs with a network attack vector accounted for 69% of all vulnerabilities in 2020. | Redscan report |
| In 93% of local companies’ networks, cybercriminals could breach and gain a foothold. | Positive Technologies Research Report 2021 |
| The oldest vulnerability discovered in 2020 was 21 years old (CVE-1999-0517), impacting SNMPv2. | Edgescan 2021 Vulnerability Statistics report |
In 2022, there was a record-breaking growth year for CVE data with over 25,000 vulnerabilities published. On average, there were 68.75 CVEs published per day.
In 2022, there were 404 high-risk vulnerabilities with CVSSv3 10.00 and RCE access published, compared to 363 in 2021.
In 2022, there were 860 vulnerabilities with CVSSv3 scores of 9.0 – 10.0 in the tech ecosystem, compared to 1165 in 2021.
In 2022, over 13,000 vulnerabilities were published, with 3238 flagged with CVSSv2 scores ranging from 7.0 to 10.0. This is a 40% decrease compared to the approximately 21,000 vulnerabilities recorded in 2021.
The top 5 most frequent vulnerability categories discovered by the pentesting community are Server Security Misconfigurations (38%), Cross-Site Scripting (13%), Broken Access Control (11%), Sensitive Data Exposure (10%), and Authentication and Sessions (8%).
At least 66 zero-day vulnerabilities appeared in 2021, driven by the fast proliferation of hacking tools on a global scale.
A report indicates that there were 20,174 security vulnerabilities (CVEs) published in 2021, compared to 17,049 in 2020. The three most common ones were XSS, memory corruption, and SQL.
In 2022, 62% of security teams reported experiencing zero-day exploits, up from 51% in 2021. These exploits were often linked to geopolitical issues.
On average, security teams needed 14 days to fix vulnerabilities.
According to Statista, over 1 million companies worldwide use the Microsoft Office 365 suite, making it an attractive attack vector.
According to the AppSec Stats Flash report, the remediation rate for critical vulnerabilities saw a decline from 54% in 2020 to 47% in 2021.
According to the Mordor Intelligence Report, the VA market is projected to grow at a 10% CAGR (Compound Annual Growth Rate) over the next 5 years.
No, the Ponemon Report indicates that one in five organizations do not test their software for security vulnerabilities, potentially leaving their systems at risk.
According to the 2022 Vulnerability Assessment Analytical Note, 70% of organizations have a vulnerability assessment tool deployed internally or provided as a third-party service.
The same 2022 Vulnerability Assessment Analytical Note reveals that 70% of respondents acquired a vulnerability assessment tool for proactive security measures.
English 
Arabic 