[Pentera]: 2025 State of Pentesting Survey Report (US Edition) - 发现报告

2025 State of Pentesting Survey Report (US Edition)

Category: Pharmaceuticals & Biotech | 2025-06-30 | Pentera

Table of contents

- Introduction
- Methodology
- Key findings
- Survey report findings
  - Increasing complexity of cyber infrastructure
  - Large stacks are growing larger
  - Cybersecurity insurance providers are driving tool adoption
  - Larger security stacks, fewer breaches yet no guarantees
  - No surface is safe: Threats are spread across the entire attack surface
  - More tools, more alerts: Prioritization is more critical than ever
  - Confidence in government cyber support is low
  - Change outpacing the rate of security validation
  - The rise of software-based pentesting
  - Pentesting: From compliance obligation to strategic value
  - Pentester availability and budget consciousness rise to the top
  - The shift toward automated adversarial testing
  - Pentest findings are being operationalized
  - Alignment of risk perception, breaches, and testing focus
  - What are enterprises spending on their security?
  - Security budgets are growing in 2025
- A detailed look at the numbers behind this report

Introduction

Welcome to the 2025 State of Pentesting Report. Now in its fourth year, this survey brings together insights from 500 CISOs around the world to provide a clear view of how organizations are testing, validating, and evolving their security programs in a rapidly shifting threat landscape.

So where do we stand in 2025? What does enterprise cybersecurity look like? Are risk and vulnerability management budgets going up or down? What's driving security validation programs today? What is cyber insurance demanding of the technology stack?

Over the past decade, the role of pentesting has changed dramatically. What was once a periodic compliance exercise is now a strategic practice, embedded in day-to-day operations and increasingly shaped by the adversarial perspective. Organizations are moving beyond reactive defenses, increasingly turning to proactive testing to identify their most critical exposures.

This evolution has been driven by a range of factors: the introduction of structured frameworks like Continuous Threat Exposure Management (CTEM), the need to meet expanding regulatory requirements, and the constant pressure to keep pace with adversaries who never stop refining their tactics.

This report answers those questions and more, providing a data-backed view into the current state of security validation - and how enterprises are adapting their strategies for what's next.

Wishing you a meaningful read.

– The Pentera Market Research Team

For any feedback or inquiries, please contact noam.hirsch@pentera.io

Methodology

- Pentera commissioned a global survey of 500 CISOs and senior security executives, 200 of whom are from the United States.
- Respondents represent organizations with 3,000 employees or more across a range of industries.
- All respondents held C-level or VP roles in IT and cybersecurity functions.
- The survey was conducted by Global Surveyz, an independent research firm, in January 2025. Participants were recruited through a global B2B research panel and invited via email to complete the survey.
- The average time to complete the survey was 9 minutes and 3 seconds.
- To minimize order bias, the answer choices for most non-numerical questions were randomized.

Key findings

67% of US Enterprises Experienced a Breach in the Past 24 Months
Enterprise CISOs manage an average of 75 security tools across their IT environments, with 45% reporting stack growth over the past year. Despite these investments, 67% experienced a breach in the past 24 months, underscoring the persistent challenges of securing complex environments.

Pentesting Represents Around 11% of the Total IT Security Budget ($187K average annual pentesting budget)
US enterprises spend an average of $187,000 annually on pentesting, which is about 10.5% of their total IT security budgets. IT security budgets are on the rise: over 50% of CISOs report that they will be raising their pentesting budgets in 2025, and 48% will be raising their overall IT security budgets.

Large Security Stacks: Increased Vulnerability Data Volume
While a broader security stack increases visibility of potential issues, it also increases operational complexity, making it harder to prioritize and respond to the most critical threats. Organizations with 11–50 security tools generate an average of 883 alerts per week. Enterprises with 76–100 tools face over 2,048 alerts weekly, while those with more than 101 tools see an average of 3,074 alerts.

Confidence in Government Support is Not High
22% of CISOs say they cannot rely on the government for cybersecurity support at all. Another 64% of US enterprises acknowledge government actions, but believe these efforts are insufficient. Only 14% believe the government is truly doing its part to help protect the private sector.

Software-Based Pentesting is Gaining Traction
55% of enterprises now use software-based tools to support in-house testing programs, and 50% of CISOs cite software-based testing as a primary method for uncovering exploitable security gaps within their IT environments. This reflects a growing trust in the s