Pentesting No Longer Driven by Regulatory Compliance, New Study Finds

While the initial need for penetration testing (pentest) arose from regulatory compliance, it is no longer the prime mover, said Pentera, an automated security validation specialist in a new report.

The Boston, Massachusetts and Tel Aviv-based company’s annual State of Pentesting 2023, in which it surveyed 300 chief information officers (CIO) and chief information security officers (CISOs) across Europe and the U.S., found that the primary motivations for pentesting are security validation, assessing potential impact and cyber insurance.

Why Organizations Pentest

Only 22% of the study’s participants pointed to compliance as the main reason to pentest. Regulatory or executive mandates are still impactful but not the primary rationale driving pentesting, Pentera said.  Despite deploying multiple security solutions, nearly nine in 10 organizations (85%) in the last two years bumped up their pentesting security budgets following a breach incident, said Pentera. But it’s not just additional budget that should be driving more pentesting, the company said, but rather a strategy and vehicle for continuous validation.

“We’re seeing more organizations increase the cadence of pentesting, but what we really need to achieve is continuous validation across the entire organization,” said Aviv Cohen, Pentera’s chief marketing officer. “Annual pentesting assessments leave security teams in the dark most of the year regarding their security posture. Security teams need up-to-date information about their exposure using automated solutions for their security validation.”

How Organizations are Doing Cybersecurity

Here are some additional findings from the study: