
In its newly released 2025 Pentest Report, Pentera surveyed 500 CISOs at global enterprises to understand the strategies, tactics and tools they use to address thousands of security alerts, persistent breaches, and growing cyber risk. The findings paint a complex picture of progress, challenges, and shifting thinking about how businesses approach security testing.
More tools, more data, more protection… No guarantee
Over the past year, 45% of businesses have expanded their security technology stack, and organizations now manage an average of 75 different security solutions.
However, despite these layers of security tools, 67% of US companies have experienced a breach in the past 24 months. The growing number of deployed tools also affects the organization’s day-to-day operations and overall security posture.
It may sound obvious, but the findings tell a clear story: more security tools do improve your security posture. There is no silver bullet, however. Among organizations with fewer than 50 security tools, 93% reported a breach. As stack size grows, that percentage drops steadily, falling to 61% among organizations using more than 100 tools.
Alert fatigue is real
The flip side of a large security stack is that CISOs and their teams must contend with a larger influx of information. Enterprises managing more than 75 security solutions face an average of 2,000 alerts per week, twice the volume seen by organizations with smaller stacks, and those with more than 100 tools receive over 3,000 (three times the alerts).
This places a premium on effective prioritization; otherwise, critical threats can be buried in a sea of alerts. In this environment of high alert volumes and short triage windows, organizations benefit most when they can test frequently for exploitable gaps, so they know which issues really matter before threat actors find them first.
Embracing software-based pentesting
Trust in software-based security testing is growing rapidly. Just five or ten years ago, many companies would not allow automated tools to run pentests in their environments for fear of causing an outage, but attitudes are changing.
As CISOs increasingly recognize the benefits of software for scaling adversarial testing and keeping pace with ever-changing IT environments, software-based pentesting is becoming the norm. More than half of companies now use these tools to support in-house testing, driven by the need for reliable and scalable continuous validation strategies, and 50% of CISOs cite software-based pentesting solutions as their main way of uncovering exploitable gaps.
Insurance providers become unexpected influencers
Beyond internal management and boards, an unexpected new force is shaping security strategies: cyber insurance providers. 59% of CISOs admitted that they had implemented at least one cybersecurity solution they had not previously considered because of their cyber insurer. This is a clear sign that insurers are not just pricing risk but proactively prescribing ways to reduce it, reshaping companies’ security priorities in the process.
Low confidence in government support
Government agencies such as CISA (USA) and ENISA (EU) play a key role in threat visibility and coordination, but trust in government cybersecurity support is surprisingly low.
Only 14% of CISOs believe the government adequately supports the private sector’s cyber agenda, while 64% acknowledge government efforts but consider them insufficient, and 22% believe they cannot rely on the government at all for cybersecurity help.
To benchmark your organization’s pentest practices, budgets and priorities against other global companies, register for the webinar on May 27, 2025, where senior security analysts discuss the key findings, or get the full 2025 Pentest Report and see all the insights.
Note: This article was written and contributed by Jay Martane, Field CISO at Pentera.