Pen Testing
Cybersecurity statistics about pen testing
77% of internal Security Operations Center (SOC) teams reported a skills shortage in penetration testing as of 2025, indicating a significant gap in essential cybersecurity capabilities.
21% of organizations rely on regular penetration testing to assess the effectiveness of their API security measures.
Cloud misconfigurations and excessive permissions vulnerabilities were found in 42% of cloud environments that were pen tested.
Nearly nine in 10 security leaders (88%) view penetration testing as an essential component of their overall security programme.
More than half (58%) of respondents require third-party penetration test reports to validate software security.
33% of respondents are still not conducting regular security assessments, including penetration testing, for their Large Language Model (LLM) deployments.
32% of LLM pentest findings are serious.
Overall, 69% of serious findings across all pentest categories are resolved.
The resolution rate for high-severity vulnerabilities found in LLM pentests falls to just 21%.
Pentesting accounts for 11% of the total IT security budgets of U.S. enterprises.
U.S. enterprises allocate an average of $187,000 annually to pentesting.
50% of CISOs identify software-based testing as a primary method for uncovering exploitable security gaps within their organizations.
The average total IT security budget for U.S. enterprises is $1.77 million.
67% say infrequent pen testing has left concerning gaps in security assessments.
Almost two-thirds (approximately 66%) of security leaders say that missing exposures due to manual pen testing is an issue.
94% of security leaders agree that pentesting is foundational to security.
Financial companies have a lower rate of serious findings (11%) in pentests.
Large organisations resolve only 60% of serious pentest findings.
Larger organisations take over a month longer (61 days) than smaller ones (27 days) to resolve serious findings in pentests.
LLM pentests yield the highest proportion of serious vulnerabilities (32%) of any asset type tested.