53% of IT leaders believe that regular testing and validation of cyber incident recovery plans is a key benefit a cyber incident recovery solution provides to contribute to better cyber resilience.

70% of organizations test their cyber incident recovery plans annually.

53% of respondents supplement their efforts with internal testing

Nearly nine in 10 security leaders (88%) view penetration testing as an essential component of their overall security programme.

More than half (58%) of respondents require third-party penetration test reports to validate software security.

9 in 10 UK organisations tested elements of their recovery capabilities in the last 12 months, which is a significant increase from previous years.

23% of financial services organizations have not conducted digital operational resilience testing (a DORA requirement).

63% of organizations are engaged in mobile application security testing.

Respondents stated that automated security validation enabled them to test over 200x more threats than manual testing.

94% of security leaders agree that pentesting is foundational to security.

Financial companies have a lower rate of serious findings (11%) in pentests.

Large organisations resolve only 60% of serious pentest findings.

Larger organisations take over a month longer (61 days) than smaller ones (27 days) to resolve serious findings in pentests.

The rate for serious findings in pentests being resolved in each calendar year remains stuck at just 55%.

15% of organisations resolve 10% or less of their serious findings in pentests.

Only 66% of organisations are conducting regular security assessments like pentesting on their AI products.

The proportion of serious findings in pentests has also declined by about half (from 20% to 11%) over 10 years.

Small companies lead with 81% of serious findings in pentests resolved.

57% of organisations resolve at least 90% of their serious findings in pentests.

Canadian organisations conducting annual security testing indicated an average of 23 incidents and 33 breaches in their cloud environments compared to 25 incidents and 29 breaches respectively for those without regular testing .