According to Gartner, penetration testing or pentesting is a cybersecurity strategy that "provides visibility into aggregations of misconfigurations or vulnerabilities that could lead to an attack that could cause serious business impact."
Jason Mar-Tang, AVP and Field CISO at Pentera, considers it "a proactive cybersecurity exercise where white hat hackers emulate cyberattacks against an organisation to identify exploitable security gaps within the IT environment." To put it simply, he says that "pentesting utilises the attacker's mindset and capabilities to improve the organisation's defensive capabilities."
Mar-Tang adds that the strategy is a crucial cybersecurity measure because it enables security teams to validate their existing security controls from the attacker's perspective. "Pentests challenge the existing security controls within the organisation against the tactics, techniques, and procedures (TTPs) that threat actors are using in the wild. This validation enables security teams to understand where their security can be exploited and proactively patch any gaps before threat actors ever get a chance," he says.
A survey report from Pentera, entitled "State of Pentesting 2024," reports that enterprises globally are spending around 12.9% of their total IT security budget on manual pentest assessments, at an average of $164,400. Gartner expects pentesting to gain traction, with estimated growth reaching $4.5 billion in 2025.
Overcoming pentesting challenges
According to the State of Pentesting 2024 report, the top barriers to pentesting are the availability of pentesters (42%) and the fear of risk to business continuity (39%).
"Security teams are tasked with ensuring that IT risk is minimised and that business operations remain uninterrupted. Security leaders are understandably cautious around pentesting because many have experienced network downtime due to pentesting accidents in the past. CISOs want to work with the most experienced pentesters who provide the highest level of validation to their security while posing the least risk to operations," said Mar-Tang.
He advises organisations to research and find highly skilled pentesters for the specific kind of environment that the organisation requires, whether on-premises or in cloud environments.
Mar-Tang highlighted the importance of pentests that use real-time threat intelligence and updated attack techniques and methodologies during tests. He said this enables organisations to close any exploitable security gaps before malicious players do.
"The more up-to-date your testing methodologies, the greater your security resiliency against attackers will be," the Pentera executive added.
Frequency gap
The State of Pentesting 2024 report also finds that 42% of organisations conduct pentesting biannually, mainly for cybersecurity control validation (33%), assessing the potential damage of a cyberattack (31%), and prioritising security investment (29%).
Alarmingly, 51% of organisations were compromised by cyberattacks in the past 24 months. Further, 73% of enterprises report changes to their IT environments at least quarterly, but only 40% report pentesting at the same frequency, highlighting the gap between the rate at which the IT infrastructure changes and the rate at which its security is validated.
"You are leaving long periods where you have not validated your security controls. There is a high likelihood that your configurations have opened an entirely new threat vector for attackers to exploit. Without testing, these attack vectors could remain open for months, leaving threat actors plenty of time and opportunities to compromise your organisation," Mar-Tang warned.
Automation
Mar-Tang advises CIOs and security and development team heads to automate the process.
"Currently, third-party manual pentesting is still the most common method of security validation, but it isn't enough. These manual tests are often limited in scope, covering only a small subset of your organisation's IT assets, and most organisations only pentest once or twice a year at most. Why not get the benefits and insights from pentesting continuously?" he said.
"With automated security validation, organisations can test the effectiveness of their security controls at scale against the latest attack techniques used by threat actors today. This allows them to maintain a consistent view of their risk posture from threat actors and continuously remediate proven exploitabilities within their environment," Mar-Tang concluded.