• eSecurity Planet has identified 11 key factors that affect pentration testing costs: Scope & Scale; Penetration Test Type; Tester Experience; Compliance Requirements; System Type; Remediation and Retesting; Future Opportunities; Special Requirements; Contract Type; Vendor Type; and Costs Beyond The Contract.
• As a general estimation, the typical time span for a deep-dive penetration test is anywhere from 3 to 5 weeks, sometimes lasting up to a couple of months, according to Kevin Mitnick’s namesake firm Mitnick Consulting. Mitnick, widely known as the world’s most famous hacker, passed away on Jul. 16, 2023. He would have turned 60 on Aug. 6 during this year’s Black Hat USA 2023 conference in Las Vegas.
• The 3 main types of penetration testing are: Black box testing for an attacker’s view to cover a broader scope; Grey box testing for an insider view with minimal access; and White box testing for a much deeper inside view. The main difference between each type is in the amount of information being given to the tester by the organization being tested.
• The U.S. Bureau of Labor Statistics (BLS) projects 35 percent job growth for information security analysts, including penetration testers, between 2021 and 2031. This is much faster than the average for all occupations in the U.S.
• There are over 22,000 job openings for penetration testers in the U.S., with knowledge of computer science being the most requested skill.
• Payscale estimates that entry-level penetration testers can expect a salary of approximately $72,823 per year when they enter the field. With 5 to 9 years of experience, the average compensation rises to $110,251, and highly-experienced penetration testers can expect a salary of approximately $124,607 annually.
• According to Cyber Seek, 11 percent of penetration testers have an associate degree, 65 percent earned their bachelor’s degree, and 24 percent graduated with a master’s degree.
• 13 percent of ethical hackers (aka penetration testers) are female and 87 percent are male, according to CareerExplorer, which bills itself as the world’s leading career advancement platform. The largest ethnic group of ethical hackers are White, making up 42 percent of the population, according to CareerExplorer. The next highest segments are South Asian and Other, making up 17 percent and 11 percent respectively.
• The 7 best penetration testing certifications in 2023, according to Network Assured, are: Certified Ethical Hacker (CEH) certification; GIAC Exploit Researcher and Advanced Penetration Tester (GXPN); GIAC Penetration Tester (GPEN) certification; Licensed Penetration Tester Master (LPT) Certification; CompTIA Pentest+ certification; Offensive Security Certified Professional (OSCP); and GIAC Web Application Penetration Tester (GWAPT) certification.
• The popular Certified Ethical Hacker (CEH) certification from EC-Council, which is held by many penetration testers, costs between $1,699 and $2,049. If a candidate fails to pass the CEH test, they can request a $499 CEH Retake Exam Voucher. CEH exam pass rates vary based on how much training and experience the candidate has, but Infosec’s Ethical Hacking boot camp for instance has a 93 percent exam pass rate.

• The 5 emerging skills gaining momentum, with 5-year projected growth, in demand for penetration testers are: Container Security 156 percent; Comprehensive Software Security 114 percent; Threat Hunting 105 percent; SaaS Application Security 76 percent; and Anomaly Detection 58 percent.
• According to the Open Worldwide Application Security Project (OWASP) Top 10, to penetration testers analyzing web-based applications and platforms, these are the ten most critical categories of vulnerabilities: broken access control, cryptographic failures, injection security flaws, insecure design, security misconfiguration, vulnerable and outdated components, identification and authentication failures, software and data integrity failures, security logging & monitoring issues, and server-side request forgery (SSRF).
• Breachlock’s 2022 Annual Penetration Testing Intelligence report reveals that injection and sensitive data exposure account for over 35 percent of critical penetration test findings. Based on data collected from over 8,000 tests performed in 2021,15 percent of critical risk findings were related to privilege escalation issues. Over 50 percent of high-risk findings were caused by cross-site scripting security flaws.
• There are 33.2 million small businesses in America, accounting for 99.9 percent of all U.S. businesses. Research from BreachLock suggests that over 87 percent of all critical and high penetration test findings are found in organizations with under 200 employees. Furthermore, the majority of SMBs only conduct penetration testing exercises for compliance and contractual reasons.
• A recent report from cybersecurity certification platform CER found that only six of 45 cryptocurrency wallet brands, or around 13  percent, have undergone penetration testing to find security vulnerabilities. Of these, only half have performed tests on the latest versions of their products.
• Around 40 percent of ethical hackers recently surveyed by the SANS Institute said they can break into most environments they test, if not all. Nearly 60 percent said they need 5 hours or less to break into a corporate environment once they identify a weakness.
• The world’s best cybersecurity students came together at Rochester Institute of Technology to face off in the Collegiate Penetration Testing Competition (CPTC) global finals in early 2023. The event wrapped up the largest offense-based cybersecurity competition for college students, which is hosted annually by RIT. A team of California State Polytechnic University, Pomona students took home the top CPTC trophy — for the second year in a row. Stanford University placed second and the University of Central Florida placed third.
• A Tesla Model 3 was hacked by France-based pentesters in less than 2 minutes at a 2023 Pwn2Own Hacking Contest in Vancouver, Canada. The attacks gave them deep access into subsystems controlling the vehicle’s safety and other components. Vulnerabilities in the automotive category offered the highest rewards at this year’s contest.
• Penetration testing emerged in the mid-1960s, according to a study published by California State University in San Bernadino. The U.S. Department of Defense (DoD) sponsored “Tiger Teams” in the 1970s. “Tiger teams were government and industry-sponsored teams of crackers who attempted to break down the defense of computer systems to uncover, and eventually patch, security holes.”
• According to Google Trends, interest in the term “penetration tester” has steadily increased since 2018. First issued a search trend score of 65 based on a “peak popularity” rating of 100, “penetration tester” earned its highest score of 99 between Oct. 30 and Nov. 5, 2022. Between Jun. 11 and Jun. 17, 2023, the term earned a popularity score of 94.

– Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.

Go here to read all of my blogs and articles covering cybersecurity. Go here to send me story tips, feedback and suggestions.

Charlie Osborne, Editor-at-Large for Cybercrime Magazine, contributed to this report.

Sponsored by BreachLock

Affordable, Smarter and Scalable Cyber Security Testing

BreachLock™ offers a SaaS platform that enables our clients to request and receive a comprehensive penetration test with a few clicks.

Our unique approach makes use of manual as well as automated vulnerability discovery methods aligned with industry best practices.

We execute in-depth manual penetration testing and provide you with both offline and online reports. We retest your fixes and certify you for executing a Penetration Test. This is followed up with monthly automated scanning delivered via the BreachLock platform. Throughout this process, you have access to the platform and our security experts who will help you find, fix, and prevent the next cyber breach.

Find out why penetration testing with BreachLock™ is the leading choice for startups, SMBs, and enterprises around the world.

BreachLock has offices in The Netherlands, London, New York City, and Wilmington, Del.