Global Penetration Testing Market To Exceed $5 Billion USD Annually By 2031
25 Ethical Hacking Facts, Figures, Predictions, and Statistics. Sponsored by BreachLock
– Steve Morgan, Editor-in-Chief
Sausalito, Calif. – Sep. 18, 2024
“If you’re spending one dollar on cybersecurity and you’re not doing penetration testing, then you’re doing something terribly wrong,” Seemant Sehgal, founder and CEO at BreachLock, told Cybersecurity Ventures.
You can spend as much as you wish on perimeter and network defense, implementing zero-trust policies, training staff, and endpoint protection, but unless you consistently test the effectiveness of cybersecurity defense, potential pathways for exploitation remain open.
Substantial and frequent penetration testing is crucial for modern businesses to mitigate the risk of cyberattacks today. Facts, figures, predictions and statistics help CISOs and cybersecurity leaders understand the market dynamics.
25 PEN TESTING MARKET STATISTICS
- Cybersecurity Ventures predicts the global penetration testing product and service market will exceed $5 billion annually by 2031. This is based on vetting and averaging market forecasts from numerous industry sources.
- 92 percent of U.S. and European organizations increased their overall IT security spending last year, with 85 percent raising their penetration testing budgets, reports TechRepublic.
- By some estimates the global penetration testing market will grow more than 24 percent through 2026.
- In many cases annual penetration tests don’t happen. Budgets are one problem, as BizTech Magazine reports, with 1 in 3 companies citing money as their reason for not conducting the tests more frequently.
- The range of penetration testing can start as low as a few hundred dollars and on the upper end can even exceed $100,000. The cost of a penetration test for the average organization is $18,300.
- eSecurity Planet has identified 11 key factors that affect penetration testing costs: Scope & Scale; Penetration Test Type; Tester Experience; Compliance Requirements; System Type; Remediation and Retesting; Future Opportunities; Special Requirements; Contract Type; Vendor Type; and Costs Beyond The Contract.
- As a general estimation, the typical time span for a deep-dive penetration test is anywhere from 3 to 5 weeks, sometimes lasting up to a couple of months, according to Kevin Mitnick’s namesake firm, Mitnick Consulting. Mitnick, widely known as the world’s most famous hacker, passed away on Jul. 16, 2023. He would have turned 60 on Aug. 6 during last year’s Black Hat USA 2023 conference in Las Vegas.
- The 3 main types of penetration testing are: Black box testing for an attacker’s view to cover a broader scope; Grey box testing for an insider view with minimal access; and White box testing for a much deeper inside view. The main difference between each type is in the amount of information being given to the tester by the organization being tested.
- The U.S. Bureau of Labor Statistics (BLS) projects 35 percent job growth for information security analysts, including penetration testers, between 2021 and 2031. This is much faster than the average for all occupations in the U.S.
- There were more than 22,000 job openings for penetration testers in the U.S. last year, with knowledge of computer science being the most requested skill.
- Payscale estimates that entry-level penetration testers can expect a salary of approximately $72,823 per year when they enter the field. With 5 to 9 years of experience, the average compensation rises to $110,251, and highly experienced penetration testers can expect a salary of approximately $124,607 annually.
- According to Cyber Seek, 11 percent of penetration testers have an associate degree, 65 percent earned their bachelor’s degree, and 24 percent graduated with a master’s degree.
- 13 percent of ethical hackers (aka penetration testers) are female and 87 percent are male, according to CareerExplorer, which bills itself as the world’s leading career advancement platform. The largest ethnic group of ethical hackers is White, making up 42 percent of the population, according to CareerExplorer. The next highest segments are South Asian and Other, making up 17 percent and 11 percent respectively.
- The 7 best penetration testing certifications, according to Network Assured, are: Certified Ethical Hacker (CEH) certification; GIAC Exploit Researcher and Advanced Penetration Tester (GXPN); GIAC Penetration Tester (GPEN) certification; Licensed Penetration Tester Master (LPT) Certification; CompTIA Pentest+ certification; Offensive Security Certified Professional (OSCP); and GIAC Web Application Penetration Tester (GWAPT) certification.
- The popular Certified Ethical Hacker (CEH) certification from EC-Council, which is held by many penetration testers, costs between $1,699 and $2,049. If a candidate fails to pass the CEH test, they can request a $499 CEH Retake Exam Voucher. CEH exam pass rates vary based on how much training and experience the candidate has, but Infosec’s Ethical Hacking boot camp, for instance, has a 93 percent exam pass rate.
- The 5 emerging skills gaining momentum, with 5-year projected growth, in demand for penetration testers are: Container Security 156 percent; Comprehensive Software Security 114 percent; Threat Hunting 105 percent; SaaS Application Security 76 percent; and Anomaly Detection 58 percent.
- According to the Open Worldwide Application Security Project (OWASP) Top 10, the ten most critical categories of vulnerabilities for penetration testers analyzing web-based applications and platforms are: broken access control, cryptographic failures, injection security flaws, insecure design, security misconfiguration, vulnerable and outdated components, identification and authentication failures, software and data integrity failures, security logging & monitoring issues, and server-side request forgery (SSRF).
- BreachLock’s 2024 Penetration Testing Intelligence Report reveals that critical vulnerabilities in web applications are up 150 percent and high vulnerabilities increased 60 percent in 2024 vs. 2023.
- There are 33.2 million small businesses in America, accounting for 99.9 percent of all U.S. businesses. Research from BreachLock suggests that over 87 percent of all critical and high penetration test findings are found in organizations with under 200 employees. Furthermore, the majority of SMBs only conduct penetration testing exercises for compliance and contractual reasons.
- A 2023 report from cybersecurity certification platform CER found that only six of 45 cryptocurrency wallet brands, or more than 13 percent, have undergone penetration testing to find security vulnerabilities. Of these, only half have performed tests on the latest versions of their products.
- Around 40 percent of ethical hackers recently surveyed by the SANS Institute said they can break into most environments they test, if not all. Nearly 60 percent said they need 5 hours or less to break into a corporate environment once they identify a weakness.
- The “world’s greatest collection of cybersecurity talent” assembled at Rochester Institute of Technology earlier this year for the 2024 Collegiate Penetration Testing Competition (CPTC) global finals. The annual event wrapped up the largest offense-based cybersecurity competition for college students, which is hosted annually by RIT. A team of students from Princess Sumaya University for Technology in the country of Jordan took home the top CPTC trophy. Stanford University placed second and University of Massachusetts Amherst placed third.
- A Tesla Model 3 was hacked by France-based pentesters in less than 2 minutes at a 2023 Pwn2Own Hacking Contest in Vancouver, Canada. The attacks gave them deep access into subsystems controlling the vehicle’s safety and other components. Vulnerabilities in the automotive category offered the highest rewards at last year’s contest.
- For years, higher education has held the dubious distinction of being among the top targets for cybercriminals. According to one report, 40 percent of ransomware attacks in higher education were due to exploited vulnerabilities. Pen testing can also bolster compliance with government regulations such as the Family Educational Rights and Privacy Act. This law was designed to address the abuse of student records and requires the institution to implement adequate data security programs to prevent unauthorized access and breaches. Penetration testing should be repeated at least once a year to ensure that new vulnerabilities are found and addressed.
- Penetration testing emerged in the mid-1960s, according to a study published by California State University in San Bernardino. The U.S. Department of Defense (DoD) sponsored ‘Tiger Teams’ in the 1970s. “Tiger teams were government and industry-sponsored teams of crackers who attempted to break down the defense of computer systems to uncover, and eventually patch, security holes.”
– Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.
Go here to read all of my blogs and articles covering cybersecurity. Go here to send me story tips, feedback and suggestions.
Sponsored by BreachLock
Affordable, Smarter and Scalable Cyber Security Testing
BreachLock™ offers a SaaS platform that enables our clients to request and receive a comprehensive penetration test with a few clicks.
Our unique approach makes use of manual as well as automated vulnerability discovery methods aligned with industry best practices.
We execute in-depth manual penetration testing and provide you with both offline and online reports. We retest your fixes and certify you for executing a Penetration Test. This is followed up with monthly automated scanning delivered via the BreachLock platform. Throughout this process, you have access to the platform and our security experts who will help you find, fix, and prevent the next cyber breach.
Find out why penetration testing with BreachLock™ is the leading choice for startups, SMBs, and enterprises around the world.
BreachLock has offices in The Netherlands, London, New York City, and Wilmington, Del.