
Once viewed primarily as a compliance obligation, penetration testing (pentesting) has evolved into a strategic cornerstone of modern cybersecurity programmes.
While organisations like the ICO recommend pentesting as a best practice and UK GDPR article 32 requires ‘appropriate technical measures’ to secure personal data, including regular testing and evaluation of security controls, compliance is no longer the primary driver for many CISOs.
According to Pentera’s The State of Pentesting 2025 report, only 29% of organisations conduct pentesting primarily for regulatory compliance.
Instead, businesses are leveraging pentesting for control validation (28%), prioritising security investments (32%), and assessing potential cyber-attack damage (28%). Additionally, 16% of enterprises now use pentesting as part of merger and acquisition due diligence, highlighting its growing role in high-stakes business decisions.
Pentester Shortages and Budget Constraints Causing Problems
Despite pentesting’s rising strategic importance, organisations face significant barriers to increasing testing frequency. The global cybersecurity skills shortage, highlighted by a 4-million-professional deficit, continues to hinder testing programmes.
For the third consecutive year, 48% of CISOs cited pentester availability as a top obstacle.
Budget constraints have also surged as a critical challenge. In the U.S., 44% of CISOs named budget limitations as a key inhibitor – a sharp increase from 24% in 2024.
This financial pressure clashes with the growing demand for continuous security validation, as traditional snapshot-style testing no longer meets evolving compliance and risk management needs.
Operational risks, such as business disruption, remain a concern but have declined in priority.
While 30% of CISOs still fear outages, this worry has dropped from the top inhibitor in 2023 to third place in 2025. The concern is most pronounced in large enterprises, where 41% of CISOs at companies with 10,000+ employees see operational risk as a major barrier.
Automation Gains Traction as Manual Testing Declines
Pentesting – like many other industries – is undergoing a significant shift toward automated solutions.
While 33% of organisations still rely on manual testing, 50% have adopted software-based pentesting and red teaming, and 37% are leveraging Breach and Attack Simulation (BAS) tools.
Traditional vulnerability scanning (46%) remains widely used, despite its limitations in assessing real-world attack scenarios. The move toward automation is expected to accelerate with the adoption of Continuous Threat Exposure Management (CTEM) frameworks, which emphasise ongoing testing over point-in-time assessments.
Pentesting Findings Drive Business Decisions
Pentest reports are no longer just technical documents—they are now key risk communication tools. 62% of organisations immediately transfer findings to IT security teams for remediation, while 47% handle fixes directly within their security teams.
Nearly half (47%) of companies share results with executives or senior management, and 21% submit findings to regulators or board members. This demonstrates how pentesting is being operationalised—not just for security improvements but also to justify investments and inform business strategy.
Where Are Businesses Pointing Pentesters?
As attack surfaces expand, organisations are aligning pentesting efforts with perceived vulnerabilities and historical breach data.
External-facing assets remain the most tested (57%) and are also seen as the most vulnerable (45%). APIs (48%) and applications (47%) are also high-priority targets, reflecting their growing role in cyber-attacks due to visibility gaps.
Cloud infrastructure (40% testing focus, 30% perceived vulnerability) and IoT (38% testing, 25% perceived risk) are also gaining attention, while Operational Technology (OT) remains a lower priority (29% testing, 24% perceived risk).
This alignment underscores a shift toward distributed risk management, with organisations expanding testing coverage to ensure readiness across all attack surfaces.
According to the report, pentesting has transformed from a compliance checkbox into a strategic cybersecurity practice, driven by risk validation, executive mandates, and business needs.
However, challenges like pentester shortages, budget constraints, and operational risks continue to limit testing frequency.
“The pace of change in enterprise environments has made traditional testing methods unsustainable,” said Jason Mar-Tang, Field CISO at Pentera.
“96% of organisations are making changes to their IT environment at least quarterly. Without automation and technology-driven validation, it’s nearly impossible to keep up. The report’s findings reinforce the need for scalable security validation strategies that meet the speed and complexity of today’s environments.”