
Each year the threat landscape continues to evolve, and security measures must evolve with it. The recently released Fortra 2023 Penetration Testing Report offers a view into the usage and perception of pen testing, with the intent of determining how these services must adapt in the future.
For an in-depth take, cybersecurity experts unpack the findings in our webinar, “The Practice of Pen Testing: 2023 Survey Results Revealed”.
Key Findings
There were a few salient points in this edition that revealed changes in the penetration testing landscape.
1. There’s been a drop in security overconfidence, and people are pen testing for the right reasons
A couple of years ago, our experts noticed a buffer of overconfidence within the security arena. Not anymore. This year, the numbers show that organizations are pen testing in healthy numbers, and for the right reasons. Last year, 75% tested for compliance purposes. This year, only 58% did it out of obligation, while the largest share (69%) reported doing it for risk assessment and remediation prioritization.
Pen testing engagements are being spurred by fear of three leading threats, the same three as last year: ransomware, phishing, and misconfigurations.
And that makes sense, considering the common thought is that most ransomware comes from phishing attacks — click on this link, for example, and before you know it a malicious script has been downloaded onto your system. That’s a valid threat, but misconfigurations and bad security practices — such as exposed remote access tools (RDP), shared passwords, and overly generous permissions — can be an equal part of the problem.
2. Compliance as motivator: The good and the bad
While it’s never good to see organizations testing just to check a box, there are advantages to increased compliance regulations when it comes to pen testing priorities. For every company we see taking the results and stuffing them in a drawer (and it does happen), there are others living the spirit of the law and stepping up efforts when spurred by HIPAA, SOC, PCI-DSS, GDPR, and others.
First, we are seeing more tests overall. We’re seeing more testing for social engineering and phishing. And we’re seeing an increase in web application tests. This is good because cybercriminals aren’t just going after the low-hanging fruit anymore. AI and ML advancements have made it easier to scope the entire attack surface and really vet all those opportunities, so organizations are in a hurry to catch up and “see what they see” — hopefully before “they” do.
3. Let’s talk in-house pen testing
A few years back, it was the trend to make pen testing an external affair. Companies wanted best-in-class pen testers and good cyber talent was hard to come by. And it still is. However, given the length of time organizations have had to sit on some of these problems, we are slowly starting to see in-house pen testing creep back for the network areas companies feel most comfortable with. They’ll still hire out for the more challenging and sophisticated threats.
That being said, it’s not easy to build an in-house pen testing team. It takes time, expertise, budget, training resources, and of course, the cycles to do it. Even in the big companies, the large corporations with large IT teams and resources to dedicate towards this, we’re still only seeing “teams” of about 3-4 people. While this does save on resources, there are also a few downsides, and they are downsides that third-party testing can address.
4. Let’s talk third-party pen testing
The benefits of third-party testing are several. First of all, you get a team of experts who have seen it all and can do it all, every time. We would warn that they’re not all created equal, so when you find the right one, it’s best to stick with them. Some only tell you if an endpoint can be breached — others go so far as to tell you exactly what an attacker has access to once inside.
Secondly, if you go with a larger pen testing firm, they’ll have a gamut of pen testers to choose from. When you go in-house, you’ll have the same 3-4 people doing all the tests, all the time, and they’re a little too close to the data. It helps to have a fresh set of eyes on the problem, because that’s exactly what attackers are.
And third, a good external pen testing agency will track your progress, help you align with your goals, and take the burden of reporting off your shoulders so you’re ready for your upcoming audit or compliance review. Anecdotally, we know pen testers in the industry who will test for free; they charge only for the reports.
5. The most used tools are the simplest ones (and that means open source OS, too)
Another trend we noticed is that companies don’t have the cycles to spend learning complex pen testing tools. This is another reason they’ll turn to external pen testers or go it alone with simpler tools.
There’s nothing wrong with keeping it simple, although it does limit you to what the tools can accomplish (not what needs to be done). The real problem comes when simple also means “free” or “the easiest available”, and all too often, those can mean unvetted open source (OS) pen testing tools.
If they’re not careful, companies can land themselves in a world of hurt because the OS tool they think they’re getting is not what they actually get. It could be a less-powerful knockoff or, worse, a tool with vulnerabilities designed to put their systems at risk.
All in all, we’re seeing a trend towards more independence in pen testing, and more conscientious tests. Companies are genuinely concerned about improving their security posture, and have started to engage in pen tests more often. To support this, they’ve leaned into in-house teams and available tools. While all of this is good from a proactive standpoint, it can lead to danger if not done responsibly.
Developing a long-term relationship with an external pen testing agency can be a great support to both in-house efforts and novice teams alike. Partnering with the right provider can give you the security expertise and the resources — in time, reporting, auditing, compliance, and tooling — to maximize your pen testing investment.
See where pen testing is heading
Take a deep dive into the 2024 pen testing landscape with our annual report and discover the latest trends.