Cobalt's 2024 State of Pentesting Report Reveals Cybersecurity Industry Needs
May 1, 2024
PRESS RELEASE
SAN FRANCISCO, April 30, 2024 /PRNewswire-PRWeb/ -- Cobalt, the pioneers of Pentest as a Service (PtaaS) and leading provider of offensive security solutions, today announced its sixth annual State of Pentesting Report. In addition to a deep dive into pentesting trends, this year's report uncovers an industry deeply grappling with how to both use and protect from AI amidst significant resource and staffing constraints.
Pentesting plays a key role in addressing this challenge, equipping organizations with the ability to more frequently security test critical assets, expanded environments, and proliferating cloud applications. As part of the report, Cobalt analyzed 4,068 pentests, revealing a 21% increase in the number of findings per pentest engagement year-over-year (from Cobalt State of Pentesting Report 2022), aligning with increases in Common Vulnerabilities and Exposures (CVE) records. Additionally, findings indicated that the median time to fix vulnerabilities also increased in comparison to previous years.
In addition to its pentesting analysis, the report also includes a survey of more than 900 cybersecurity professionals across the U.S. and U.K. The study digs into how cyber professionals are balancing internal staffing and working with external partners, the push-pull of AI as both a tool and a threat, and the challenges the C-suite faces to lead change. Some of the most critical findings include:
Challenges In the Eye of the AI Storm: The study highlights the push-pull relationships cyber security teams have with AI. A huge majority (86%) cite their teams have adopted AI-powered tools on their teams, while on the flip side, seven in ten respondents also cite an increase in threats coming from AI. This aligns with the growth Cobalt experienced in its business. Throughout 2023, Cobalt performed an increasing number of pentests on AI systems, primarily on software products incorporating AI-enabled chatbots to improve user experience. The most common vulnerabilities uncovered included prompt injection (including jailbreak), model denial of service, and prompt leaking (sensitive information disclosure). Despite the increased investment, many teams (59%) worry they are still trailing behind the AI threat.
Short Staffing Shifts From Concerning to Significant Risk: The report captures the reality of significant industry layoffs and uncertainty that plagued 2023 and the hangover effect layoffs continue to have on threat levels. Thirty-one percent of respondents said their organization conducted layoffs during the past six months, and ⅓ of those agree their organization faces greater cyber risk due to those departures. Most concerning is that there are no signs of a strong staffing recovery. Nearly one-third of respondents report being on a hiring freeze, and 29% expect to do more layoffs still this year. Looking at the data, Cobalt sees an increase in the overall volume of high and critical severity findings of 39% year over year. This is leading many companies to look at how they will utilize partnerships and vendors to improve security measures, with 59% agreeing they will increase pentesting in 2024.
C-Suite Pressures: As attacks rise, C-suite executives are increasingly finding themselves at the top of the accountability and liability food chains. It's clear that respondents are feeling this pressure; C-suite is 31% more likely than non-C-suite to say the industry environment is impacting their mental health, and 51% more likely to say it's impacting their physical health. Like their staff, they cite challenges balancing talent shortages and budget constraints against both increasing and emerging threats. Among all groups surveyed, they are the most concerned about AI adoption (33% more than non-C-suite respondents). Despite these challenges, C-suite leadership is proven to be critical to cyber security, with 23% noting that C-suite leadership is more critical than budget to preventing attacks.
"With cybersecurity teams strained by staffing shortages and concerns rising about AI's potential to enhance cyberattacks, the importance of pentesting as a proactive measure is key," said Caroline Wong, Chief Strategy Officer at Cobalt. "Our data reinforces the actions we as an industry need to take: prioritizing talent acquisition, exercising caution in AI integration to safeguard against evolving threats, and leveraging pentesting."
"Enterprises today not only face digital threats but the personal toll that these challenges take on their executives," said Chris Manton-Jones, CEO at Cobalt." As leaders, it is crucial to understand that cybersecurity is not just about securing our digital assets but also about ensuring the safety of our entire organization, including ourselves. This is where Cobalt can help make a difference. We close the gaps with security expertise and provide scalable offensive security testing across the entire attack surface. It adds a community of trusted security experts to your team and takes your security program to the next level."
Cobalt will be discussing the report at its booth #4324 in Moscone North Expo during RSA. Visit https://www.cobalt.io/ to learn how Cobalt can help your organization and to download the full 2024 State of Pentesting Report.
About Cobalt
Cobalt combines talent and technology with speed, scalability and resilience. Our award-winning Pentest as a Service (PtaaS) model empowers organizations to keep pace with their evolving attack surface and agile software development lifecycles. Thousands of customers and hundreds of partners rely on Cobalt's modern SaaS platform and exclusive community of more than 400 trusted security experts to secure applications, networks, and devices. We deliver security testing that supports business drivers, maximizes internal resources, and creates stronger security programs so that organizations can operate fearlessly and innovate securely.
You May Also Like
DevSecOps/AWS
Oct 17, 2024Social Engineering: New Tricks, New Threats, New Defenses
Oct 23, 202410 Emerging Vulnerabilities Every Enterprise Should Know
Oct 30, 2024Simplify Data Security with Automation
Oct 31, 2024Unleashing AI to Assess Cyber Security Risk
Nov 12, 2024