Cybersecurity statistics about testing
77% of internal Security Operations Center (SOC) teams reported a skills shortage in penetration testing as of 2025, indicating a significant gap in essential cybersecurity capabilities.
10% of organizations have advanced API security strategies that include dedicated API testing and protection.
21% of organizations rely on regular penetration testing to assess the effectiveness of their API security measures.
42% of organizations conduct code reviews and security testing.
53% of IT leaders believe that regular testing and validation of cyber incident recovery plans is a key benefit a cyber incident recovery solution provides to contribute to better cyber resilience.
70% of organizations test their cyber incident recovery plans annually.
Approximately 40% of financial firms have increased their penetration testing frequency to quarterly or continuous testing.
Cloud misconfigurations and excessive permissions vulnerabilities were found in 42% of cloud environments that were pen tested.
Nearly nine in 10 security leaders (88%) view penetration testing as an essential component of their overall security programme.
More than half (58%) of respondents require third-party penetration test reports to validate software security.
53% of respondents supplement their efforts with internal testing.
9 in 10 UK organisations tested elements of their recovery capabilities in the last 12 months, which is a significant increase from previous years.
23% of financial services organizations have not conducted digital operational resilience testing (a DORA requirement).
63% of organizations are engaged in mobile application security testing.
The resolution rate for high-severity vulnerabilities found in LLM pentests falls to just 21%.
Overall, 69% of serious findings across all pentest categories are resolved.
32% of LLM pentest findings are serious.
33% of respondents are still not conducting regular security assessments, including penetration testing, for their Large Language Model (LLM) deployments.
50% of CISOs identify software-based testing as a primary method for uncovering exploitable security gaps within their organizations.
The average total IT security budget for U.S. enterprises is $1.77 million.