Survey shows enterprises shift towards software-driven pentesting

Techday NZ, 08-05-2025
Pentera's latest State of Pentesting report highlights a move among enterprises towards software-based penetration testing and examines cybersecurity trends among organisations with more than 3,000 employees in the United States, Germany, France, and the United Kingdom.
The report is based on a survey of 500 Chief Information Security Officers (CISOs) and senior security executives and provides insight into security validation practices, budget allocation, and factors affecting the adoption of proactive risk management strategies.
The data reveals that over 50% of CISOs now use software-based pentesting to supplement their in-house security testing, a practice which was not common a decade ago. The same percentage of CISOs now designate software-based pentesting as their primary means of discovering exploitable weaknesses in their organisations' IT environments.
This shift appears to be a response to the scale and complexity of modern enterprise IT environments, which require more extensive coverage of attack surfaces and continuous validation efforts to address persistent vulnerabilities.
According to the survey, 67% of US enterprises have experienced a security breach within the past 24 months, despite the deployment of an average of 75 security tools across their environments and an increase in security stack size for 45% of organisations over the past year. Of those experiencing breaches, 76% reported significant consequences: 36% faced unplanned downtime, 30% saw data exposure, and 28% reported financial losses.
A larger security stack does not necessarily produce better outcomes. The report points to the operational complexity it creates: organisations running 11 to 50 security tools generate an average of 883 alerts each week, those with 76 to 100 tools receive 2,048, and enterprises with more than 100 tools handle 3,074 weekly alerts. At that volume, prioritising and responding to the genuinely critical threats becomes harder.
On average, US enterprises spend USD $187,000 per year on pentesting, roughly 10.5% to 11% of a total IT security budget that averages USD $1.77 million per organisation. More than half of the CISOs surveyed plan to increase their pentesting budgets in the coming year, and nearly half intend to raise their total IT security budgets as well.
Use of software-based pentesting platforms is becoming more widespread, with 55% of organisations deploying such tools to support internal security assessments. Half the CISOs polled now see software-driven testing as essential for uncovering their most significant vulnerabilities, indicating increased trust in the efficacy and safety of these solutions.
Cyber insurance providers are influencing enterprise security technology adoption. The report shows 58% of US enterprises and 59% overall have implemented at least one recommended cybersecurity solution at their insurer's request. An additional 34% of US companies had received recommendations for specific security solutions from their insurance providers.
Despite extensive investment in technology and outside advice, confidence in government support for cybersecurity is low. In the United States, 22% of CISOs surveyed said they cannot rely on government support for cybersecurity, while 64% acknowledged government actions but believe they are insufficient. Only 14% feel that the government is fully playing its part in protecting the private sector.
Jason Mar-Tang, Field CISO at Pentera, commented on the findings: "The pace of change in enterprise environments has made traditional testing methods unsustainable. 96% of organizations are making changes to their IT environment at least quarterly. Without automation and technology-driven validation, it's nearly impossible to keep up. The report's findings reinforce the need for scalable security validation strategies that meet the speed and complexity of today's environments."
The survey underpinning the report was carried out by independent research firm Global Surveyz between December 2024 and January 2025.
Related Articles

Dragos names Eric Cross as Chief Revenue Officer to boost OT cyber
Techday NZ

Dragos has appointed Eric Cross as Chief Revenue Officer to lead its global go-to-market functions in the operational technology (OT) cybersecurity sector. Cross is set to oversee sales, customer success, partner and channel ecosystems, and marketing, as Dragos continues its work to protect industrial and critical infrastructure.

Bringing over 20 years of experience in enterprise sales and go-to-market leadership, Cross has previously guided revenue operations at several technology and cybersecurity companies. His resume includes global leadership roles with Reltio, Appian, Apigee, Google Cloud, Blue Coat Systems, Citrix, PeopleSoft, and Salesforce. Notably, at Apigee, Cross was instrumental in taking the company through its initial public offering and subsequent acquisition by Google.

Leadership focus

"Eric is a proven go-to-market leader who knows how to scale organisations, serve customers, and build lasting enterprise relationships," said Robert M. Lee, Chief Executive Officer and co-founder of Dragos. "As OT cybersecurity becomes a board-level priority across sectors, Eric's leadership will help us meet our customers where they are in their OT cybersecurity journey while accelerating our global reach and impact."

Cross's appointment arrives during a period of recognisable progress for Dragos. The company was recently named a Leader in the 2024 Gartner Magic Quadrant for Cyber-Physical Systems Protection Platforms, with recognition for both vision and execution.

Industry perspective

Cross emphasised the significance of Dragos's mission in the current climate. In his words: "Dragos stands out not just for its market leadership, but for its mission-driven approach to protecting critical infrastructure – the human, societal, and community impact resonates deeply with me. This is a pivotal time for industrial cybersecurity and Dragos is a company with a clear vision, world-class customers, and the opportunity to make an impact that truly matters. I'm thrilled to help lead the next phase of growth."

Dragos continues expanding into sectors such as energy, manufacturing, transportation, and other elements of critical infrastructure. The customer base now includes many of the world's major industrial organisations, supported by a growing partner ecosystem.

Financial risks in OT cyber

This appointment follows Dragos's recent release of the 2025 OT Security Financial Risk Report. Developed in collaboration with Marsh McLennan's Cyber Risk Intelligence Centre, the report forecasts that global OT cyber losses could reach up to USD $329.5 billion annually under a severe but plausible scenario. These findings highlight considerable financial and operational risks faced by industrial organisations and underscore the continuing need for robust OT cybersecurity solutions.

Cross's capabilities stretch across several revenue models, including direct, indirect, managed service, and OEM channels. His experience covers SaaS, security, API management, and data analytics. His leadership approach rests on ethical practices, developing talent, and fostering cross-functional collaboration - principles the company says are aligned with Dragos's values and culture.

Cross holds a bachelor's degree in risk management from the University of Georgia and is known for a transformational leadership style that emphasises high-impact, cross-functional teams. His new role supports Dragos's stated aim of providing value for customers through strategic innovation and operational efficiency.

VexTrio exposed as global ad-fraud empire with billions in play
Techday NZ

Infoblox Threat Intel has released details exposing the VexTrio threat group as a global business enterprise involved in large-scale ad-fraud activity. Previously categorised as a major participant in malicious traffic distribution systems, VexTrio is now understood to be a complex multinational corporate entity with a network of nearly 100 companies spanning the adtech, energy and construction sectors. The network reportedly underpins an ad-fraud scheme valued in the billions.

Criminal structure

The investigation by Infoblox Threat Intel outlines that VexTrio is not merely an assembly of hackers, but a merger of Italian and Eastern European criminal groups. They use a structural network of businesses to obfuscate fraudulent activities. Named executives run operations which, according to the findings, have persisted for more than a decade.

VexTrio is described as managing a comprehensive scam supply chain, controlling all elements from the creation of fraudulent applications to the operation of payment processors that collect illicit proceeds. Prominent adtech brands within the network, including Los Pollos, TacoLoco, and Adtrafico, function as outwardly legitimate affiliate marketing platforms while, in reality, serving the group's criminal operations.

"For years, we thought that VexTrio was just a group of basement hackers," said Dr. Renée Burton, Vice President of Infoblox Threat Intel. "This investigation proves that behind the malicious links is a highly organised, multinational corporate entity that has been profiting from fraud on a massive scale. They have built an entire adtech industry to conceal their crimes in plain sight."

International reach

Infoblox reports that VexTrio's reach is substantial. In 2024, their affiliate network Los Pollos reported more than 2 billion unique users each month. GoDaddy, reviewing compromised websites, found that around 40 percent were redirecting traffic to VexTrio. Additionally, one of the group's core Content Delivery Network domains ranks among the world's top 10,000 most visited domains.

The breadth of control extends to fraudulent product development, encompassing fake dating platforms, eCommerce portals and cryptocurrency investment websites. VexTrio operates its own payment processing and runs email validation services, enabling high-volume spam campaigns used to direct new victims into their schemes.

Financial incentives and technical setup

According to Infoblox, affiliates operating through VexTrio's network are offered incentives surpassing USD $100 per lead for fraudulent antivirus products. Some schemes, such as "blank credit card" scams, are promoted with claims of returns in the six-figure range and up to 300 percent return on investment.

The underlying infrastructure supporting the network is described as efficient and advanced. Despite its scale, VexTrio reportedly runs fewer than 250 virtual machines globally, employing automated tools and leveraging multiple hosting and legitimate Content Delivery Network providers to avoid detection and ensure ongoing operations. This technical approach enables the group to remain both resilient and difficult to track.

Business fronts and adtech complicity

Central to VexTrio's evasion tactics is its use of shell companies and the portrayal of its businesses as reputable adtech providers. The investigation highlights that these companies operate under several brands in the affiliate marketing space, while simultaneously conducting various forms of fraud.

The report by Infoblox suggests that adtech industry platforms facilitate the expansion of cybercrime at scale. The research further notes that affiliate networks such as Los Pollos, TacoLoco, and Adtrafico not only increase the syndicate's reach but represent potential points of exposure. As these networks track affiliate activities, they hold intelligence capable of identifying those responsible for website compromises and widespread defrauding of internet users.

Researchers argue that these findings underscore the need for increased accountability and transparency in the adtech sector. The examples of compromised affiliates and fraudulent affiliate marketing tactics are presented as risks to internet safety and business integrity worldwide.

Blackpearl opens retail offer after AUD $10.3m raise & US deal
Techday NZ

Blackpearl Group has opened its retail entitlement offer at AUD $0.95 per share, following a AUD $10.3 million institutional raise led by Australian cornerstone investors ahead of its proposed listing on the Australian Securities Exchange as a foreign-exempt entity.

The retail component of the entitlement offer allows eligible shareholders to participate following the completion of the offer's institutional stage, which has attracted backing from prominent Australian institutional investors. This development comes as the company finalises its acquisition of US-based AI sales automation firm B2B Rocket, a transaction expected to raise Blackpearl's annual recurring revenue (ARR) to USD $17.5 million and set the direction towards a USD $50 million target.

Australian support

The institutional element of Blackpearl's accelerated non-renounceable entitlement offer (ANREO) and additional placement successfully raised AUD $10.3 million. The support from Australian investors is crucial as Blackpearl progresses its application for an ASX foreign-exempt listing, a move intended to broaden its investor base and reinforce its presence in the world's largest market for small and medium businesses.

Chief Executive Officer Nick Lissette said the offer aligned with the company's broader ambitions: "Blackpearl isn't in the habit of standing still. Investor demand has been clear and with Australian cornerstone support in place and our ASX pathway progressing, we're opening the retail window for eligible shareholders today. This is a rare moment - a New Zealand AI company acquiring a cutting-edge high growth US technology business, backed by Australian institutions and preparing for an ASX quotation. The raise materially broadens our investor base and strengthens our platform to scale in the world's largest SMB market."

Lissette stated that the opening of the retail offer reflects a significant step in Blackpearl's expansion strategy. The offer opened to eligible shareholders on Monday 18 August and will close on 25 August, giving participants the opportunity to subscribe at AUD $0.95 per share. Oversubscriptions will be permitted for those who fully take up their entitlement.

Acquisition and growth targets

Blackpearl's pending acquisition of B2B Rocket, an AI sales automation business based in the United States, is expected to close this week. The company projects that this acquisition will lift ARR to USD $17.5 million, with momentum towards USD $20 million as it maintains a long-term target of USD $50 million.

Lissette added: "We're not inching forward, we're leaping. With B2B Rocket closing this week, we're in striking distance of $20m and so we're now focused on our $50m target. This is the growth story NZ tech needs right now. It's proof that Kiwi innovation can scale - and compete - anywhere and signals that NZ Tech belongs in the big leagues globally and has what it takes to deliver."

Next steps for listing

Blackpearl targets its ASX quotation in approximately three months, contingent on the successful completion of a Tier 1 standard audit of B2B Rocket. The company sees institutional support from Australia as pivotal in this phase. Lissette stated: "Australian institutional backing gives us more than capital; it gives us confidence and credibility as we scale."

Use of proceeds

Proceeds from the entitlement offer will be used to fund the B2B Rocket acquisition, support the scaling of Bebop's growth, integrate B2B Rocket and execute its go-to-market plan, enhance Blackpearl's Data Wholesale resources, and maintain a cash buffer for working capital purposes.

Lissette summarised the company's outlook: "We're not just building a bigger business, we're building a bigger playing field. This particular combination of capital, capability and opportunity doesn't come around often and we intend to use it to take New Zealand AI global."

DOWNLOAD THE APP

Get Started Now: Download the App

Ready to dive into a world of global content with local flavor? Download Daily8 app today from your preferred app store and start exploring.
app-storeplay-store