The State of Pentesting 2023

The most prevalent vulnerabilities, how macroeconomic trends impact security teams, and where you might be leaving money on the table with your pentests.

State-of-Pentesting-Report-Menu-Image

Looking for the latest
State of Pentesting Report?

Explore other State of Pentesting Report insights. Access the latest State of Pentesting Report for 2025, or explore trends and data from our previous editions in 2024, 2023, and 2022. Find the year that best suits your research needs.
SOPR25-Landing Page Cover Image-1192x700

Top Security Risks Exposed in 3,100+ Pentests

Disruption, transformation, volatility — whichever keyword fits your style, it all points to one fact: change is the constant for security teams.

How do security teams plan to protect assets with fewer resources and more responsibilities?

Cobalt's 5th edition of The State of Pentesting explores this question, tapping into data from 3,100 pentests and over 1,000 responses from security practitioners in the United States, the United Kingdom, and Germany. 

Here's What You'll Learn:

  • Top vulnerabilities, security challenges, and pentesting trends
  • How layoffs and budget cuts impact organizations' security postures
  • What security teams plan to outsource and/or deprioritize to better manage growing workloads
  • How to prepare your team and environment for a productive and in-depth pentest

Top Findings for 2022

  • 1Cross-Site Scripting (XSS) Stored

    This is a type of injection attack. Any feature that allows user input can be vulnerable because it gives attackers an opportunity to inject and store malicious scripts into web applications. The next time a user pulls up data that includes the attacker’s input, their browser attempts to run the malicious code.

     

    GET THE REPORT Get the Report

     

  • 2Components with Known Vulnerabilities: Outdated Software Version

    Using outdated software versions can leave you vulnerable to serious attacks, such as remote code execution with the recently discovered Log4j flaw. If you don’t have the latest version of Apache’s logging software, you have a vulnerability in your systems described as “a severe risk” by the Cybersecurity and Infrastructure Security Agency. And this is one of thousands of examples.

    GET THE REPORT Get the Report
  • 3Broken Access Control: Insecure Direct Object References (IDOR)

    IDOR can give access to resources via user-supplied input when attackers modify a value of a parameter that points directly to an object in your database. This flaw has the potential to give attackers access to personally identifiable information, which later enables identity theft, fraud, or blackmailing.

    GET THE REPORT Get the Report
  • 4Server Security Misconfiguration: Lack of Security Headers

    Security headers can help mitigate different attacks, such as Clickjacking, XSS, and encryption-related downgrade attacks. They can also strengthen privacy by enabling users to use their browsers’ security features such as disabling access to their webcam or microphone. Missing these configurations puts your operations and customers at risk.

    GET THE REPORT Get the Report
  • 5Server Security Misconfiguration: Insecure SSL and TLS Protocols

    If teams use the SSL or TLS 1.1 protocols, their encryption is not secure. Attackers with a Man-in-the-Middle (MITM) position can break into older secure communication channels and attempt to decrypt the information. Some configurations also allow an attacker to downgrade communication from a stronger cipher suite to one that they can crack.

    GET THE REPORT Get the Report
1Cross-Site Scripting (XSS) Stored

This is a type of injection attack. Any feature that allows user input can be vulnerable because it gives attackers an opportunity to inject and store malicious scripts into web applications. The next time a user pulls up data that includes the attacker’s input, their browser attempts to run the malicious code.

 

GET THE REPORT Get the Report

 

2Components with Known Vulnerabilities: Outdated Software Version

Using outdated software versions can leave you vulnerable to serious attacks, such as remote code execution with the recently discovered Log4j flaw. If you don’t have the latest version of Apache’s logging software, you have a vulnerability in your systems described as “a severe risk” by the Cybersecurity and Infrastructure Security Agency. And this is one of thousands of examples.

GET THE REPORT Get the Report
3Broken Access Control: Insecure Direct Object References (IDOR)

IDOR can give access to resources via user-supplied input when attackers modify a value of a parameter that points directly to an object in your database. This flaw has the potential to give attackers access to personally identifiable information, which later enables identity theft, fraud, or blackmailing.

GET THE REPORT Get the Report
4Server Security Misconfiguration: Lack of Security Headers

Security headers can help mitigate different attacks, such as Clickjacking, XSS, and encryption-related downgrade attacks. They can also strengthen privacy by enabling users to use their browsers’ security features such as disabling access to their webcam or microphone. Missing these configurations puts your operations and customers at risk.

GET THE REPORT Get the Report
5Server Security Misconfiguration: Insecure SSL and TLS Protocols

If teams use the SSL or TLS 1.1 protocols, their encryption is not secure. Attackers with a Man-in-the-Middle (MITM) position can break into older secure communication channels and attempt to decrypt the information. Some configurations also allow an attacker to downgrade communication from a stronger cipher suite to one that they can crack.

GET THE REPORT Get the Report

The latest

State of Pentesting cover image
White Paper
State of Pentesting
State of Pentesting 2025
Apr 14, 2025
1 min read
read more