The State of Pentesting 2021

Want more? Get the full report.

In this report, we dive into data from 1,602 pentests performed in 2020 on Cobalt's Pentest as a Service (PtaaS) platform. We also survey 601 security practitioners, who are not Cobalt customers, to validate our findings. The result is our most comprehensive look at the state of pentesting to date. We uncover a broad mixture of pain points, workflow challenges, and suggestions on how pentesting can become a more effective layer of defense.

download the report

Take a sneak peek!

Key Takeaways:

How much risk are teams managing?

2021-state-of-pentesting-risk-management-graphic (1)

Most common types of findings

Broken Access Control: Insecure Direct Object References (IDOR)
Cross-Site Scripting: Stored
Components with Known Vulnerabilities: Outdated Software
Broken Access Control: Username/Email Enumeration
Cross-Site Scripting: Reflected

people

6 out of 10 see remediated issues
reemerge at a later date

What reduces the effectiveness of prevention & remediation?

What are the biggest challenges when implementing DevSecOps?

bar-chart-1-inline

How does security share pentest findings with the remediation team?

"Pentesting is on the one side a regulatory requirement, and a requirement by different stakeholders. But it's also a fundamental part of our secure SDLC."

Guido Reismüller

VP Information Security, Solaris Bank