Report reveals the failures of penetration testing


CyCognito research shows cost, coverage and cadence limitations leave organisations exposed when they rely on penetration testing.

External attack surface management and attack surface protection provider CyCognito has released research that reveals that although businesses invest significantly in – and rely heavily on – penetration testing, this approach doesn’t accurately measure security posture or breach readiness.

The research, conducted by Informa Tech, surveyed enterprises with 3 000 or more employees and found that 70% of those polled perform penetration tests as a way to measure their security posture and 69% to prevent breaches. However, only 38% test more than half of their attack surface annually.

According to CyCognito, although many businesses conduct penetration tests to detect and mitigate threats, they remain dangerously vulnerable. The research highlighted that organisations relying on penetration testing as their security practice lack visibility over their Internet-exposed assets.

The result is blind spots that are open to exploitation and compromise, much as locking the front door of a house while leaving the back door and windows unlocked.

“It creates an attractive target, because attackers will naturally focus on those IT assets organisations leave untested,” the company said.

Limited coverage

The report unpacked some other findings. It’s common for organisations with 3 000 employees or more to have upwards of 10 000 Internet-connected assets; however, 36% of respondents claimed that only 100 or fewer assets are covered by pen tests, and 58% said 1 000 or fewer assets are covered by pen tests.

Another 60% reported that they are concerned that pen testing gives them limited coverage or leaves them with too many blind spots, and 47% say that pen testing detects only known assets and not new or unknown ones.

About 45% claimed to conduct pen tests only once or twice per year, and 27% do it once per quarter, which is woefully inadequate given the fast pace of threat evolution and how quickly infrastructure and applications change.

The vast majority, 79%, believe that pen tests are costly, and 78% say they would utilise pen tests on more apps if the costs were lower.

Finally, it takes 71% of respondents anywhere from one week to one month to conduct a penetration test. Then, more than 26% have to wait between one and two weeks to get test results, and 13% wait even longer.

A path of least resistance

Rob Gurzeev, CEO and co-founder of CyCognito, said security testing should tell companies what bad actors are able to see and exploit so that defenders can prevent breaches.

“But when companies are only able to see assets they already know about, test just a portion of their attack surface, and do that only a few times per year, preventing breaches isn’t possible. So, the biggest takeaway from this report is that what organisations want or are hoping to achieve through pen testing versus what they actually are accomplishing are two very different things,” he added.

There is very limited value in testing only a portion of the attack surface periodically, Gurzeev stressed. “Unless you are continuously discovering and testing your entire external attack surface, you don’t have an overall understanding of how secure your organisation is. If there is a path of least resistance, attackers will find it, and find a way to exploit it.”
