Global penetration testing market to exceed $5 billion annually by 2031
25 Ethical Hacking Facts, Figures, Predictions and Statistics. Sponsored by BreachLock
– Steve Morgan, Editor-in-Chief
Sausalito, California – August 14, 2023
“If you spend a dollar on cybersecurity and you don’t do penetration testing, then you’re doing something terribly wrong,” Seemant Sehgal, founder and CEO of BreachLock, told Cybersecurity Ventures.
You can spend as much as you want on perimeter and network defense, zero trust policies, staff training, and endpoint protection, but unless you systematically test how effective those defenses actually are, potential avenues for exploitation remain open.
Thorough and frequent penetration testing is essential for modern businesses to mitigate the risk of cyberattacks. Facts, figures, predictions and statistics help CISOs and cybersecurity managers understand market dynamics.
25 SECURITY TESTING MARKET STATISTICS
- eSecurity Planet has identified 11 key factors that affect penetration testing costs: scope and scale; penetration test type; tester experience; compliance requirements; system type; remediation and retesting; future opportunities; special needs; type of contract; supplier type; and costs beyond the contract.
- As a general estimate, an in-depth penetration test typically lasts between 3 and 5 weeks, and sometimes up to a few months, according to Mitnick Consulting, Kevin Mitnick’s namesake firm. Mitnick, widely known as the world’s most famous hacker, died on July 16, 2023. He would have turned 60 on August 6 during this year’s Black Hat USA 2023 conference in Las Vegas.
- The 3 main types of penetration testing are: black-box testing, which takes an attacker’s perspective to cover a wider scope; gray-box testing, which gives an internal view with minimal access; and white-box testing, which gives a much deeper inside view. The main difference between the types is the amount of information the organization being tested provides to the tester.
- The U.S. Bureau of Labor Statistics (BLS) projects 35 percent employment growth for information security analysts, including penetration testers, between 2021 and 2031. This is much faster than the average for all occupations in the United States.
- There are more than 22,000 job openings for penetration testers in the United States, with computer knowledge being the most in-demand skill.
- PayScale estimates that entry-level penetration testers can expect a salary of around $72,823 per year when entering the field. With 5-9 years of experience, the average salary is $110,251, and highly experienced penetration testers can expect a salary of around $124,607 per year.
- According to CyberSeek, 11 percent of penetration testers have an associate’s degree, 65 percent earned a bachelor’s degree and 24 percent earned a master’s degree.
- 13 percent of ethical hackers (i.e. penetration testers) are women and 87 percent are men, according to CareerExplorer, which bills itself as the world’s leading career advancement platform. The largest ethnic group of ethical hackers is white, making up 42 percent of the population, according to CareerExplorer. The next largest segments are South Asian and Other, accounting for 17 percent and 11 percent, respectively.
- The 7 best penetration testing certifications in 2023, according to Network Assured, are: the Certified Ethical Hacker (CEH) certification; GIAC Exploit Researcher and Advanced Penetration Tester (GXPN); GIAC Penetration Tester (GPEN); Licensed Penetration Tester (LPT) Master; CompTIA PenTest+; Offensive Security Certified Professional (OSCP); and GIAC Web Application Penetration Tester (GWAPT).
- EC-Council’s popular Certified Ethical Hacker (CEH) certification, held by many penetration testers, costs between $1,699 and $2,049. If a candidate does not pass the CEH exam, they can apply for a $499 CEH retake voucher. CEH exam pass rates vary depending on the candidate’s education and experience, but Infosec’s Ethical Hacking Boot Camp, for example, reports a 93 percent exam pass rate.
- The 5 emerging skills gaining momentum among penetration testers, with projected growth in demand over 5 years, are: container security, 156 percent; comprehensive software security, 114 percent; threat hunting, 105 percent; SaaS application security, 76 percent; and anomaly detection, 58 percent.
- According to the Open Worldwide Application Security Project (OWASP) Top 10, for penetration testers analyzing web applications and platforms these are the ten most critical vulnerability categories: broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable and outdated components, identification and authentication failures, software and data integrity failures, security logging and monitoring failures, and server-side request forgery (SSRF).
- The BreachLock 2022 Annual Penetration Testing Report reveals that injection and sensitive data exposure account for more than 35 percent of critical penetration test findings. Based on data collected from more than 8,000 tests conducted in 2021, 15 percent of critical-risk findings were related to privilege escalation issues. More than 50 percent of high-risk findings were due to cross-site scripting vulnerabilities.
- There are 33.2 million small businesses in America, representing 99.9 percent of all American businesses. BreachLock research suggests that more than 87 percent of all critical and high penetration test findings are found in organizations with fewer than 200 employees. Additionally, the majority of SMBs perform penetration testing purely for compliance and contractual reasons.
- A recent report from cybersecurity certification platform CER found that only six of 45 cryptocurrency wallet brands, or about 13 percent, have undergone penetration testing to detect security vulnerabilities. Of these, only half have carried out testing on the latest versions of their products.
- About 40 percent of ethical hackers recently surveyed by the SANS Institute said they can penetrate most, if not all, of the environments they test. Nearly 60 percent said they need 5 hours or less to break into a corporate environment once they identify a weakness.
- The world’s best cybersecurity students gathered at the Rochester Institute of Technology to compete in the Global Finals of the Collegiate Penetration Testing Competition (CPTC) in early 2023. The event was the culmination of the largest offensive cybersecurity competition for students, hosted annually by RIT. A team of California State Polytechnic University, Pomona students took home the CPTC trophy for the second year in a row. Stanford University placed second and the University of Central Florida placed third.
- A Tesla Model 3 was hacked by France-based pentesters in less than 2 minutes during the Pwn2Own 2023 hacking competition in Vancouver, Canada. The attacks gave them deep access to subsystems controlling vehicle security and other components. Vulnerabilities in the automotive category offered the highest rewards in this year’s competition.
- Penetration testing appeared in the mid-1960s, according to a study published by California State University, San Bernardino. The U.S. Department of Defense (DoD) sponsored “Tiger Teams” in the 1970s. “Tiger Teams were government- and industry-sponsored hacker teams that attempted to breach the defense of computer systems to discover and possibly correct security vulnerabilities.”
- According to Google Trends, interest in the term “penetration tester” has been steadily increasing since 2018. First assigned a search trend score of 65 on a scale where 100 represents “peak popularity,” “penetration tester” achieved its highest score of 99 between October 30 and November 5, 2022. Between June 11 and 17, 2023, the term received a popularity score of 94.
– Steve Morgan is founder and editor-in-chief of Cybersecurity Ventures.
Charlie Osborne, editor-in-chief of Cybercrime Magazine, contributed to this report.
Sponsored by BreachLock
Affordable, Smarter, Scalable Cybersecurity Testing
BreachLock™ offers a SaaS platform that allows our customers to request and receive a complete penetration test in just a few clicks.
Our unique approach uses manual and automated vulnerability discovery methods aligned with industry best practices.
We perform in-depth manual penetration testing and provide you with offline and online reports. We retest your patches and certify that you have completed a penetration test. This is followed by monthly automated scanning provided through the BreachLock platform. Throughout this process, you have access to the platform and to our security experts, who will help you find, fix and prevent the next cyber breach.
Discover why penetration testing with BreachLock™ is the first choice for startups, SMEs and enterprises around the world.
BreachLock has offices in the Netherlands, London, New York and Wilmington, Del.