What Our Analysis of 4,200+ Pentests Reveals About Cyber Risk Across Industries in 2025

Organizations are innovating at a faster pace than ever, with the emergence of agentic AI and vibe coding transforming how applications are built, deployed, and exploited. As the digital threat landscape continues to evolve, the 2025 BreachLock Penetration Testing Intelligence Report offers a strategic, data-driven look at where organizations are most vulnerable and how they can adapt.

In this blog, we will highlight the most critical vulnerability findings in key industries, emerging attack trends, and asset-specific insights from BreachLock’s 2025 Penetration Testing Intelligence Report.

The Expanding Attack Surface in 2025

The rise of agentic AI, LLMs, and vibe coding has accelerated innovation, but it has also expanded the attack surface beyond traditional controls. Cloud-native architectures, hybrid environments, and API-driven ecosystems are now standard, yet many organizations still struggle to secure them effectively. This year’s findings show that the exploitability of these gaps is increasing, largely because outdated systems, cloud misconfigurations, and increasingly sophisticated multi-step attack chains are converging. Read on for what we found.

Key Findings Across All Industries

Critical & High Findings

The report found that 45% of Critical- or High-severity vulnerabilities could lead to significant compromise in the absence of layered defenses, with many enabling remote code execution, privilege escalation, or unauthorized access. The top issues were (note that the percentages below are measured against different populations: share of high-severity findings versus share of systems tested):

  • Broken Access Control (32% of high-severity findings)
  • Security Misconfiguration (52% of cloud & hybrid systems)
  • Cryptographic Failures and Injection Flaws (SQL, NoSQL, XSS)
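Broken access control, the top high-severity category above, most often shows up in testing as a handler that authenticates the caller but never checks that the requested object belongs to them. The following is an added illustration written for this page, not code from the report or from BreachLock; the invoice records, the Session type and the billing_auditor role are constructed for the example:

```python
"""Object-level authorization: a vulnerable handler beside its hardened form.

Added illustration, not code from the BreachLock report. The records,
users and roles below are constructed for the example.
"""
from dataclasses import dataclass

# Constructed sample data: invoices owned by different customers.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.00},
    1002: {"owner": "bob", "amount": 980.50},
}


@dataclass(frozen=True)
class Session:
    """An authenticated caller; roles is a constructed example of RBAC data."""
    user: str
    roles: frozenset = frozenset()


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def get_invoice_vulnerable(session, invoice_id: int) -> dict:
    """Broken access control: the caller must be logged in, but nothing
    checks that the invoice is theirs, so any user can read any invoice
    by guessing its id (an insecure direct object reference)."""
    if session is None:
        raise Forbidden("login required")
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id)


def get_invoice_hardened(session, invoice_id: int) -> dict:
    """Fixed: ownership (or an explicit auditor role) is checked on every
    request, and a record the caller may not see is reported exactly like
    one that does not exist, so the endpoint cannot be used to enumerate
    valid ids."""
    if session is None:
        raise Forbidden("login required")
    record = INVOICES.get(invoice_id)
    is_owner = record is not None and record["owner"] == session.user
    is_auditor = "billing_auditor" in session.roles
    if record is None or not (is_owner or is_auditor):
        raise NotFound(invoice_id)
    return record


def probe(handler, session, invoice_id: int) -> str:
    """Summarise a handler's outcome so the two versions compare directly."""
    try:
        handler(session, invoice_id)
        return "ok"
    except NotFound:
        return "not_found"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    alice = Session("alice")
    print("vulnerable, alice reads bob's invoice:",
          probe(get_invoice_vulnerable, alice, 1002))
    print("hardened,   alice reads bob's invoice:",
          probe(get_invoice_hardened, alice, 1002))
```

The hardened handler answers a denied record with the same "not found" result as a missing one; a distinct 403 for records that exist but belong to someone else would tell an attacker which ids are valid.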

Red teaming simulations showed a median time of 2.5 hours to lateral movement, underscoring the importance of detection maturity and rapid response.

Most Common MITRE ATT&CK Techniques Observed

BreachLock maps findings to the latest MITRE ATT&CK data to strengthen its pentesting methodology, allowing pentesters to define multiple attack paths and give a comprehensive overview of potential exploitation routes for critical vulnerabilities. The most commonly observed ATT&CK techniques over the past 12 months were:

  • OS Credential Dumping (T1003)
  • Valid Accounts (T1078)
  • Exploit Public-Facing Application (T1190)

Sector-Specific Insights

Technology & SaaS Providers

Technology & SaaS providers represented the largest share of the dataset in this report. Organizations in this sector have significantly expanded the depth and frequency of their penetration testing programs over the last year, driven by rapid cloud adoption, aggressive DevOps cycles, and growing customer demand for security transparency. Even so, offensive security leaders and practitioners in this space should be aware of a few key observations:

  • The number of critical API vulnerabilities identified spiked 400% in 2025.
  • Security misconfigurations were the most prominent vulnerability identified in this sector, impacting 24% of systems.
  • Authentication flows showed growing risk, with our pentesters noting weak session handling in single-page applications (SPAs) and fragmented identity layers.

While these observations can sound damning, there are measures that security leaders can take to minimize the impact of these vulnerabilities, which our experts outline in the full report.

Banking & Financial Services

Penetration testing in the banking & financial services sector has transformed significantly over the past year, primarily due to new regulatory mandates like the Network and Information Systems Directive (NIS2) and the Digital Operational Resilience Act (DORA).

Under this more stringent regulatory landscape, continuous penetration testing and proactive vulnerability management have helped reduce the prevalence of critical vulnerabilities this year. Financial institutions still face complex threats that require ongoing attention, as our findings show:

  • Broken access control vulnerabilities impacted 22% of systems tested.
  • 32% of all findings fell under the critical or high severity categories.
  • Cryptographic failures and authentication vulnerabilities highlighted an ongoing need to strengthen data protection and identity management.

Retail & Consumer Goods

Retail & consumer goods organizations made up 17% of the dataset analyzed in this report, which is unsurprising given the sector’s increasing reliance on digital platforms and e-commerce channels. Privacy-centered regulatory pressure, such as GDPR and CCPA, has pushed these organizations toward a proactive rather than reactive approach to security. Here are a few key observations we made in this sector:

  • 68% of APIs had excessive data exposure weaknesses.
  • We identified, on average, 15 vulnerabilities per endpoint in this sector.
  • 27% of organizations in this sector still pentest only once a year, despite release cycles that leave untested changes exposed for months.

Our observations in the retail & consumer goods sector reveal a clear need for a stronger focus on API security and more frequent testing; our experts lay out strategies for both in the full Penetration Testing Intelligence Report.
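The "excessive data exposure" weakness found in 68% of retail APIs above is typically a handler that serialises the whole stored record and relies on the client to display only what it needs. The following is an added example for this page, not code from the report or from BreachLock; the customer record and the field allow-list are constructed:

```python
"""Excessive data exposure: an API handler that returns the whole record
beside one that builds its response from an explicit allow-list.

Added example, not from the BreachLock report; the record is constructed.
"""
import json

# Constructed customer record as it sits in the data store.
CUSTOMER = {
    "id": 7,
    "email": "a.customer@example.com",
    "display_name": "A. Customer",
    "password_hash": "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$aGFzaGhhc2g",
    "card_last4": "4242",
    "fraud_score": 0.82,
    "internal_notes": "disputed chargeback 2024-11",
}

# The only fields the public profile endpoint is meant to expose.
PUBLIC_FIELDS = ("id", "display_name", "card_last4")


def profile_vulnerable(record: dict) -> str:
    """Serialises the stored object as-is; every column, including the
    password hash and internal risk data, travels over the wire."""
    return json.dumps(record)


def public_profile(record: dict) -> dict:
    """Builds the response from the allow-list, so a column added to the
    store later stays hidden until someone deliberately adds it here."""
    return {k: record[k] for k in PUBLIC_FIELDS if k in record}


def profile_hardened(record: dict) -> str:
    return json.dumps(public_profile(record))


def leaked_fields(response: str) -> set:
    """Fields present in a response beyond the allow-list."""
    return set(json.loads(response)) - set(PUBLIC_FIELDS)


if __name__ == "__main__":
    print("vulnerable leaks:", sorted(leaked_fields(profile_vulnerable(CUSTOMER))))
    print("hardened leaks:  ", sorted(leaked_fields(profile_hardened(CUSTOMER))))
```

In a pentest the vulnerable form is found by diffing the raw JSON against what the UI renders; the allow-list approach also makes the exposed surface reviewable in code.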

Healthcare

Over the past year, regulatory frameworks such as HIPAA, together with stricter compliance standards like HITECH and, in certain regions, NIS2, have driven increased adoption of continuous security testing across the healthcare sector. The bar for continuous security validation has risen significantly, not only for compliance but to safeguard patient trust and keep clinical operations uninterrupted. Even so, we identified key vulnerability trends that practitioners in the healthcare sector should be aware of:

  • 60% of all vulnerabilities identified in healthcare systems were critical and high-severity.
  • With 25% of healthcare clients migrating core services to public cloud, misconfigurations and over-provisioned IAM roles became prevalent risks.
  • Broken access control vulnerabilities were identified in 22% of systems in the healthcare sector.

Energy & Utilities

Like most other sectors, energy & utilities has seen penetration testing requirements increase, driven by escalating cyber threats and stricter regulation. High-profile incidents and geopolitical tensions have heightened global concern over critical infrastructure security, pushing regulators to enforce tighter cybersecurity frameworks such as NERC CIP and IEC 62443. To stay ahead, energy firms demand comprehensive, scenario-based assessments that simulate advanced persistent threats (APTs), with a focus on lateral movement, privilege escalation, and real-world exploitation paths across hybrid IT/OT environments. These are a few key observations our experts made from testing those environments:

  • Medium- and High-severity issues dominate at 62%, driven by the widespread use of legacy systems and inadequate OT security controls.
  • Broken access controls were present in 18% of systems in this sector.
  • The growing emphasis on OT-specific pentesting has revealed a gap between IT security maturity and OT resilience.

Strategies for addressing these particular weaknesses and others are detailed in the full report by BreachLock security experts.

Strategic Takeaways for Offensive Security Leaders

Across all sectors, one message is clear: point-in-time testing is no longer enough. The complexity and velocity of modern threats demand a shift toward continuous, proactive offensive security focused on real-world exploitability and impact for more effective prioritization and faster remediation. Based on the findings in this year’s report, here are five key takeaways for CISOs and offensive security leaders:

1. Prioritize Exploitability Over Volume

Focus remediation efforts on vulnerabilities that are both high-impact and easily exploitable, especially broken access controls, misconfigurations, and insecure APIs.

2. Adopt Continuous Security Validation

Move beyond annual assessments by integrating penetration testing, red teaming, and adversarial exposure validation (AEV) into your development and deployment lifecycles. Frequent, continuous testing has become more accessible through delivery models such as Penetration Testing as a Service (PTaaS), which let teams schedule their own pentests, view results in real time, and communicate with testers through a platform, rather than waiting weeks for results under traditional engagement models.

3. Strengthen Authentication and Authorization Controls

Weak authentication and overprivileged roles were common across all sectors. Enforce MFA, implement least privilege, and regularly audit IAM configurations.

4. Secure APIs and Cloud Infrastructure

APIs were a top target in every industry. Ensure strict access controls, rate limiting, and secure coding practices are in place, and automate cloud misconfiguration detection and remediation.
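Takeaways 3 and 4 both come down to finding over-provisioned access before an attacker does: wildcard permissions, privileged actions granted without MFA, and the cloud misconfigurations that pentesters keep reporting. The following is an added example for this page, not code from the report or from BreachLock; it audits IAM policy documents in AWS policy syntax. The four policies are constructed, the SENSITIVE_ACTIONS list is this example's own choice, and fetching real policies through the provider's API is assumed and left out so the check runs offline:

```python
"""Audit IAM policy documents for over-provisioned permissions.

Added example, not from the BreachLock report. The policies below are
constructed in AWS policy-document syntax; pulling live policies from the
provider's API is assumed and omitted so the check runs offline.
"""
import json

# Actions an attacker values most when granted broadly; this list is the
# example's own choice and would be tuned per environment.
SENSITIVE_ACTIONS = {"iam:PassRole", "sts:AssumeRole", "iam:CreateAccessKey"}


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_sensitive(action: str) -> bool:
    """Full wildcards, service wildcards such as 'ec2:*', or listed actions."""
    return action == "*" or action.endswith(":*") or action in SENSITIVE_ACTIONS


def _has_mfa_condition(statement: dict) -> bool:
    """True when the statement applies only with MFA present."""
    for operator, keys in statement.get("Condition", {}).items():
        if operator in ("Bool", "BoolIfExists"):
            if str(keys.get("aws:MultiFactorAuthPresent", "")).lower() == "true":
                return True
    return False


def audit_policy(name: str, policy: dict) -> list:
    """Return one finding dict per rule hit in each Allow statement."""
    findings = []
    for index, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))

        def hit(rule, detail):
            findings.append({"policy": name, "statement": index,
                             "rule": rule, "detail": detail})

        if "*" in actions:
            hit("WILDCARD_ACTION", "Action '*' permits every API call")
        if "*" in resources:
            hit("WILDCARD_RESOURCE", "Resource '*' applies to every resource")
        risky = sorted(a for a in actions if _is_sensitive(a))
        if risky and not _has_mfa_condition(st):
            hit("SENSITIVE_NO_MFA",
                f"{', '.join(risky)} allowed without an MFA condition")
    return findings


def audit_all(policies: dict) -> list:
    """Audit a {name: policy} mapping, preserving policy order."""
    return [f for name, pol in policies.items() for f in audit_policy(name, pol)]


# Constructed sample: a legacy admin policy, a deployment role, an
# MFA-gated auditor policy and an explicit deny.
SAMPLE_POLICIES = json.loads("""
{
  "legacy-admin": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
  "deploy-role": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"],
     "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::build-artifacts/*"}]},
  "auditor-mfa": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]},
  "deny-all": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*"}]}
}
""")

if __name__ == "__main__":
    for f in audit_all(SAMPLE_POLICIES):
        print(f"{f['policy']} stmt[{f['statement']}] {f['rule']}: {f['detail']}")
```

Run on a schedule against exported policies, the findings list is the kind of feed that takeaway 4's "automate cloud misconfiguration detection" turns into tickets; the rules here cover only the three conditions named in the text and would need extending (NotAction, resource-level wildcards inside ARNs, trust policies) before replacing a dedicated tool.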

5. Monitor Third-Party SDKs Continuously

Establish a rigorous process to evaluate the security posture of third-party SDKs and libraries, including regular patching and dependency scanning, to mitigate supply chain risks that can compromise app integrity.

Final Thoughts

The 2025 BreachLock Penetration Testing Intelligence Report underscores that attackers are innovating faster than most organizations can adapt. With the right offensive security strategy rooted in continuous validation, threat-informed defense, and proactive remediation, security teams can stay a step ahead.

Whether you’re leading security at a SaaS startup, a global bank, or a national utility provider, the report lays out clear strategies to know your exposures, validate your defenses, and evolve faster than your adversaries.

Download the full report to explore detailed findings, industry-specific recommendations, and expert guidance on how to operationalize penetration testing as part of your offensive security strategy in your organization.

About BreachLock

BreachLock is a global leader in offensive security, delivering scalable and continuous security testing. Trusted by global enterprises, BreachLock provides human-led and AI-powered Attack Surface Management, Penetration Testing as a Service (PTaaS), Red Teaming, and Adversarial Exposure Validation (AEV) solutions that help security teams stay ahead of adversaries.

With a mission to make proactive security the new standard, BreachLock is shaping the future of cybersecurity through automation, data-driven intelligence, and expert-driven execution.

Know Your Risk. Contact BreachLock today!

Author


BreachLock Labs

