Annual Report

The
State
of
Pentesting
2021

Want more? Get the full report.

In This Report

We dive into data from 1,602 pentests performed in 2020 on Cobalt's Pentest as a Service (PtaaS) platform. We also survey 601 security practitioners, who are not Cobalt customers, to validate our findings. The result is our most comprehensive look at the state of pentesting to date. We uncover a broad mixture of pain points, workflow challenges, and suggestions on how pentesting can become a more effective layer of defense.

Download the Report

Pentesting Book

What are companies vulnerable to?

How much risk are teams managing?

Chart Risk Management Pie Chart

Most common types of findings

  1. Broken Access Control: Insecure Direct Object References (IDOR)
  2. Cross-Site Scripting: Stored
  3. Components with Known Vulnerabilities: Outdated Software
  4. Broken Access Control: Username/Email Enumeration
  5. Cross-Site Scripting: Reflected
People Chart
6 out of 10 see
remediated issues
reemerge at a later date

What reduces the effectiveness of
prevention & remediation?

What are the biggest challenges when
implementing DevSecOps?

Biggest Challenges Bar Chart

How does security share pentest findings with the remediation team?

Pentest Findings Pie Chart
Download the Report arrow