The State of Penetration Testing 2025 - 2026
Annual Report · First Edition
For security leaders & CISOs evaluating procurement, threats, and the evolving continuous-testing market. A synthesis of market data, regulatory drivers, and the buying-pattern shifts reshaping how organizations procure offensive security.
$2.74B
Global pen-testing market in 2025
87%
Of CISOs maintaining or growing testing budgets
29.1%
CAGR for PTaaS - the fastest-growing segment
Lion Security · The Pentest Vendor Marketplace
lionsecurity.io
Executive Summary

A market in its most significant transformation in a decade

The global penetration testing market reached an estimated $2.74 billion in 2025 and is on a trajectory toward $6–7 billion by 2033, driven by regulatory pressure, expanding attack surfaces, and a fundamental shift in how organizations think about security assurance. Regulatory mandates are hardening testing requirements across every major sector, artificial intelligence is reshaping both the attack surface and the testing toolkit, and the once-a-year assessment model is giving way to continuous, integrated programs. This report examines those forces and what they mean for security leaders.

Five findings security leaders should act on

01 · Regulatory mandates have moved from advisory to mandatory.

DORA is fully in force as of January 2025, NIS2 implementation is accelerating, and PCI DSS v4.0's expanded testing requirements became mandatory in March 2025. Finance, healthcare, and critical infrastructure can no longer treat testing as optional.

02 · The vulnerability landscape is getting more severe.

Critical vulnerabilities in web applications increased 150% in 2024 versus the prior year. Broken access control remains the #1 finding for the third consecutive OWASP cycle, and cloud misconfiguration underlies 99% of cloud-related breaches.

03 · The PTaaS model is winning.

Over 70% of organizations have adopted some form of Penetration Testing as a Service. PTaaS is growing at 29.1% CAGR - more than double the overall market - by delivering the real-time visibility, continuous coverage, and platform integrations that point-in-time assessments cannot.

04 · AI is both an emerging threat category and a testing accelerator.

AI and LLM deployments have created a new attack surface most testing programs do not cover. Simultaneously, AI-augmented tools enable faster reconnaissance and more consistent coverage - when deployed responsibly alongside qualified testers.

05 · The talent shortage is structural and worsening.

AI-augmented tooling partially offsets the availability gap, but the same capabilities are available to attackers. Providers who have not integrated AI meaningfully into their methodology risk falling behind the threat actors their clients are defending against.

Lion Security · Annual Report 2025–26

01 · Market Overview

Beyond the compliance checkbox

The penetration testing market has moved beyond its niche origins as a compliance checkbox and into mainstream security strategy. Sustained double-digit growth, the emergence of dedicated PTaaS platforms, and increasing board-level visibility have transformed the market in a short period of time.

Market size & growth trajectory
Estimated global market, USD billions · 2023 → 2033 (proj.)

2023     $2.19B   historical
2024     $2.45B   historical
2025     $2.74B   current
2026e    $3.09B   projected
2033e    $6.8B    projected

Projected CAGR 12.5–18%.

Sources: Fortune Business Insights; Grand View Research; Cognitive Market Research. 2033 bar shown at the $6.25–7.41B blended midpoint.

35–39%
North America's share of the global market
22.1%
Asia-Pacific CAGR through 2030 - fastest region
12%
Blended year-over-year market growth, 2024–25

The rise of PTaaS

Penetration Testing as a Service has emerged as the fastest-growing segment in the market, with a projected 29.1% CAGR through 2029 - more than double the rate of traditional project-based testing. PTaaS platforms grew from approximately $118M in 2024 to an anticipated $301M by 2029 as organizations increasingly demand the real-time visibility, platform integrations, and continuous coverage that legacy engagements cannot provide.

70%+
Of organizations have adopted PTaaS in some form
20.5%
CAGR for cloud-based pen-test subscriptions
14%
Additional organizations planning PTaaS adoption

Regional market share

North America    37%
Europe           26%
Asia-Pacific     22%
Rest of world    15%

Illustrative split of global market share. North America leads on regulated-industry density; Asia-Pacific carries the highest growth rate; European growth is accelerating directly from DORA and NIS2 enforcement.

Lion Security Perspective

The shift to PTaaS is not just a delivery preference - it reflects a fundamental change in how security teams want to consume testing. Buyers increasingly expect findings to surface in real time, integrate with existing ticketing and CI/CD workflows, and persist as tracked items rather than static PDFs. Providers who cannot meet these expectations will struggle to compete for the enterprise segment.

02 · Regulatory Pressure

Testing is no longer optional

The single most significant near-term demand driver for penetration testing is regulatory enforcement. Three major frameworks reached critical milestones in 2025, and their combined effect is compelling organizations that historically treated testing as discretionary to embed it as a permanent operational requirement.

Framework | Applies to | Pen-testing requirement | Status
DORA | EU financial entities & ICT third parties | Mandatory Threat-Led Penetration Testing (TLPT) every 3 years; third parties participate on request | In force · Jan 25
NIS2 | EU critical & important sectors (18 categories) | Annual testing recommended for critical systems; incidents reported within 24–72 hours | Active · H2 25
PCI DSS v4.0 | Any org. processing card payments | Expanded scope; authenticated scanning and targeted risk analysis now mandatory | Mandatory · Mar 25
SEC Cyber Rules | US public companies | Material incidents disclosed within 4 business days; annual risk-management disclosure | Active · 24–25
HIPAA / HITECH | US healthcare covered entities | Technical-safeguard controls require periodic evaluation; OCR emphasizes pen testing | Ongoing
FedRAMP Rev 5 | US federal contractors | NIST 800-53 Rev 5 controls include annual testing aligned to system categorization | Active

Sources: European Banking Authority DORA Technical Standards; ENISA NIS2 Guidance; PCI SSC v4.0 Summary of Changes; U.S. SEC Final Rule on Cybersecurity Risk Management.


Budget impact of regulatory drivers

The regulatory wave is translating directly into budget growth. 85% of organizations increased their penetration testing budgets in 2024, and 87% of CISOs plan to maintain or grow investment through 2025. U.S. enterprises spend approximately $187,000 annually on penetration testing, with large enterprises (10,000+ employees) averaging $216,000.

However, budget pressure is also intensifying: 44% of CISOs cited budget constraints as a key limiting factor in 2025, nearly double the 24% who said the same in 2024. This creates a bifurcating market - organizations are spending more overall but increasingly scrutinising provider value and efficiency. CISOs are looking for providers who can demonstrate clear ROI through remediation tracking, trend data, and continuous coverage, not just an annual report.

87%
Of CISOs maintaining or growing testing budgets through 2025
$216K
Average annual spend at enterprises of 10,000+ employees
44%
Cite budget as a limiting factor - up from 24% in 2024
Lion Security Perspective

DORA is the most prescriptive penetration testing mandate the financial sector has ever faced. It doesn't just require testing - it specifies threat-led methodology (TLPT), mandates third-party tester accreditation, and requires regulators to be involved in scoping for significant institutions. CISOs in scope should verify their chosen providers meet DORA's tester independence and qualification requirements before engagement.

03 · What Testers Are Finding

The vulnerability landscape

Well-known vulnerability classes persist at alarming rates while cloud and AI-related exposures introduce new risk vectors many programs are not yet configured to address. The top findings of 2024–2025:

# | Finding category | Prevalence | Severity
01 | Broken Access Control | #1 OWASP - 3rd consecutive cycle | Critical
02 | Server / Cloud Misconfiguration | 28.4% of web & API engagements | Critical
03 | Cryptographic & TLS Failures | #2 OWASP - encryption weaknesses | High
04 | Injection (SQLi, CMDi, XXE) | #5 OWASP - 38 associated CWEs | Critical
05 | Broken Authentication / Session | #7 OWASP - weak tokens, MFA gaps | High
06 | API: BOLA / Excessive Data Exposure | 29% of API-focused engagements | High
07 | Overly Permissive IAM / Cloud Identity | 82% of cloud breaches: human IAM error | Critical
08 | Unpatched & Vulnerable Components | #6 OWASP - dependency-chain exposure | High
09 | Security Logging & Monitoring Failures | #9 OWASP - detection blind spots | Medium
10 | Insecure Direct Object References | Common in custom web applications | High

Sources: OWASP Top 10:2025; Deepstrike Penetration Testing Statistics 2025; Appsecure Cloud Security Statistics 2025; Fidelis Security threat research.


The severity-escalation problem

+150%
Increase in critical web-app vulnerabilities (2024 vs 2023)
+60%
Increase in high-severity findings year over year
87%
Of critical/high findings concentrated at orgs under 200 employees

The sharp increase in critical and high-severity findings is not simply a reflection of better testing - it indicates that attack surfaces are genuinely expanding faster than defenses. The concentration of severe findings in smaller organizations is particularly notable: mid-market and growth-stage companies carry disproportionate risk relative to their security investment, making them attractive targets for financially motivated threat actors.

Cloud misconfiguration: the persistent root cause

An estimated 99% of cloud security failures involve misconfiguration, with 82% attributed to human error in IAM policy design, storage-bucket permissions, or network-security-group rules. For security leaders, this means cloud security assessment should be a standard component of any program - not an optional add-on. Testers should explicitly evaluate IAM posture, storage exposure, workload security, and network configuration across AWS, Azure, and GCP, not just scan for known CVEs.
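To make the IAM-posture and storage-exposure checks above concrete, here is an added example (not code from the Lion Security report) of a small offline linter for two of the misconfiguration classes the section names: wildcard-grant identity policies and bucket policies that allow anonymous access. The three policy documents are constructed samples in AWS IAM JSON syntax; the function names and finding format are this example's own conventions, and the checks are a deliberately narrow subset of what a cloud assessment covers.

```python
"""Added example: a minimal linter for over-permissive IAM and public bucket policies.
Not from the Lion Security report; the policies below are constructed samples."""
import json

# Constructed sample: a full-admin identity policy. One leaked credential
# carrying this policy is equivalent to account compromise.
OVERLY_PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed sample: the same role after least-privilege scoping, with
# named actions on a named bucket (bucket name is a placeholder).
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [
            "arn:aws:s3:::example-reports-bucket",
            "arn:aws:s3:::example-reports-bucket/*",
        ],
    }],
})

# Constructed sample: a bucket policy granting object reads to everyone.
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-reports-bucket/*",
    }],
})


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Principal; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True when the Principal element means 'anyone' (anonymous access)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def lint_policy(policy_json):
    """Return a list of (severity, message) findings for one policy document.

    Checks implemented (a subset of a real cloud assessment):
      * Action '*' on Resource '*'            -> CRITICAL (full admin)
      * service-wide 'svc:*' on Resource '*'  -> HIGH
      * Allow with public Principal and no Condition -> CRITICAL
    Deny statements are skipped because they restrict rather than grant.
    """
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        any_action = "*" in actions
        service_wildcard = any(a.endswith(":*") for a in actions if a != "*")
        any_resource = "*" in resources
        if any_action and any_resource:
            findings.append(("CRITICAL", f"{sid}: Action '*' on Resource '*' grants full admin"))
        elif service_wildcard and any_resource:
            findings.append(("HIGH", f"{sid}: service-wide wildcard action on Resource '*'"))
        if _principal_is_public(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append(("CRITICAL", f"{sid}: Allow with public Principal '*' and no Condition"))
    return findings


def worst_severity(findings):
    """Collapse a finding list to its highest severity, or 'NONE' if clean."""
    order = {"CRITICAL": 3, "HIGH": 2, "MEDIUM": 1}
    return max((sev for sev, _ in findings), key=order.get, default="NONE")


if __name__ == "__main__":
    for name, doc in [("overly-permissive", OVERLY_PERMISSIVE_POLICY),
                      ("least-privilege", LEAST_PRIVILEGE_POLICY),
                      ("public-bucket", PUBLIC_BUCKET_POLICY)]:
        result = lint_policy(doc)
        print(f"{name}: {worst_severity(result)}")
        for sev, msg in result:
            print(f"  [{sev}] {msg}")
```

The point of placing the permissive and the least-privilege policies side by side is the one the section makes: both are syntactically valid, deploy without error, and look "legitimate" to a console user; only a rule that reasons about what the grant permits tells them apart. In a real assessment the same logic runs over every policy exported from the account rather than over embedded samples, and is paired with checks on public-access block settings and network-security-group rules.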

Lion Security Perspective

We consistently see organizations that conduct thorough application and network testing but have never had their cloud environment professionally assessed. Cloud misconfigurations are often invisible to internal teams precisely because they are legitimate configurations - just wrong ones. A qualified cloud security assessment is one of the highest-ROI tests an organization can commission.

04 · From Niche to Mainstream

Emerging testing frontiers

AI & Large Language Model (LLM) Security Testing

Developing

Every organization deploying AI applications has introduced a new attack surface that traditional testing is not designed to evaluate. The OWASP Top 10 for LLM Applications defines ten AI-specific risks, including prompt injection, insecure output handling, training-data poisoning, and model extraction. Testing this surface requires testers with hands-on model-architecture and inference experience, not general-purpose testers applying web techniques to an AI endpoint.

Assumed Breach Testing

Maturing

Testers begin from a post-compromise position rather than attempting initial access, answering a question traditional testing often cannot: what can an attacker do once already inside? Starting from a compromised workstation or valid credentials, they evaluate lateral movement, privilege escalation, and the effectiveness of detection and response controls.

Purple Team Exercises

Maturing

Red-team operators execute attack scenarios while the client's SOC observes, attempts detection, and tunes alerting in real time. The deliverable is not a list of findings - it is measurable improvement in detection coverage, validated SIEM rules, and defender skill development.

Breach & Attack Simulation (BAS)

Maturing

BAS platforms automate attacker TTPs against live defensive tooling to validate whether SIEM, EDR, and SOAR controls detect and respond correctly. Not a replacement for manual testing, but a meaningful continuous-validation layer between manual engagements.

Continuous Penetration Testing

Maturing

The annual test is giving way to continuous, program-based models aligned with modern software delivery. 40% growth in continuous-testing adoption was recorded in 2024. For organizations running agile development or frequent cloud changes, point-in-time testing is structurally insufficient.

Lion Security Perspective · The Underserved Supply-Chain Gap

Supply-chain attacks rose 22% in 2025 and now represent 30% of all security incidents - yet very few testing programs include explicit third-party dependency analysis or simulated supply-chain exploitation. Security leaders should ask prospective providers how they approach supply-chain risk during scoping.

05 · Procurement Models

How organizations buy testing

01 · Project-Based

$10K–$35K per engagement. Best for compliance audits, point-in-time assurance, and new-technology assessments. Flat to declining as a share of new contracts.

02 · Retainer / Credits

Pre-purchased day-banks at reduced rates. Best for predictable but variable testing needs across multiple assets. Steady growth - preferred by mid-market.

03 · PTaaS Subscription

Platform + tester access on an annual contract. Best for DevSecOps and high-change environments. 29.1% CAGR - fastest-growing segment.

Choosing a model

The right procurement model depends on testing frequency, environment volatility, and how findings need to integrate with existing workflows. The table below summarises where each model fits.

Model | Typical cost | Best fit | Trajectory
Project-Based | $10K–$35K / test | Compliance audits, point-in-time assurance, new-technology assessments | Flat to declining
Retainer / Credits | Pre-paid day-bank | Predictable but variable needs across multiple assets; mid-market programs | Steady growth
PTaaS Subscription | Annual contract | DevSecOps, high-change and cloud environments requiring continuous coverage | 29.1% CAGR - fastest

Sources: GigaOm Radar for PTaaS v4 (2025); Deepstrike - Penetration Testing Cost 2026; Pentera - Global State of Pentesting 2025.


The gap between intent and reality

There is a significant gap between how frequently organizations want to test and how frequently they actually do. Historically, annual testing was standard; leading organizations have moved to quarterly assessments aligned with major releases; and early adopters of continuous models now test daily or with every release.

The limiting factors are consistent: 48% of organizations report testing less frequently than desired due to tester-availability constraints; 44% cite budget; and a significant portion simply lack the internal program-management capacity to run frequent engagements. PTaaS platforms address all three barriers - on-demand access, predictable subscription costs, and workflow automation that reduces the operational overhead of frequent engagements.

$187K
Average annual pen-test spend - U.S. enterprises
48%
Test less often than they want due to tester availability
44%
Of CISOs cite budget as a limiting factor - up from 24%
Lion Security Perspective

Buyers should align their procurement model to operational reality, not to habit. An organization shipping code weekly but testing annually is accepting a 51-week exposure window between assessments. The right question is not "how much does a pen test cost?" but "what is the cost of the gap between our tests?"

06 · The Talent Challenge

Quality is determined by people

The quality of a penetration test is determined entirely by the skills of the people conducting it. The global talent shortage is therefore not just a market dynamic - it is a direct risk factor for buyers who do not scrutinise tester qualifications carefully.

4.8M
Global cybersecurity workforce gap
34K+
Open pen-tester roles in the U.S. alone (Jan 2025)
$122K
Average U.S. penetration-tester salary

Certifications that matter

Certification | Issuing body | Employer demand | Focus
OSCP | Offensive Security | 35% of employers require | Hands-on exploitation; live lab-based exam
OSED / OSEP / OSWE | Offensive Security | High demand, specialised | Advanced exploitation, evasion, web attacks
GPEN / GWAPT / GXPN | GIAC / SANS | Strong - enterprise preferred | Network, web app, advanced testing
CEH | EC-Council | 30% of employers request | Broad ethical-hacking methodology
CREST CRT / CCT | CREST | Required for UK/EU regulated sectors | Assurance-grade testing standards
Security+ | CompTIA | 25% of employers request | Foundational - not sufficient for seniors

Sources: Infosec Institute Top Pentesting Certifications 2025; Research.com Penetration Tester Career Data 2026; Deepstrike Certification Statistics 2025; ISC2 Workforce Study.


What the talent shortage means for buyers

The global cybersecurity workforce gap stands at 4.8 million unfilled positions, with penetration testing among the most acutely affected specialisations. This shortage drives up the cost of quality testing and creates conditions where less rigorous providers field under-qualified testers to meet demand - producing a two-tier market.

Tier-one providers with deep, credentialed teams command premium rates and maintain waitlists; lower-cost providers increasingly rely on automation and junior staff. Buyers focused solely on price risk receiving assessments that miss the business-logic and chained-vulnerability findings that require experienced, creative testers to surface.

The appropriate response is not to simply buy the most expensive option - it is to ask the right qualification questions during procurement: Who specifically will work on my engagement? What certifications do they hold? What is the senior-to-junior ratio on a typical project? How does the provider validate tester quality over time? The Lion Security Marketplace evaluation framework formally assesses these dimensions for every listed provider.

Lion Security Perspective

Generative AI will reshape the talent challenge, though the direction is not straightforward. AI-augmented tooling can accelerate reconnaissance and help smaller teams cover more ground - but the same capabilities are available to attackers, who already use AI to discover vulnerabilities faster and scale attacks. Whatever delivery model an organization chooses, providers who have not integrated AI meaningfully into their methodology risk falling behind the threat actors their clients are defending against.

07 · The Evaluation Standard

A structured criteria framework

Every provider listed on the Lion Security Marketplace is evaluated against a structured framework, giving security leaders confidence that providers meet a defined quality threshold. Criteria are rated Foundational (baseline), Signature (differentiator), or Horizon (forward-looking).

# | Category | What we evaluate
01 | Tester Qualifications & Team Expertise | Certifications, team depth, senior-tester ratios, vertical experience
02 | Testing Scope & Service Coverage | Core + advanced types: AI/LLM, cloud, IoT, purple team, assumed breach, physical
03 | Methodology & Standards Compliance | PTES/OWASP/NIST alignment, MITRE ATT&CK mapping, PCI/SOC 2/HIPAA/DORA support
04 | Platform & Technology Capabilities | Client portal, real-time findings, ASM, AI-assisted testing, CI/CD & SIEM integration
05 | Reporting & Deliverables | Report quality, attack-path narratives, attestation letters, retests, compliance variants
06 | Engagement Operations & Comms | Scoping, critical-finding SLAs, ChatOps, debrief quality, remediation retesting windows
07 | Business & Operational Criteria | Pricing transparency, background screening, data handling, liability insurance, recognition
08 | Core Competency & Focus Areas | Declared specialisations: continuous, red team, AI/LLM, assumed breach, BAS, purple team

Marketplace tiers

Gold · Highest qualification threshold - deep credentialed teams and broad Signature coverage.
Verified · Meets all Foundational criteria with meaningful Signature coverage.
Listed · Meets the baseline Foundational criteria for marketplace listing.

Tier placement is reviewed annually and adjusted on client feedback, re-evaluation, or material capability changes. The full criteria framework is available from Lion Security as a standalone reference.

08 · Key Themes for 2026

Looking ahead

01 · AI attack-surface assessment becomes standard

The OWASP LLM Top 10 will become as familiar as the web-app Top 10. Providers who cannot demonstrate credible AI/LLM testing will be disqualified by organizations with material AI deployments - most of the enterprise market by end of 2026.

02 · DORA sets a new benchmark for financial-services testing

TLPT requirements are specific, auditor-reviewed, and cannot be met with standard commercial tests. In-scope institutions are discovering incumbents don't meet independence and documentation requirements - driving provider switching and consolidation around DORA-credentialed firms.

03 · Continuous testing displaces annual engagements as the default

PTaaS maturity, CI/CD integration, and growing comfort with ongoing assessments will push continuous or quarterly testing into the mainstream enterprise segment. Annual-only programs become a compliance-minimum, not genuine assurance.

04 · Purple teaming graduates to a common program element

As investment in detection tooling (SIEM, EDR, SOAR) has grown, the question of whether that tooling actually works has become unavoidable. Mature security-operations teams will fold purple teaming into their annual assurance calendars alongside red teaming and penetration testing.

05 · Provider consolidation accelerates

Private-equity interest and rising platform-capability requirements raise the cost of competition. Boutique providers will be acquired or absorbed. Buyers should assess provider stability and roadmap transparency - a provider acquired mid-engagement creates operational risk.

06 · The human–AI balance in testing will be scrutinised

Automated platforms will make aggressive coverage and speed claims. The market will demand clearer disclosure of the human-vs-automated ratio, which finding categories humans validate, and the false-negative rate of automated-only testing for complex business-logic flaws.

09 · Methodology & Sources

A secondary-research synthesis

All market data, statistics, and findings cited are drawn from independent third-party analyst reports, academic research, and industry studies published between 2024 and early 2026. Figures represent the external research landscape, not proprietary Lion Security data. Future editions will incorporate Marketplace proprietary data - provider assessment scores, aggregated engagement outcomes, and buyer-satisfaction metrics - clearly distinguished from externally sourced data.

Category | Primary sources cited
Market Sizing | Fortune Business Insights; Grand View Research; Cognitive Market Research - Penetration Testing Forecast 2025–2033
PTaaS Growth | GigaOm Radar for PTaaS v4 (2025); Omdia - The Penetration Testing Market in 2025
Vulnerability Data | OWASP Top 10:2025; Deepstrike - 86 Penetration Testing Statistics 2025; Appsecure; Fidelis Security
Regulatory Frameworks | EBA DORA Technical Standards; ENISA NIS2 Guidance; PCI SSC v4.0; U.S. SEC Final Cybersecurity Disclosure Rule
Buying Patterns | Pentera - Global State of Pentesting 2025; Deepstrike - Penetration Testing Cost 2026; Blaze Infosec
Talent & Certs | Infosec Institute; Research.com; Deepstrike; ISC2 Cybersecurity Workforce Study
AI & Emerging Threats | OWASP Top 10 for LLM Applications; EPAM; OpenAI Security Research June 2025; MITRE ATLAS
Supply Chain | Deepstrike - Supply Chain Attack Statistics 2025; Commvault - Top Cloud Security Threats 2025

About Lion Security

Lion Security is an offensive cybersecurity research and advisory firm that helps organisations select, compare, and manage penetration testing vendors and solutions. We're vendor-neutral, data-driven, and built by experts who've seen what works and what doesn't. The Lion Security Marketplace brings transparency, rigour, and buyer confidence to procurement - applying a published evaluation standard consistently to every listed provider.


Find the right testing partner for your environment.

The penetration testing market is transforming faster than most procurement processes can keep up with. Lion Security pre-vets providers against a published standard so security leaders can compare on capability, not just price.

info@lionsecurity.io
www.lionsecurity.io
Annual Report · First Edition
© 2026 Lion Security