Penetration testing is undergoing its most significant transformation in a decade. Regulatory mandates are hardening testing requirements across every major sector. Artificial intelligence is reshaping both the attack surface organizations must defend and the tools testers use to find vulnerabilities. And the traditional once-a-year assessment model is giving way to continuous, integrated security programs.
This inaugural Lion Security Annual Report synthesizes current market data, emerging threat trends, regulatory drivers, and buying pattern shifts to help security leaders make more informed decisions about how - and from whom - they procure penetration testing services.
Sources: Fortune Business Insights, Pentera State of Pentesting 2025, Deepstrike Research 2025. All figures are from independent third-party research and are cited throughout this report.
Executive Summary
The global penetration testing market reached an estimated $2.74 billion in 2025 and is on a trajectory toward $6-7 billion by 2033, driven by regulatory pressure, expanding attack surfaces, and a fundamental shift in how organizations think about security assurance. This report examines the forces shaping that growth and what they mean for security leaders evaluating their testing programs.
Five Findings Security Leaders Should Act On
01 — Regulatory mandates have moved from advisory to mandatory.
DORA is fully in force as of January 2025, NIS2 implementation is accelerating, and PCI DSS v4.0's expanded testing requirements became mandatory in March 2025. Organizations in finance, healthcare, and critical infrastructure can no longer treat penetration testing as optional.
02 — The vulnerability landscape is getting more severe.
Critical vulnerabilities in web applications increased 150% in 2024 compared to the prior year. Broken access control remains the #1 finding for the third consecutive OWASP cycle. Cloud misconfiguration underlies 99% of cloud-related breaches.
03 — The PTaaS model is winning.
Over 70% of organizations have adopted some form of Penetration Testing as a Service. PTaaS is growing at 29.1% CAGR - more than double the rate of the overall market - because it delivers real-time visibility, continuous coverage, and platform integrations that point-in-time assessments cannot.
04 — AI is both an emerging threat category and a testing accelerator.
AI and large language model deployments have created a new attack surface that most existing testing programs do not cover. Simultaneously, AI-augmented testing tools are enabling faster reconnaissance and more consistent coverage - when deployed responsibly alongside qualified testers.
05 — The talent shortage is structural and worsening.
The global cybersecurity workforce gap stands at 4.8 million unfilled positions, with penetration testing among the most acutely affected specialisations; over 34,000 penetration testing roles were open in the United States alone as of January 2025. Tester availability is now the most commonly cited reason organizations test less often than they intend (48%), and the shortage both drives up the cost of quality testing and creates conditions where less rigorous providers field under-qualified testers to meet demand. Buyers should scrutinise who will actually work on their engagement, not just company-wide certification totals.
Market Overview
The penetration testing market has moved beyond its niche origins as a compliance checkbox and into mainstream security strategy. Sustained double-digit growth, the emergence of dedicated PTaaS platforms, and increasing board-level visibility have transformed the market in a short period of time.
Market Size & Growth Trajectory
| Year | Est. Market Size | YoY Growth | Key Driver |
|---|---|---|---|
| 2023 | $2.19 billion | — | Compliance baseline |
| 2024 | $2.45 billion | ~12% | Cloud security, ransomware response |
| 2025 | $2.74 billion | ~12% | DORA / NIS2 / PCI DSS v4 |
| 2026 (proj.) | $3.09 billion | ~13% | AI-driven attack surface expansion |
| 2033 (proj.) | $6.25–7.41 billion | CAGR 12.5–18% | Continuous testing mainstream |
Sources: Fortune Business Insights, Grand View Research, Cognitive Market Research. Figures represent blended estimates from multiple analyst forecasts.
The Rise of PTaaS
Penetration Testing as a Service has emerged as the fastest-growing segment in the market, with a projected CAGR of 29.1% through 2029 - more than double the rate of traditional project-based testing. PTaaS platforms grew from approximately $118 million in 2024 to an anticipated $301 million by 2029, as organizations increasingly demand the real-time visibility, platform integrations, and continuous coverage that legacy engagements cannot provide.
Lion Security Perspective
The shift to PTaaS is not just a delivery preference - it reflects a fundamental change in how security teams want to consume testing. Buyers increasingly expect findings to surface in real time, integrate with their existing ticketing and CI/CD workflows, and persist as tracked items rather than static PDFs. Providers who cannot meet these expectations will struggle to compete for the enterprise segment.
North America & Asia-Pacific Lead Growth
North America commands 35-39% of global market share, underpinned by the density of regulated industries, mature cyber-insurance frameworks, and high concentration of enterprise technology firms. Asia-Pacific is the fastest-growing region at an estimated 22.1% CAGR through 2030, driven by rapid cloud adoption, expanding digital infrastructure, and increasingly stringent national cybersecurity frameworks. European growth is accelerating directly as a result of DORA and NIS2 enforcement timelines.
Regulatory Pressure: Testing Is No Longer Optional
The single most significant near-term demand driver for penetration testing is regulatory enforcement. Three major frameworks reached critical milestones in 2025, and their combined effect is compelling organizations that have historically treated testing as discretionary to embed it as a permanent operational requirement.
| Framework | Applies To | Penetration Testing Requirement | Status |
|---|---|---|---|
| DORA | EU financial entities & ICT third-party providers | Mandatory Threat-Led Penetration Testing (TLPT) every 3 years; ICT third-party providers must participate on request | In Force Jan 2025 |
| NIS2 | EU critical & important sectors (18 categories) | Annual penetration testing recommended for critical systems; significant security incidents must be reported within 24-72 hours | Active H2 2025 |
| PCI DSS v4.0 | Any org. processing card payments | Expanded pen test scope; future-dated requirements now mandatory including authenticated scanning and targeted risk analysis | Mandatory Mar 2025 |
| SEC Cyber Rules | US public companies | Material cybersecurity incidents must be disclosed within 4 business days; annual disclosure of cybersecurity risk management processes | Active 2024-25 |
| HIPAA / HITECH | US healthcare covered entities | Technical safeguard controls require periodic evaluation; HHS OCR guidance emphasizes pen testing as an evaluation method | Ongoing |
| FedRAMP Rev 5 | US federal contractors | NIST 800-53 Rev 5 controls include annual pen testing requirements aligned to system categorization | Active |
Sources: European Banking Authority DORA Technical Standards; ENISA NIS2 Guidance; PCI Security Standards Council v4.0 Summary of Changes; U.S. SEC Final Rule on Cybersecurity Risk Management.
Lion Security Perspective
DORA is the most prescriptive penetration testing mandate the financial sector has ever faced. It doesn't just require testing - it specifies threat-led methodology (TLPT), mandates third-party tester accreditation, and requires regulators to be involved in scoping for significant institutions. CISOs in scope should verify their chosen providers meet DORA's tester independence and qualification requirements before engagement.
Budget Impact of Regulatory Drivers
The regulatory wave is translating directly into budget growth. 85% of organizations increased their penetration testing budgets in 2024, and 87% of CISOs plan to maintain or grow investment through 2025. U.S. enterprises spend approximately $187,000 annually on penetration testing, with large enterprises (10,000+ employees) averaging $216,000.
However, budget pressure is also intensifying: 44% of CISOs cited budget constraints as a key limiting factor in 2025, nearly double the 24% who said the same in 2024. This creates a bifurcating market where organizations are spending more overall but are increasingly scrutinising provider value and efficiency. CISOs are looking for providers who can demonstrate clear ROI through remediation tracking, trend data, and continuous coverage - not just an annual report.
The Vulnerability Landscape: What Testers Are Finding
Understanding what penetration testers consistently discover across organisations is essential for prioritising testing scope and remediation investment. The findings picture in 2024-2025 reflects a landscape where well-known vulnerability classes persist at alarming rates, while cloud and AI-related exposures are introducing new risk vectors that many testing programs are not yet configured to address.
Top Penetration Testing Findings: 2024-2025
| # | Finding Category | Prevalence | Severity |
|---|---|---|---|
| 01 | Broken Access Control | #1 OWASP Top 10 - 3rd consecutive cycle | Critical |
| 02 | Server / Cloud Misconfiguration | 28.4% of web & API engagements | Critical |
| 03 | Cryptographic & TLS Failures | #2 OWASP - encryption weaknesses | High |
| 04 | Injection Vulnerabilities (SQLi, CMDi, XXE) | #5 OWASP - 38 associated CWEs | Critical |
| 05 | Broken Authentication & Session Management | #7 OWASP - weak tokens, MFA gaps | High |
| 06 | API Security: BOLA / Excessive Data Exposure | 29% of API-focused engagements | High |
| 07 | Overly Permissive IAM / Cloud Identity | 82% of cloud breaches: human IAM error | Critical |
| 08 | Unpatched & Vulnerable Components | #6 OWASP - dependency chain exposure | High |
| 09 | Security Logging & Monitoring Failures | #9 OWASP - detection blind spots | Medium |
| 10 | Insecure Direct Object References (IDOR) | Common in custom web applications | High |
Sources: OWASP Top 10:2025; Deepstrike Penetration Testing Statistics 2025; Appsecure Cloud Security Statistics 2025; Fidelis Security threat research.
The Severity Escalation Problem
The sharp increase in critical and high-severity findings is not simply a reflection of better testing - it indicates that attack surfaces are genuinely expanding faster than defenses. The concentration of severe findings in smaller organizations is particularly notable: mid-market and growth-stage companies carry disproportionate risk relative to their security investment, making them attractive targets for financially motivated threat actors.
Cloud Misconfiguration: The Persistent Root Cause
Cloud misconfiguration continues to dominate as a root cause of breaches, not just a testing finding. An estimated 99% of cloud security failures involve misconfiguration, with 82% attributed to human error in IAM policy design, storage bucket permissions, or network security group rules.
For security leaders, this means cloud security assessment should be a standard component of any penetration testing program - not an optional add-on. Testers should be explicitly evaluating IAM posture, storage exposure, workload security, and network configuration across AWS, Azure, and GCP environments, not just scanning for known CVEs.
Lion Security Perspective
We consistently see organizations that conduct thorough application and network testing but have never had their cloud environment professionally assessed. Cloud misconfigurations are often invisible to internal teams precisely because they are legitimate configurations - just wrong ones. A qualified cloud security assessment is one of the highest-ROI tests an organization can commission.
Emerging Testing Frontiers
Beyond the established categories of network and application testing, several specialised disciplines are rapidly moving from niche to mainstream. Understanding these areas helps security leaders identify gaps in their current programs and ask the right questions of prospective providers.
AI & Large Language Model (LLM) Security Testing (Maturity: Developing)
Every organization deploying AI applications - whether building on top of foundation models or integrating AI into existing workflows - has introduced a new attack surface that traditional penetration testing is not designed to evaluate. The OWASP Top 10 for LLM Applications defines ten risk categories specific to AI systems, including prompt injection, insecure output handling, training data poisoning, and model extraction. OpenAI's own research has highlighted threat actors actively exploring LLM-driven attack capabilities.
AI security testing requires testers with hands-on experience in model architecture, inference behavior, and the specific failure modes of AI pipelines. It cannot be performed by general-purpose testers applying traditional web testing techniques to an AI endpoint.
Assumed Breach Testing (Maturity: Maturing)
Assumed breach testing - in which testers begin from a post-compromise starting position rather than attempting initial access from scratch - is gaining significant traction because it answers a question traditional pen testing often cannot: what can an attacker do once they're already inside? Starting from a compromised workstation, a set of valid credentials, or an established network foothold, testers evaluate lateral movement paths, privilege escalation opportunities, and the effectiveness of detection and response controls. This model is particularly valuable for organizations with mature perimeter defenses who want to stress-test their internal posture and incident response capability.
Purple Team Exercises (Maturity: Maturing)
Where traditional red teaming operates covertly against a defensive team that does not know an engagement is occurring, purple teaming makes the collaboration explicit. Red team operators execute attack scenarios while the client's SOC or blue team observes, attempts detection, and tunes its alerting and response playbooks in real time. The primary deliverable is not a list of findings - it is measurable improvement in detection coverage, validated SIEM rules, and defender skill development. Organizations with mature security operations programs are finding purple team exercises to be among the highest-value activities they can commission.
Breach & Attack Simulation (BAS) (Maturity: Maturing)
Breach and Attack Simulation platforms automate the execution of attacker tactics, techniques, and procedures (TTPs) against live defensive tooling to validate whether SIEM, EDR, and SOAR controls detect and respond correctly. BAS is not a replacement for manual penetration testing - it lacks the creativity, context, and business-logic understanding of a skilled human tester - but as a continuous validation layer between manual engagements, it provides meaningful coverage. Forward-looking security programs are beginning to combine manual PTaaS, periodic red teaming, and continuous BAS into a tiered assurance model.
Continuous Penetration Testing (Maturity: Maturing)
The annual penetration test is giving way to continuous or program-based testing models that align with modern software delivery cadences. PTaaS platforms now enable organizations to run scoped tests aligned with release cycles, maintain ongoing retesting of known vulnerabilities, and receive real-time findings as they are discovered rather than waiting for a final report. Adoption of continuous testing grew 40% in 2024, with DevSecOps-integrated testing growing at a comparable rate. For organizations running agile development or frequent cloud infrastructure changes, point-in-time testing is structurally insufficient.
Lion Security Perspective: Supply Chain - The Underserved Testing Gap
Supply chain attacks rose 22% in 2025 and now represent 30% of all security incidents. Yet very few penetration testing programs include explicit third-party dependency analysis or simulated supply chain exploitation scenarios. Security leaders should ask prospective providers how they approach supply chain risk as part of scoping conversations.
How Organizations Are Buying Penetration Testing
The procurement model for penetration testing is shifting as rapidly as the threat landscape. Understanding the dominant buying patterns, and their trade-offs, helps security leaders align their purchasing approach to their actual operational needs.
Three Dominant Procurement Models
| Model | Typical Cost | Best For | Growth Trend |
|---|---|---|---|
| Project-Based (Traditional) | $10,000–$35,000 per engagement | Compliance audits; point-in-time assurance; new technology assessments | Flat to declining as share of new contracts |
| Retainer / Credits | Pre-purchased day-banks at reduced rates | Organizations with predictable but variable testing needs across multiple assets | Steady growth - preferred by mid-market |
| PTaaS Subscription | Platform + tester access; annual contract | DevSecOps teams; continuous delivery organizations; high-change environments | 29.1% CAGR - fastest growing segment |
Testing Frequency: The Gap Between Intent and Reality
There is a significant gap between how frequently organizations want to test and how frequently they actually do. Historically, annual testing was considered standard; leading organizations have moved to quarterly assessments aligned with major releases or infrastructure changes; and early adopters of continuous models are now testing daily or with every software release.
The limiting factors are consistent: 48% of organizations report testing less frequently than desired due to tester availability constraints; 44% cite budget; and a significant portion simply lack the internal program management capacity to run frequent engagements effectively. PTaaS platforms address all three barriers by providing on-demand access, predictable subscription costs, and workflow automation that reduces the operational overhead of running frequent engagements.
The Talent Challenge
The quality of a penetration test is determined entirely by the skills of the people conducting it. The global penetration testing talent shortage is therefore not just a market dynamic - it is a direct risk factor for buyers who do not scrutinise tester qualifications carefully.
Workforce Gap at Scale
The global cybersecurity workforce gap stands at 4.8 million unfilled positions, with penetration testing among the most acutely affected specialisations. In the United States alone, over 34,000 penetration testing positions were open as of January 2025. This shortage has two important implications for buyers: it drives up the cost of quality testing, and it creates conditions where less rigorous providers field under-qualified testers to meet demand.
Certifications That Matter
| Certification | Issuing Body | Employer Demand | Focus |
|---|---|---|---|
| OSCP | Offensive Security | 35% of employers require | Hands-on exploitation; real-world lab-based exam |
| OSED / OSEP / OSWE | Offensive Security | High demand, specialised | Advanced exploitation, evasion, web attacks |
| GPEN / GWAPT / GXPN | GIAC / SANS | Strong - enterprise preferred | Network, web app, advanced pen testing |
| CEH | EC-Council | 30% of employers request | Broad ethical hacking methodology |
| CREST CRT / CCT | CREST | Required for UK/EU regulated sectors | Assurance-grade testing standards |
| Security+ | CompTIA | 25% of employers request | Foundational - not sufficient for senior testers |
Sources: Infosec Institute Top Pentesting Certifications 2025; Research.com Penetration Tester Career Data 2026; Deepstrike Certification Statistics 2025.
OSCP remains the gold standard for demonstrating hands-on exploitation competency because it requires candidates to successfully compromise machines in a live environment under time pressure, rather than pass a multiple-choice exam. When evaluating providers, ask specifically for the OSCP and advanced Offensive Security credential counts on the team that would be assigned to your engagement, not just company-wide certification totals.
Lion Security Perspective
Generative AI and large language models will reshape the talent challenge, though the direction is not straightforward. AI-augmented tooling can accelerate reconnaissance, automate repetitive testing tasks, and help smaller teams cover more ground, partially offsetting the availability gap. But the same capabilities are available to attackers. Threat actors are already using AI to discover vulnerabilities faster, generate exploit variants, and scale attacks that previously required significant human expertise. Whatever delivery model an organization chooses, providers who have not integrated AI meaningfully into their testing methodology risk falling behind the threat actors their clients are defending against.
What the Talent Shortage Means for Buyers
The talent shortage has created a two-tier market. Tier-one providers with deep, credentialed teams command premium rates and maintain waitlists; lower-cost providers increasingly rely on automation and junior staff to fill demand. Buyers focused solely on price risk receiving assessments that miss the business-logic and chained-vulnerability findings that require experienced, creative testers to surface.
The appropriate response is not to simply buy the most expensive option - it is to ask the right qualification questions during procurement: Who specifically will work on my engagement? What certifications do they hold? What is the ratio of senior to junior testers on a typical project? How does the provider validate tester quality over time? The Lion Security Marketplace evaluation framework formally assesses these dimensions for every listed provider.
The Lion Security Evaluation Standard
Every provider listed on the Lion Security Marketplace has been evaluated against a structured criteria framework built specifically for that purpose. The framework is designed to give security leaders confidence that marketplace providers meet a defined quality threshold - and to surface the differentiators that matter for specific use cases.
The framework organises evaluation across eight categories, each subdivided into specific criteria rated as Foundational (baseline for listing), Signature (positive differentiator), or Horizon (forward-looking capability).
| # | Category | What We Evaluate |
|---|---|---|
| 01 | Tester Qualifications & Team Expertise | Certifications (OSCP, GPEN, CREST), team depth, senior tester ratios, industry vertical experience |
| 02 | Testing Scope & Service Coverage | Core and advanced testing types including AI/LLM, cloud, IoT, purple team, assumed breach, and physical security |
| 03 | Methodology & Standards Compliance | PTES/OWASP/NIST alignment, MITRE ATT&CK mapping, compliance framework support (PCI, SOC 2, HIPAA, DORA) |
| 04 | Platform & Technology Capabilities | Client portal, real-time findings, ASM integration, AI-assisted testing, CI/CD and SIEM integrations |
| 05 | Reporting & Deliverables | Report quality, attack path narratives, attestation letters, retest reports, and compliance-mapped variants |
| 06 | Engagement Operations & Communication | Scoping process, critical finding SLAs, ChatOps integration, debrief quality, remediation retesting windows |
| 07 | Business & Operational Criteria | Pricing transparency, tester background screening, data handling, cyber liability insurance, analyst recognition |
| 08 | Core Competency & Focus Areas | Provider-declared specialisations (continuous testing, red team, AI/LLM, assumed breach, BAS, purple team) |
Providers are tiered as Gold (highest qualification threshold), Verified (meets all Foundational criteria with meaningful Signature coverage), or Listed (meets baseline Foundational criteria). Tier placement is reviewed annually and is adjusted based on client feedback, re-evaluation findings, or material capability changes. The full criteria framework is available from Lion Security as a standalone reference document.
Looking Ahead: Key Themes for 2026
The following themes represent the most significant forces that will shape penetration testing programs and provider capabilities over the next 12-18 months.
AI Attack Surface Assessment Becomes Standard
As AI-powered applications proliferate across the enterprise, the OWASP LLM Top 10 will become as familiar to security teams as the web application Top 10. Providers who cannot demonstrate credible AI/LLM testing capability will be disqualified from consideration by organizations with material AI deployments - and that category will encompass most of the enterprise market by end of 2026.
DORA Creates a New Benchmark for Financial Services Testing
DORA's Threat-Led Penetration Testing requirements are specific, auditor-reviewed, and cannot be met with standard commercial pen tests. Financial institutions in scope are rapidly discovering that most of their incumbent providers do not meet the independence, methodology, and documentation requirements. This will drive significant provider switching and consolidation around DORA-credentialed firms.
Continuous Testing Displaces Annual Engagements as the Default
The combination of PTaaS platform maturity, CI/CD integration capability, and growing organizational comfort with ongoing assessments will push continuous or quarterly testing from early-adopter to mainstream in the enterprise segment. Annual-only programs will increasingly be viewed as a compliance-minimum rather than a genuine security assurance posture.
Purple Teaming Graduates from Advanced Practice to Common Program Element
As threat detection investment (SIEM, EDR, SOAR) has grown, the question of whether those investments are actually working has become unavoidable. Purple team exercises directly answer that question. Organizations with mature security operations will integrate purple teaming into their annual assurance calendars alongside traditional red teaming and penetration testing.
Provider Consolidation Accelerates
Private equity interest in PTaaS has been significant, and platform capability requirements are raising the cost of competition. Smaller boutique providers will increasingly be acquired or absorbed into larger platforms. Buyers should assess provider stability and roadmap transparency as part of procurement - a provider acquired mid-engagement creates operational risk.
The Human-AI Balance in Testing Will Be Scrutinised
Fully automated pen testing platforms will make aggressive claims about coverage and speed. The market will begin to demand clearer disclosure from all providers about the ratio of human vs. automated testing, which finding categories are validated by humans, and what the false-negative rate of automated-only testing is for complex business logic vulnerabilities.
Methodology & Sources
This report is a secondary research synthesis. All market data, statistics, and findings cited are drawn from independent third-party analyst reports, academic research, and industry studies published between 2024 and early 2026. Figures presented in this report represent the external research landscape, not proprietary Lion Security data.
Future editions of this Annual Report will incorporate Lion Security Marketplace proprietary data including: provider assessment scores across the eight evaluation categories, aggregated engagement outcome data contributed by marketplace clients, buyer satisfaction metrics, and emerging trend signals from the Lion Security provider network. These additions will be clearly distinguished from externally sourced data.
Primary Sources Cited
| Category | Sources |
|---|---|
| Market Sizing | Fortune Business Insights - Penetration Testing Market Report 2025; Grand View Research - Penetration Testing Market; Cognitive Market Research - Penetration Testing Forecast 2025-2033 |
| PTaaS Growth | GigaOm Radar for Penetration Testing as a Service v4 (2025); Omdia - The Penetration Testing Market in 2025 |
| Vulnerability Data | OWASP Top 10:2025; Deepstrike - 86 Penetration Testing Statistics 2025; Appsecure Cloud Security Statistics 2025; Fidelis Security Threat Research |
| Regulatory Frameworks | European Banking Authority DORA Technical Standards; ENISA NIS2 Implementation Guidance; PCI Security Standards Council v4.0 Summary of Changes; U.S. SEC Final Cybersecurity Disclosure Rule |
| Buying Patterns | Pentera - Global State of Pentesting 2025 Survey; Deepstrike - Penetration Testing Cost 2026; Blaze Infosec - Engagement Pricing Analysis 2026 |
| Talent & Certifications | Infosec Institute - Top Pentesting Certifications 2025; Research.com - Penetration Tester Career Data 2026; Deepstrike - Cybersecurity Certification Statistics 2025; ISC2 Cybersecurity Workforce Study |
| AI & Emerging Threats | OWASP Top 10 for LLM Applications; EPAM - LLM and AI Penetration Testing 2025; OpenAI Security Research Report June 2025; MITRE ATLAS Framework |
| Supply Chain | Deepstrike - Supply Chain Attack Statistics 2025; Commvault - Top Cloud Security Threats 2025 |
About Lion Security
Lion Security is an offensive cybersecurity research and advisory firm that helps organisations select, compare, and manage penetration testing vendors and solutions. We're vendor-neutral, data-driven, and built by experts who've seen what works and what doesn't.
The Lion Security Marketplace is being built to bring transparency, rigour, and buyer confidence to the penetration testing procurement process. By establishing a structured, published evaluation standard, and applying it consistently to every listed provider, Lion Security aims to make it easier for security leaders to find the right testing partner for their specific environment, compliance context, and risk profile.
This Annual Report is the first in a planned series intended to inform the security community, share market intelligence with buyers, and raise the bar for what organisations should expect from penetration testing providers.
© 2026 Lion Security. This report is provided for informational purposes. All third-party statistics are attributed to their original sources. Lion Security makes no warranty as to the accuracy of external data cited herein. This document is intended for security leaders and procurement professionals evaluating penetration testing programs.