Guide to Gray Box Penetration Testing

• Predicting threats and vulnerabilities ahead of time. (45%)

• Increasing the scale of security patching. (45%)

• Creating more efficient incident response plans. (42%)

• Threat simulation to mimic a wide range of cyber threats. (39%)

• Managing cybersecurity alert fatigue. (36%)

• Threat simulation to mimic a wide range of cyber threats. (68%)

• Managing cybersecurity alert fatigue. (45%)

• Closing the cybersecurity talent shortage and skills gap. (42%)

• Automating security information and event management systems. (37%)

• Increasing the scale of security patching. (34%)

5. 97% of companies are reporting GenAI security issues and breaches. ⁵⁴

6. 24% of companies believe they can use GenAI technology to make incident response more efficient in the future. ⁴⁵

7. To combat insider threats, many companies are moving away from encouraging awareness towards behavioral adaptation. 53% of companies actively train staff on how to minimize internal risks. ⁶

8. Firms are moving toward identity-first security measures – with more than 86% adopting zero trust models. ⁷

9. By the end of the year, up to 60% of companies on supply chains will be using the risk of cybersecurity as a buying consideration when partnering with others. ⁸

10. Up to 98% of cyberattacks – against businesses and otherwise – involve social engineering, making this a key trend to prepare for across the next year. ⁹

11. Around 76% of security leaders are concerned about cyber threats evolving in sophistication – and 72% believe they are “first adopters” of technology to combat them in the years ahead. ¹⁰

12. Cybercrime costs are expected to escalate worldwide to almost $14 trillion by 2028.¹¹

13. The average cost of a data breach globally is growing to around $4.88 million, a 10% increase year-on-year.¹²

14. The industrial sector is experiencing the highest increase in data breach costs, rising by $830,000 on average year-on-year.^{13 12}

15. Data breach costs are projected to be the highest in the U.S., followed by the Middle East, Benelux, and Germany. ¹⁴

16. All four territories experience costs higher than the global average of $4.88 million, with the U.S. paying almost double this amount. ¹⁴

17. Ransomware costs victims an average of $1.85 million per incident, with attacks rising by 13% over a five-year period. ¹⁵

18. The average cost of ransom imposed by attackers increased by 500% over a year, with payments reaching an average of $2 million. ¹⁶

19. Phishing attacks currently cost companies an average of $4.88 million to bounce back from. ¹⁷

20. Business Email Compromise or BEC attacks are costing companies an average of $4.67 million per attack and account for 8.5% of all data breaches.¹⁸

21. BEC attacks have already cost businesses more than $55 billion over a decade. ¹⁹

22. Claims made on cybersecurity insurance are increasing by around 13% year-on-year. ²⁰

23. Insurance carriers report an average loss of around $100,000 per claim. ²⁰

24. Only 74% of companies have specific cybercrime insurance to cover losses. ²¹

25. Written, direct premiums for cyber insurance are expected to reach $23 billion by the end of the year. ²²

26. Ransomware accounts for 19% of all claims made on cyber insurance. ²⁰

27. On average, small businesses can expect to pay $120,000 to recover from a cyberattack. ²³

28. Only 5% of companies have allocated additional budget to their cyber programs in the past year. ⁵

29. At least six in ten businesses are raising their prices to help recover the costs incurred by cyberattacks. ²⁴

31. The average cost of downtime from a DDoS (Distributed Denial of Service) attack is $6,130 per minute. ²⁶

32. The cost of recovering from a ransomware attack is currently, on average, ten times as much as the amount attackers demand in ransom. ²⁷

33. Business owners view cyber risks as more threatening than any other cause of business loss – at 34% – surpassing natural disasters. ²⁸

34. Firms lose up to 1.3% of their market value in the month following a cyberattack. ²⁹

35. 15% of data breaches involve third parties found along the supply chain, putting several firms at risk without fault. ⁵

36. 49% of companies reported an increase in the frequency of cyberattacks in the last year. ⁵

37. 43% of companies reported an increase in the severity of cyberattacks in the last year. ⁵

38. 40% of cyber team members have personally – or have had someone else on their team - intentionally not report cyber incidents out of fear of losing their jobs. ⁵

39. 33% of companies have been late responding to a cyberattack because they were dealing with a false positive. ⁵

40. 63% of cyber teams spend four (4) or more hours per week dealing with false positives. ⁵

41. 15% of cyber teams spend more than seven (7) hours a week managing false positives. ⁵

42. Around 27% of all malware attacks right now involve ransomware. ¹⁵

43. Ransomware is the most significant contributor to cyberattack costs for small and medium-sized enterprises (SMEs), accounting for around 51% of the average – and this is projected to rise. ¹⁵

44. The financial services industry is experiencing a ransomware increase of 9% year-on-year. ¹⁶

45. Ransomware attacks are more than doubling year-on-year. ³²

46. Projections show that 76% of all organizations suffer at least one ransomware attack per year. ³³

47. 96% of ransomware attacks specifically target backup locations and repositories. ³³

48. In 77% of ransomware incidents, malicious attacks are deployed within 30 days of an initial interaction–and 54% within the initial seven days. ³⁴

49. The median time between hacker access and ransomware launch is 6.11 days for assumed and confirmed attacks. ³⁴

50. Transport for London suffered one of the highest-profile ransomware attacks, resulting in the loss of traveler contact details, Oyster card information, and bank numbers of up to 5,000 people. ³⁶

51. The healthcare industry reports the most expensive breaches at an average of $9.8 million – remaining at the top of industry costs for over a decade. ³⁶

52. More than 630 ransomware attacks affected healthcare bodies in a single year. ³⁷

53. 60% of recipients fall victim to GenAI-driven phishing attacks, comparable to traditional attack numbers. ³⁸

54. It’s estimated that 80% of phishing attacks are AI-generated, with the trend likely to continue. ³⁹

55. Tools such as ChatGPT that are available for free to the public can generate up to 30 phishing email templates every hour. ^{40 41}

56. The use of GenAI in phishing attacks has increased by at least 17% year-on-year, with experts prepared for more significant jumps. ⁴²

57. The FBI’s IC3 department recently reported almost 21,500 complaints regarding BEC attacks in one year, with losses estimating more than $2.9 billion. ⁴³

58. Companies that employ more than 1,000 people have between 83% and 97% chance of receiving BEC scams every week. ⁴⁴

59. Up to 74% of attacks involve spear phishing. ⁴⁵

60. 74% of companies claim insider threats are becoming more frequent. ⁴⁶

61. 74% of all data breaches involve some kind of human element or error. ⁴⁷

62. 44% of companies claim they suffered cloud data breaches due to human error. ⁴⁸

64. 21% of cloud incidents result in data breaches. ⁴⁹

65. 27% of business operators experience public cloud security issues, with 23% of them alone caused by misconfigurations. ⁵⁰

66. Over half of all cloud breaches occur in part due to human error. ⁵¹

67. It’s thought up to 70% of IoT or internet-connected devices are still vulnerable to attack. ⁵²

68. In a study regarding healthcare systems – within the NHS – up to 46% of IoT devices have at least one known but unaddressed risk. ⁵³

69. DDoS (Distributed Denial of Service) attacks are increasing by 20% year-on-year. ⁵⁴

71. Experts recently discovered 612 new, unique common vulnerabilities and exposures (CVEs) in one quarter. ⁵⁶

72. Average monthly CVEs considered critical leaped by 13% in a year. ⁵⁷

73. Experts estimate a 25% rise in CVEs over a year period. ⁵⁸

74. It’s thought that around 1.1% of CVEs have already been exploited and that 2% are weaponized. ⁵⁹

75. Operating systems with the most recorded CVEs include Debian Linux (8,809), Android (7,245), Linux Kernel (6,010), and Fedora (5,122). ⁶⁰

76. In a single year, over 40% of Log4j downloads were still considered vulnerable to hacking. ⁶¹

77. 38% of Log4j users were still using vulnerable versions of the application after threats were revealed and patched. ⁶²

78. Vulnerabilities within the MoveIt framework exposed more than 93 million sensitive records. ⁶³

79. Industries most affected by MoveIt vulnerabilities included education, health, and finance. ⁶⁴

80. High-profile data breaches arising recently include Ticketmaster, which saw 560 million people’s details compromised and up for sale online. ⁶⁵

81. On average, cross-industry, it takes companies 204 days to spot a data breach and 73 days to contain it. ⁶⁶

82. Financial companies take an average of 177 days to identify breaches, and 56 days to contain them. ⁶⁷

83. 9% of publicly traded U.S. companies reported data breaches in a year’s period, impacting 143 million people. ⁶⁷

84. The use of stolen credentials appears in up to 31% of data breaches. ⁶⁹

85. Across a decade, the number of U.S. data compromises per year increased from 614 to 3,205. ⁷⁰

86. Data breaches increased by 72% over two years. ⁷¹

87. U.S. data breaches impacted an estimated 353 million individuals in one year alone. ⁷⁰

88. The cost per capita of a data breach is increasing by around 1 USD per year. ¹²

89. Companies that find and contain data breaches within 200 days are saving $1 million more than those that don’t. ⁷²

90. Using AI helps companies find data breaches 108 days faster than those that don’t. ⁷²

91. It takes companies in the healthcare industry longer than any other to contain breaches. ⁷³

92. However, it takes entertainment businesses up to 287 days on average to detect a data breach compared to healthcare businesses’ average of 255 days. ⁷³

93. The healthcare industry is the third-most attacked worldwide. ⁷⁴

94. Ransomware attacks, in particular, are growing in number across the healthcare industry – growing by at least 25%. ⁷⁴

95. 68% of healthcare officials claim to have witnessed an average of two attacks a year. ⁷⁵

96. More than 70% of U.S. hospitals surveyed by the HHS are following NIST cybersecurity protocols to fight back against attacks ⁷⁶

97. Costs incurred by data breaches in healthcare are falling by 10.6% yearly. ⁷⁷

98. The overall cost of healthcare data breaches has increased by 53% since the start of the COVID-19 pandemic. ⁷⁸

99. The average cost of a data breach in healthcare was $9.77 million in 2024.⁷⁸

100. API and web application attacks on financial services companies increased by 65% over a year. ⁷⁹

101. Financial services are the third-most attacked industry based on phishing alone.⁷⁹

102. Malicious bot requests spiked by up to 69% year-on-year in the financial sector. ⁷⁹

103. Data breach costs in the finance industry increased by around 2.3% year-on-year. ¹²

104. The average financial services firm pays $5.9 million per data breach. ⁸¹

105. The average cost of a data breach in financial services ranges from $5.86 to $6.08 million. ⁸²

106. On average, up to 44% of all computers used in manufacturing are affected by ransomware, and around 62% of ransomware victims in manufacturing pay the ransom demanded of them. ⁸³

107. The average cost of a data breach in the manufacturing industry in 2024 was $5.56 million. ⁸⁰

108. Around 62% of ransomware victims in manufacturing paid the ransom demanded of them. ⁸³

109. Backdoor attacks account for 28% of malicious actions against the manufacturing industry. ⁸⁴

110. 97% of U.S. top retailers have experienced third-party data breaches in the past year. ⁸⁵

111. The average cost of security breaches in the retail industry rose by 18% year-on-year. ⁸⁶

112. The retail industry accounts for 6% of all global data breaches annually. ⁸⁷

113. The average data breach cost in the retail industry is $3.48 million. ²⁴

114. There has been a 92% spike in attacks on K-12 educational establishments. ⁸⁸

115. Educational businesses saw 265 attacks in the space of a year, an overall increase of 70%.⁸⁸

116. The U.S. accounted for 80% of known ransomware attacks during this period. ⁸⁸

117. 95% of ransomware attackers targeting higher-ed bodies attempt to access data backups. ⁸⁹

118. 95% of higher-ed bodies that report ransomware suggest they experience significant revenue loss. ⁸⁹

119. Each day of downtime costs schools up to $550,000. ⁹⁰

120. The average cost of a data breach for higher-ed bodies is around $3.65 million. ⁹¹

121. Data breaches through ransomware cost the education sector more than $53 billion in downtime over a five-year period. ⁹²

122. Global information security spending is set to increase by 15% for the year ahead. ⁹³

123. Research shows yearly spending is estimated at $183.9 billion. ⁹³

124. Investment in security services is expected to grow more than investment in software or network security. ⁹³

125. Cybersecurity budgets are growing by about 8% per year. ⁹⁴

126. The cybersecurity market has an annual growth rate of around 7.92% CAGR to the end of the decade. ⁹⁵

127. Firms could reduce cybersecurity costs by an average of $2.2 million annually when investing in AI and automation tools. ¹²

128. Companies that actively use security automation and AI spend $1.8 million less per year on breaches than those that don’t. ⁹⁶

129. Companies using security automation and AI also save more than $3 million per data breach. ⁹⁷

130. The AI cybersecurity market is set to exceed $133 billion by 2030. ⁹⁸

131. Identity and access management, a type of zero-trust security strategy, is set to exceed market worth of $24.1 billion by the year’s end. ⁹⁹

132. At least 41% of businesses now use zero-trust security architecture. ¹⁰⁰

133. 83% of IT SME professionals require employees to use multi-factor authentication, or MFA. ¹⁰¹

134. The cybersecurity industry has a talent shortage of four million professionals. ¹⁰²

135. 45% of people claim skills shortages pose the biggest challenges to cybersecurity professionals. ¹⁰²

136. Up to 570,000 cybersecurity roles remain unfilled in the U.S. alone. ¹⁰³

137. Texas, Florida, California, Colorado, Illinois, Virginia, Maryland, and New York are the states with the most U.S. cybersecurity openings. ¹⁰⁴

138. Research shows that U.S. cybersecurity jobs are expected to grow 33% by 2033. ¹⁰⁵

139. Up to 17,300 new jobs for IT security analysts are projected to open each year across the next decade. ¹⁰⁵

140. Growth of employment demand for information security analysts is 29% higher than the average demand for all occupations heading to 2033.  ¹⁰⁵

141. “Computer occupations” are expected to grow by 12%, again, 21% lower than information security analyst roles.  ¹⁰⁵

142. 63% of companies are considering implementing new technologies, such as GenAI, to support cybersecurity employment shortages.  ⁵

143. Specifically, 41% of companies already leverage GenAI to address the cybersecurity skills gap.  ⁵

144. It’s predicted GenAI will remove the need for specialized education for up to half of all entry-level roles in cybersecurity by 2028.  ¹⁰⁶

145. Around 40% of C-level executives intend to use GenAI to support critical skills shortages. ¹⁰⁷

146. Proactive management of third-party software risks is vital – at least 29% of all data breaches involve third-party attacks. ¹⁰⁸

147. Hiring talent to address growing threats is also important – and only 10% of firms are increasing their cyber hiring.  ⁵

148. Up to 53% of companies feel they’re unprepared for cybersecurity risks and attack points posed by AI.  ⁵

149. Research suggests companies adopting GenAI to support hyper-personalized training could result in 40% fewer employee-caused security incidents by 2026.  ¹⁰⁶

150. 56% of businesses intend to use AI to help train their cybersecurity professionals.  ¹⁰⁹

151. The worldwide zero trust security market is projected to be worth almost $133 billion by 2032.  ¹¹⁰

152. 33.8% of business owners believe decentralized identity management will continue to be crucial for IAM (identity and access management), with 47.1% supporting passwordless access systems. ¹¹¹

154. 41% of businesses are using AI to manage cyber alert fatigue. 38% use GenAI to support security patching, and 29% use it to automate management systems. ⁵

155. Cyber insurance policy numbers are increasing by around 11.7% yearly after a lull, and annual claims are increasing to more than 33,500. ¹¹²

156. The market size for cybersecurity insurance is set to top $20 billion. ¹¹³

157. Companies spend an average of 12% of IT budgets on measures for cybersecurity. ¹¹⁴

158. Businesses have increased the budget allocated to security by around 8.6% over the last half-decade. ¹¹⁵