Approach Cyber has released its 2025 Annual Pentest Report. In this fifth edition, we uncover a significant and concerning increase in critical vulnerabilities across web applications, APIs, and infrastructure systems. Based on over 100 real-world penetration tests carried out across 13 sectors in 2024, the report provides a stark, data-driven assessment of today’s digital threat landscape.
The findings reveal that nearly 2 out of 5 identified vulnerabilities pose high to critical risks, many of them resulting from broken access controls, misconfigured authentication, and weak patch management practices. Infrastructure security remains a weak link: nearly 60% of infrastructure flaws are rated high or critical, primarily due to outdated systems and ineffective privilege controls.
Worryingly, the report confirms that automated scanners alone are not enough. Many of the most dangerous vulnerabilities uncovered were missed by tools and only identified through expert manual testing. Real-world case studies included in the report illustrate how ethical hackers were able to chain minor flaws into full domain compromises, demonstrating the same tactics leveraged in ransomware campaigns and major breaches worldwide.
The report also highlights growing regulatory pressure, especially under NIS2 and DORA. It warns that many organisations remain unprepared for the operational and reputational risks that compliance gaps may pose in 2025.
Encouragingly, organisations that invest in regular testing and remediation efforts see significantly fewer high-risk findings, with up to 70% fewer than first-time test clients.
To support decision-makers, CISOs, and security leaders, Approach Cyber provides tailored recommendations on secure design, vulnerability management, and privilege enforcement: measures that can greatly reduce exposure in a fast-evolving threat environment.