Pentesters are now a CISO's best friend as critical vulnerabilities skyrocket
Attack surfaces are expanding rapidly, but pentesters are here to save the day
Often underestimated by CISOs, hardware and network vulnerabilities are on the rise as IoT proliferates and AI creates increasingly larger attack surfaces.
That’s according to an analysis by Bugcrowd, which found the last year has seen a massive 88% increase in hardware vulnerabilities and a doubling in network flaws.
In a new report, Inside the Mind of a CISO 2025: Resilience in an AI-Accelerated World, the firm said that 81% of security researchers had encountered new hardware vulnerabilities in the past 12 months.
Bugcrowd pointed to a 40% rise in broken access control vulnerabilities as a key factor behind rising threats. Meanwhile, sensitive data exposure was another problem area, with a 42% increase in critical vulnerabilities tied to personal information like names, addresses, and account details.
"We are in a high-stakes innovation race, but with every AI advance, the security landscape becomes exponentially more complex," said Nick McKenzie, Bugcrowd CISO. "Attackers are exploiting this complexity, but still targeting foundational layers like hardware and APIs."
The good news is that the number of critical vulnerabilities has gone down slightly year-over-year. The number of critical flaws in API targets fell by about 25%, for example, while vulnerabilities in website targets decreased by 30%.
There was a slight rise in critical vulnerabilities for Android, hardware, iOS, and network targets. Of these, broken access control is now the top category at 36%.
However, there's also been a 42% increase in sensitive data exposure and a 10% increase in API vulnerabilities as attack surfaces expand. Network vulnerabilities doubled, according to the report.
Pentesters are having a field day
This increasingly perilous threat landscape has sparked a boom time for ethical hackers and pentesters, the report noted. Across 2024, there was a 32% increase in average bug bounty payouts for critical vulnerabilities.
Bugcrowd said enterprises are focusing on critical vulnerability payouts, paying more for P1 vulnerabilities and less for P3, P4, and P5 vulnerabilities.
Despite this helping hand, CISOs are still contending with heavy workloads and growing challenges. With applications going through multiple development cycles and teams under immense pressure to release features quickly, the result is a frantic environment in which mistakes are made.
New attack vectors and often-forgotten targets such as APIs and hardware are typically among those overlooked.
With this in mind, Bugcrowd said organizations should consider adding APIs and hardware to the scope of their offensive security testing programs.
They should also adopt an integrated approach to attack surface intelligence - which, the firm noted, would help to secure budgets by showing measurable improvements in security efficiency.
Naturally, the company urged enterprises to make better use of ethical hackers, pentesters, and red teamers for offensive security training.
"By using adversarial testing and objective measurement, security leaders can shift from reactive firefighting to building true resilience," said Trey Ford, chief strategy and trust officer at Bugcrowd.
"Ultimately, this enables CISOs to confidently articulate their security story and secure resources necessary to protect their organizations.”
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.