Pentesters are now a CISO's best friend as critical vulnerabilities skyrocket
Attack surfaces are expanding rapidly, but pentesters are here to save the day
Often underestimated by CISOs, hardware and network vulnerabilities are on the rise as IoT proliferates and AI creates increasingly larger attack surfaces.
That’s according to an analysis by Bugcrowd, which found the last year has seen a massive 88% increase in hardware vulnerabilities and a doubling in network flaws.
In a new report, Inside the Mind of a CISO 2025: Resilience in an AI-Accelerated World, the firm said that 81% of security researchers had encountered new hardware vulnerabilities in the past 12 months.
Bugcrowd pointed to a 40% rise in broken access control vulnerabilities as a key factor behind rising threats. Meanwhile, sensitive data exposure was another problem area, with a 42% increase in critical vulnerabilities tied to personal information like names, addresses, and account details.
"We are in a high-stakes innovation race, but with every AI advance, the security landscape becomes exponentially more complex," said Nick McKenzie, Bugcrowd CISO. "Attackers are exploiting this complexity, but still targeting foundational layers like hardware and APIs."
The good news is that the number of critical vulnerabilities has gone down slightly year-over-year. The number of critical flaws in API targets fell by about 25%, for example, while vulnerabilities in website targets decreased by 30%.
There was a slight rise in critical vulnerabilities for Android, hardware, iOS, and network targets. Of these, broken access control is now the top category at 36%.
However, there's also been a 42% increase in sensitive data exposure and a 10% increase in API vulnerabilities as attack surfaces expand. Network vulnerabilities doubled, according to the report.
Pentesters are having a field day
This increasingly perilous threat landscape has sparked a boom time for ethical hackers and pentesters, the report noted. Across 2024, there was a 32% increase in average bug bounty payouts for critical vulnerabilities.
Bugcrowd said enterprises are focusing on critical vulnerability payouts, paying more for P1 vulnerabilities and less for P3, P4, and P5 vulnerabilities.
Despite this helping hand, CISOs are still contending with heavy workloads and growing challenges. With applications going through multiple development cycles and teams under immense pressure to release features quickly, this is creating a frantic environment where mistakes are made.
New attack vectors and often-forgotten targets like APIs and hardware are typically among those overlooked.
With this in mind, Bugcrowd said organizations should consider adding APIs and hardware to the scope of their offensive security testing programs.
They should also adopt an integrated approach to attack surface intelligence - which, the firm noted, would help to secure budgets by showing measurable improvements in security efficiency.
Naturally, the company urged enterprises to make better use of ethical hackers, pentesters, and red teamers for offensive security training.
"By using adversarial testing and objective measurement, security leaders can shift from reactive firefighting to building true resilience," said Trey Ford, chief strategy and trust officer at Bugcrowd.
"Ultimately, this enables CISOs to confidently articulate their security story and secure resources necessary to protect their organizations."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.