summing up the annual results of testing of client companies

Maximum severity level of vulnerabilities identified during internal pentesting (share of total number of projects)


Although critical vulnerabilities related to insecure configuration are few (6%), a combination of several lower-risk vulnerabilities from this category can lead to maximum privileges in the Active Directory domain. With such privileges, an attacker gains full control over the organization's IT infrastructure, including access to business process management, confidential data, and accounts.

What's the bottom line?

Penetration testing consistently shows that organizations have a fairly low level of security. During this work, our researchers help identify weak points in key and target systems, thereby showing companies that real attackers could carry out an unacceptable event. The share of companies vulnerable to an external intruder remained the same as in 2022, at 96%. In the organizations where access to the internal network was obtained, full control over domain resources was established in 100% of cases. In 2022, this figure was also at its maximum.

It should be noted that organizations that regularly conduct pentests and take appropriate security measures based on the results ultimately achieve a higher level of security.

The full version of the study, as well as recommendations for protection, can be found in the article on the website.


If you liked the article, want to share your opinion, argue with the above, or learn more about the specifics of an information security analyst's work, write in the comments below the publication. Until the next batch of data!

Grigory Prokhorov

Analyst from the PT Cyber Analytics team, Positive Technologies
