In cybersecurity, the discovery of assets and vulnerabilities is table stakes. What makes offensive security valuable today is its ability to prioritize remediation of issues that matter most to a business.  

Modern security and development teams are inundated with challenges that demand their attention, leading to higher pressure in an already stressful role. What’s needed most is risk-based prioritization of vulnerabilities to help direct remediation efforts. NetSPI’s inaugural Offensive Security Vision Report delivers on this with data-backed prioritization of attack surfaces, vulnerabilities, and more.  

We worked hard to find an anonymized, yet still useful, way to share the trends we see across more than 240,000 hours of pentesting each year, and we are excited to share those insights with you.

Methodology 

Our report is based on analysis of over 300,000 anonymized findings from thousands of 2022 pentest engagements. Here’s the approach we took:

  1. We identified the top 30 most prevalent vulnerabilities in each of our six core focus areas, or “attack surfaces” [web, mobile, and thick applications, cloud, and internal and external networks].
    A finding was only counted if it met all of the following criteria:
  • Its severity was medium, high, or critical (low and informational findings were excluded).
  • It was observed in multiple instances across different company environments, not just repeatedly within one.
  • It was actually exploited on more than one occasion, rather than only reported as theoretically exploitable.
  2. Then we asked our in-house offensive security experts to manually select, from that list, the three to five findings per attack surface that security teams should prioritize, based on likelihood and impact.
  3. Lastly, we analyzed the data for key trends across attack surfaces and industries.
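The three-step method above is, in effect, a filter-and-rank pipeline over finding records. The following is an added illustration written for this page, not NetSPI's own tooling or data: it applies the three selection criteria to a small constructed set of finding instances, ranks what survives by prevalence, and then scores each surviving finding by likelihood times impact to pick the per-surface shortlist. The record layout, the severity weights, the exploit-rate likelihood proxy and the sample findings themselves are all assumptions made for the example.

```python
"""Risk-based ranking of pentest findings (illustrative, not NetSPI's code).

Applies the report's three selection criteria to constructed sample data,
ranks survivors by prevalence, and scores them by likelihood x impact.
"""
from collections import defaultdict

# Assumed severity weights used as the 'impact' factor.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
REPORTABLE = {"critical", "high", "medium"}   # criterion 1

# Constructed sample: one record per finding *instance*, as a pentest
# platform might export it. 'org' is an anonymised customer identifier.
FINDINGS = [
    {"title": "SQL injection", "surface": "web", "severity": "critical", "org": "A", "exploited": True},
    {"title": "SQL injection", "surface": "web", "severity": "critical", "org": "B", "exploited": True},
    {"title": "SQL injection", "surface": "web", "severity": "high", "org": "C", "exploited": False},
    {"title": "Missing HSTS header", "surface": "web", "severity": "low", "org": "A", "exploited": False},
    {"title": "Weak domain password policy", "surface": "internal", "severity": "high", "org": "A", "exploited": True},
    {"title": "Weak domain password policy", "surface": "internal", "severity": "high", "org": "A", "exploited": True},
    {"title": "Kerberoastable service account", "surface": "internal", "severity": "high", "org": "B", "exploited": True},
    {"title": "Kerberoastable service account", "surface": "internal", "severity": "high", "org": "C", "exploited": True},
    {"title": "Kerberoastable service account", "surface": "internal", "severity": "medium", "org": "D", "exploited": True},
    {"title": "Verbose error messages", "surface": "web", "severity": "medium", "org": "A", "exploited": False},
    {"title": "Verbose error messages", "surface": "web", "severity": "medium", "org": "B", "exploited": False},
]


def aggregate(findings):
    """Group instances by (surface, title), dropping low/info up front
    (criterion 1), and collect the statistics the other criteria need."""
    groups = defaultdict(lambda: {"count": 0, "orgs": set(), "exploited": 0, "max_sev": 0})
    for f in findings:
        if f["severity"] not in REPORTABLE:
            continue
        g = groups[(f["surface"], f["title"])]
        g["count"] += 1
        g["orgs"].add(f["org"])
        g["exploited"] += int(f["exploited"])
        g["max_sev"] = max(g["max_sev"], SEVERITY_WEIGHT[f["severity"]])
    return groups


def select(findings, min_orgs=2, min_exploits=2):
    """Criteria 2 and 3: seen in several distinct environments and
    actually exploited more than once. Thresholds are assumptions."""
    return {key: g for key, g in aggregate(findings).items()
            if len(g["orgs"]) >= min_orgs and g["exploited"] >= min_exploits}


def score(g):
    """Likelihood x impact. Likelihood is the share of instances that were
    exploited; impact is the worst severity observed for the finding."""
    return (g["exploited"] / g["count"]) * g["max_sev"]


def rank(findings, top_n=30):
    """Step 1: most prevalent findings first, ties broken by score."""
    chosen = select(findings)
    ordered = sorted(chosen.items(), key=lambda kv: (-kv[1]["count"], -score(kv[1]), kv[0]))
    return [(surface, title, g["count"], round(score(g), 2))
            for (surface, title), g in ordered[:top_n]]


def prioritize(findings, per_surface=3):
    """Step 2: per attack surface, the short list to fix first, by score."""
    by_surface = defaultdict(list)
    for (surface, title), g in select(findings).items():
        by_surface[surface].append((round(score(g), 2), title))
    return {s: [t for _, t in sorted(v, reverse=True)[:per_surface]]
            for s, v in by_surface.items()}


if __name__ == "__main__":
    for row in rank(FINDINGS):
        print(row)
    print(prioritize(FINDINGS))
```

Note what the criteria throw away in the sample: the weak password policy was exploited twice but only ever at one organisation, and the verbose error messages were seen at two organisations but never exploited, so neither makes the list. That is the point of criteria 2 and 3: prevalence alone would rank noisy, low-likelihood findings above the ones attackers actually use.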

The vulnerabilities in the report were selected on likelihood and impact. We recommend that any business with these attack surfaces test for, and remediate, the security concerns highlighted in our Vision Report. 

State of Remediation 

We also surveyed several cybersecurity leaders from around the world to gauge the current state of remediation. A key narrative throughout our report, and made evident in our survey results, is that a lack of resources and prioritization are the two greatest barriers to timely and effective remediation. Yet, survey data showed security teams have limited plans for hiring in the coming year, especially when it comes to entry-level cybersecurity talent.  

Even though security resources will remain tight, prioritization is one lever security leaders can pull themselves, so that every open issue no longer competes for attention with equal weight. Our report analyzed industries, attack surfaces, and vulnerabilities to distill where the greatest risk to an organization lies, and therefore what to investigate and remediate first. 

Let’s start with industries.

Top 3 industries with the largest percentage of high & critical vulnerabilities:

  • Government & Non-profit 
  • Healthcare 
  • Education 

Top 3 industries with the lowest percentage of high & critical vulnerabilities:

  • Energy & Utilities 
  • Financial Services 
  • Insurance 

On average, the highest share of critical and high severity vulnerabilities was found in the government and non-profit sector, while insurance and financial services had the lowest share of the same severities. We found it notable that two of the most highly regulated industries landed at opposite ends of this spectrum.  

We also asked survey respondents to share their average remediation SLAs, that is, the due dates they set for each of the four severity levels. In the report, you’ll find data from your peers that can help you benchmark or revise your own SLAs.

Vulnerabilities to Prioritize 

Our report analyzed six core areas: web, mobile, and thick applications, cloud, and internal and external networks. As detailed in the methodology, our expert offensive security team manually evaluated the top findings for each and identified the three to five vulnerabilities whose discovery and remediation should be prioritized.  

The report includes a complete list of all the vulnerabilities we researched, alongside detailed remediation tips from our team.

During the analysis, we also examined overarching trends across the attack surfaces. Two major findings include:  

  • Web applications have a higher prevalence of high and critical vulnerabilities than mobile and thick applications. 
  • We also analyzed entry points, that is, vulnerabilities that were confirmed exploitable rather than merely reported, and found that internal networks have nearly three times as many exploitable vulnerabilities as external networks. 

Dig into the Data for Yourself 

Remember, offensive security is only as valuable as its ability to help prioritize remediation of the issues that matter most to your business. Arm yourself and your team with the insights necessary to add prioritization to your remediation efforts.  

Our Vision Report covers:  

  • Impactful vulnerabilities that are most pervasive across core application, cloud, and network attack surfaces 
  • Which attack surface presents the least/most risk 
  • Industries that hold the lowest/highest risk 
  • Today’s requirements for remediation due dates 
  • The greatest barriers to timely and effective remediation