How ethical hacking and pentesting is changing in 2022
Cybersecurity and information technology are constantly changing, so it’s no surprise that ethical hacking and pentesting are evolving with it.
CompTIA recently performed a job task analysis for its PenTest+ certification, and organizations are seeing changes in the job role. It's also an industry that's seeing tremendous growth as more organizations continue to invest in web applications and other technology that can potentially be exploited by malicious actors.
According to Patrick Lane, CompTIA’s director of certification product management, the global pentesting market size is on a growth trajectory from $1.6 billion to $3 billion by 2026, a 13.8% growth rate.
“The market is going to double over the next five years as far as funds go. Opportunities, cloud pentesting is growing rapidly,” Lane said in a recent Infosec Edge Webcast. “We’ve got to train more people to do these jobs.”
3 ways penetration testing is changing
Infosec’s principal security researcher, Keatron Evans, mentioned in a recent webcast on penetration testing that cloud components to pentesting are on the rise, which is something Lane echoed.
He said there is a new trend and emphasis on cloud pentesting, a focus on segmentation testing, and pentesting containers and APIs.
1. Emphasis on cloud pentesting
“My company’s done about 17 large pentests this year, 2021, and every single one of them had a cloud component to it. That’s the first time that’s happened,” Evans said. “And most of them had more than 50 percent cloud involvement. You want to make sure you’re properly marrying your understanding and master of cloud technologies to your building up of your pentest skills.”
Lane echoes these sentiments. “Cloud pentesting is growing rapidly,” he said. “If more of these systems are in the cloud vs. on-premises, you need to learn how to do cloud penetration testing because you’re going to be pentesting hybrid environments — which are partially in the ground and partially in the cloud.”
2. Focus on segmentation testing and zero trust
Segmentation testing is also becoming more popular, said Keatron.
“I’ve always done a lot of penetration testing for companies in the financial sector,” Keatron said.
These companies have regulations, need to segment credit card data and more.
However, the focus on zero trust is expanding the focus on segmentation testing to organizations outside the financial sector, Keatron said. By its nature, zero trust requires an understanding of where those segments in an organization are and where you should or should not be trusting.
“I’m seeing an uptick in organizations asking us to help them find out where those segmentation points are so they can actually start to build a zero-trust framework within their environments,” Keatron said.
3. Pentesting containers and APIs
Keatron said a lot of the things he’s testing now aren’t real servers or virtual machines, but rather things like containers or other services. For example, Keatron said his team is testing a lot of APIs vs full-fledged applications.
“A lot of times the website that you’re testing doesn’t even exist until, for example, an API triggers some function and makes that website exist. And it might exist different from me than it would for you because the APIs decided you need to see the website a certain way.”
In short, these new, more complex mechanics and architectures that are happening with cloud and containers and APIs need to be tested for security.
“If you’re coming into the industry or are already in it and want to beef up your skills you need to focus on that,” Keatron said.
Future of penetration testing careers
“We have to deal with the rise in regulation and compliance that mandate pentesting,” Lane said. “Most regulations only require a few pentests per year, maybe two. We should probably be doing more pentests than that annually, and more vulnerability assessments. And so we’ve got to train more people to do these jobs.”
Pentesting, like the cybersecurity industry at large, has a lack of skilled professionals to work in the field. Lane said a lack of pentesting and red teaming skills rank in the top 10 when it comes to the biggest skills shortage in cybersecurity. Another challenge it has is the ability of security teams to communicate with the business side. You need to be able to report issues like data breaches and phishing attacks.
With this evolution and the continual threat of bad actors, pentesting is here to stay as an important part of cybersecurity.
“We’re going to be battling bad actors for the foreseeable future,” Lane said.
In this Series
- How ethical hacking and pentesting is changing in 2022
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
- Exploiting NFS share [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness
Penetration testing