Why You Got Hacked – 2025 Super Edition
Jordan has been hanging around the tech industry for 25 years now and was baited hook, line, and sinker by Napster. He’s been part of the Black Hills Information Security team for a decade in various capacities and has been a part of Antisyphon Training’s amazing growth trajectory as an instructor.

Vulnerability Data Summary
This article was written to provide readers with an overview of a selection of our pentest results from the last 15 months. This data was gathered toward the end of September 2025. Shockingly, the data does not differ much from our prior analyses conducted at the end of 2022 or 2023.
Overview of Tests Conducted
- Total Tests Conducted: 853 tests over the last 15 months.
- Total Pages Tested: 56,000 pages across various assessments.
- Average Findings and Reports:
  - 1.3 tests per report.
  - 1.2 testers per report.
  - 95 pages per report.
  - 13.5 findings per report.
Total Reports Analyzed by Service Type
| Service Type | Count |
| --- | --- |
| External Network Pentest | 305 |
| Internal Network Pentest | 200 |
| Web Application Pentest | 190 |
| Assumed Compromise Test | 112 |
| Command & Control Test | 47 |
| Cloud Security Tests | 42 |
Total Findings by Severity
| Severity Level | Number of Findings |
| --- | --- |
| Critical | 138 |
| High | 1,876 |
| Medium | 2,730 |
| Low | 1,875 |
| Informational | 1,706 |
Critical Findings
- Weak ADCS Configurations: 52 reports
- Unpatched Software: 6 reports
- Missing Authentication and Password Reuse: 5 reports
High Findings
- Unpatched Software: 218 reports
- Unsupported Software: 216 reports
- SMB Signing Not Required: 138 reports
- Password Policy Exceptions: 110 reports
- MFA-Related Findings: 108 reports
Medium Findings
- Weak Password Policy: 171 reports
- Vulnerable and Outdated Components: 163 reports
- Insufficient DLP and Egress Filtering: 123 reports
- Sensitive Data Unencrypted: 117 reports
Insights from Our Latest Pentest Findings
The Landscape of Security Vulnerabilities: Key Insights from Recent Penetration Testing
In the ever-evolving world of cybersecurity, consistent testing is vital for understanding and mitigating risks. Over the past 15 months, our firm has completed 853 penetration tests, scrutinizing 56,000 pages to uncover around 6,619 vulnerabilities that could potentially jeopardize our customers. Here’s a glimpse into the findings that caught our attention, categorized by service type.
Additional Details by Service Type
The data reveals significant risks across our penetration testing services. External Network Pentests were our most common service offering, with 305 reports. These tests underline the importance of securing the perimeter, which is usually the first line of defense against external threats.
Internal Network Pentests followed with 200 reports, which emphasized the need for robust internal security measures, particularly in a landscape where insider threats and internal vulnerabilities can lead to data breaches.
We completed 190 Web Application Pentests in this timeframe. This area is especially critical as cybercriminals increasingly target web apps to gain unauthorized access to sensitive data.
The Assumed Compromise and C2 Tests are usually combined, so let’s call this about 150 more reports. Remember, in these tests we start with a domain credential rather than having to earn one, as we do in most Internal Tests.
Finally, our Cloud Assessments comprised 42 reports, which is a service that has been growing in demand consistently.
Focus Areas for Improvement
Among the critical findings, Weak ADCS configurations topped the list with 52 reports. This vulnerability can allow certificate forgery and privileged access in mere minutes, making it a significant threat that organizations must prioritize.
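The ADCS entry above is a count, not a description of the misconfiguration. As an added example (my code, not the article's or BHIS's), the PowerShell below audits one widely documented weak-template pattern: templates where the enrollee may supply the subject name, the resulting certificate is usable for client authentication, and issuance needs no manager approval. It assumes a domain-joined Windows host with read access to the Configuration partition, and it assumes this pattern is among the "weak ADCS configurations" the article counts. It does not check enrollment permissions or which CAs publish each template, so every hit needs manual confirmation.

```powershell
# Added audit example (not from the BHIS article): enumerate AD CS certificate
# templates from the Configuration partition and flag those whose settings let
# an enrollee choose the subject name on a certificate valid for client
# authentication, with no manager approval step. Assumes a domain-joined
# Windows host; any domain user can normally read these objects.
# Enrollment ACLs and CA publication are NOT checked here.

$configNC   = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$searchRoot = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($searchRoot)
$searcher.Filter   = "(objectClass=pKICertificateTemplate)"
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange(
    @('cn', 'mspki-certificate-name-flag', 'mspki-enrollment-flag', 'pkiextendedkeyusage'))

# Documented flag bits (MS-CRTD) and EKU OIDs.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: manager approval
$clientAuthEkus = @(
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
    '2.5.29.37.0'               # Any Purpose
)

$results  = $searcher.FindAll()
$findings = foreach ($r in $results) {
    $p    = $r.Properties
    $name = [string]$p['cn'][0]

    # Missing attributes come back as empty collections; treat them as 0 / none.
    $nameFlags   = if ($p['mspki-certificate-name-flag'].Count) { [int]$p['mspki-certificate-name-flag'][0] } else { 0 }
    $enrollFlags = if ($p['mspki-enrollment-flag'].Count)       { [int]$p['mspki-enrollment-flag'][0] }       else { 0 }
    $ekus = @()
    foreach ($e in $p['pkiextendedkeyusage']) { $ekus += [string]$e }

    $enrolleeSuppliesSubject = ($nameFlags   -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $managerApproval         = ($enrollFlags -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    # An empty EKU list means the certificate is valid for any purpose, client auth included.
    $allowsClientAuth = ($ekus.Count -eq 0) -or
                        (@($ekus | Where-Object { $clientAuthEkus -contains $_ }).Count -gt 0)

    if ($enrolleeSuppliesSubject -and $allowsClientAuth -and -not $managerApproval) {
        $ekuText = if ($ekus.Count) { $ekus -join ', ' } else { '(none = any purpose)' }
        [pscustomobject]@{
            Template                = $name
            EnrolleeSuppliesSubject = $enrolleeSuppliesSubject
            ManagerApproval         = $managerApproval
            EKUs                    = $ekuText
        }
    }
}
$results.Dispose()

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No templates matched the subject-supplied + client-auth + no-approval pattern."
}
```

A listed template is a review item, not a confirmed finding: if no low-privileged principal holds enrollment rights on it, or no CA publishes it, the combination is not usable. The fix for a confirmed hit is to remove the "supply in the request" subject option, require manager approval, or restrict enrollment to the principals that actually need the template.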
Another major concern is the prevalence of unpatched and unsupported software, which featured prominently in our findings. With 218 instances of unpatched software and 216 of unsupported software, organizations need to prioritize software hygiene to mitigate these common vulnerabilities.
Moreover, findings related to Multi-Factor Authentication (MFA) highlighted critical gaps. The 108 reports with some type of MFA problem underline the urgent need for comprehensive enforcement across systems. Effective MFA practices can serve as a formidable barrier against unauthorized access attempts.
Conclusion: Time to Take Action
BHIS prides itself on sharing everything we reasonably can. This data collection and our analysis methodology may be imperfect and may contain inherent biases. But, they do align reasonably well with CISA’s claims, Verizon’s data breach summaries, and other related industry standards.
So, preparing for a pentest is a lot like preparing for modern adversaries. Herein lies a selection of the vulnerabilities we exploit consistently. Let’s make the world a better place together. We are here to help. We are here to support your cybersecurity maturity. And, we’re here to challenge the status quo and give it all away, no paywalls, no subscriptions, just the facts.
Thanks for reading! -jd
Want to keep learning from Jordan? Check out his Anti-cast with Kent Ickler airing Wednesday, 11/19, at 12PM EST on this topic:
How You Got Hacked – 2025 Data Deep Dive