Penetration testing data is one of the most informative inputs available for understanding the actual security posture of enterprise environments. Not because any individual test is comprehensive, but because aggregate patterns across hundreds of tests reveal what's consistently exploitable — the weaknesses that appear reliably regardless of industry, size, or security budget.

The following analysis draws on penetration test data aggregated across more than 500 enterprise engagements conducted over a three-year period. Organizations ranged from 200 to 50,000 employees across financial services, healthcare, manufacturing, technology, and professional services sectors. All findings are aggregated and anonymized. The patterns are consistent enough to be useful as a benchmark for any security program.

Finding 1: External reconnaissance surfaces untracked assets in 94% of engagements

Before any exploitation attempt, penetration testers perform external reconnaissance — passive OSINT and active enumeration to understand the target's external attack surface. In 94% of engagements, this phase uncovered at least one significant asset not included in the scope provided by the target organization.

The categories of untracked assets follow a consistent pattern:

In 41% of cases, one of these untracked assets became the actual initial access vector during the engagement. Organizations that provided narrow scope definitions were most likely to have critical external exposure outside that scope.

Finding 2: Credential-based attacks succeed in 71% of external engagement attempts

The dominant external initial access technique, by a substantial margin, is credential-based attack. This includes password spraying against externally exposed authentication endpoints, exploitation of credentials obtained from public breach datasets, and phishing campaigns designed to harvest credentials for MFA-protected services.

Of the 71% success rate on credential-based initial access attempts:

The persistence of credential-based attacks as the dominant initial access vector — despite being well-understood for over a decade — reflects the operational gap between knowing that credential hygiene matters and actually implementing and maintaining effective credential controls at scale.
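As an added example that is not part of the original analysis, a password-spray detector in Python over constructed logon-failure records: it flags a source that fails logons against many distinct accounts in a short window, the pattern that per-account lockout thresholds never see. The event field layout, addresses and thresholds are assumptions.

```python
# Password-spray detection over constructed Windows logon-failure records.
# A spray is the inverse of brute force: one source tries a few passwords
# against MANY accounts, so per-account lockout thresholds never trip. The
# detector therefore counts distinct failed accounts per source in a window.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events shaped like Event ID 4625 fields:
# (timestamp, source address, target account). Addresses are made up.
EVENTS = [
    ("2024-03-01T09:00:05", "203.0.113.7", "alice"),
    ("2024-03-01T09:00:09", "203.0.113.7", "bob"),
    ("2024-03-01T09:00:14", "203.0.113.7", "carol"),
    ("2024-03-01T09:00:20", "203.0.113.7", "dave"),
    ("2024-03-01T09:00:27", "203.0.113.7", "erin"),
    ("2024-03-01T09:00:31", "203.0.113.7", "frank"),
    # A user mistyping their own password: one account, several failures.
    ("2024-03-01T09:01:00", "10.0.0.12", "grace"),
    ("2024-03-01T09:01:05", "10.0.0.12", "grace"),
    ("2024-03-01T09:01:11", "10.0.0.12", "grace"),
]

def detect_spray(events, window_minutes=10, min_accounts=5):
    """Return {source: max distinct accounts} for every source that failed
    logons against >= min_accounts distinct accounts inside any window of
    window_minutes. Both thresholds are assumptions to tune per environment."""
    by_source = defaultdict(list)
    for ts, src, user in events:
        by_source[src].append((datetime.fromisoformat(ts), user))
    window = timedelta(minutes=window_minutes)
    hits = {}
    for src, rows in by_source.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            # distinct accounts in the window that opens at this event
            seen = {u for t, u in rows[i:] if t - start <= window}
            if len(seen) >= min_accounts:
                hits[src] = max(hits.get(src, 0), len(seen))
    return hits

if __name__ == "__main__":
    for src, n in detect_spray(EVENTS).items():
        print(f"possible password spray from {src}: {n} distinct accounts")
```

The single-account failures from 10.0.0.12 are deliberately left unflagged; that is the benign case a per-source distinct-account rule separates from a spray.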

Finding 3: Lateral movement to domain administrator in under 4 hours in 67% of engagements where initial access was achieved

After establishing initial access, testers attempted to escalate privileges and move laterally to the highest-value systems. In 67% of engagements where initial access was achieved, the testing team reached domain administrator or equivalent control within four hours. The median time was 2.3 hours.

The techniques responsible for most of these rapid escalations:

Kerberoasting — requesting Kerberos service tickets for service accounts and cracking them offline — succeeded in 58% of Active Directory environments. The enabling condition is consistently over-privileged service accounts with weak passwords registered for Kerberos services. This is not a new technique; Kerberoasting has been a well-documented attack path since 2014. Its continued success is an operational failure, not a knowledge gap.
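An added example, not the report's own tooling: a Kerberoasting detector in Python over constructed Windows Event ID 4769 records, flagging an account that requests service tickets for many distinct SPNs with RC4 encryption inside a short window. Field layout, account names and thresholds are assumptions.

```python
# Kerberoasting detection over constructed records shaped like Windows
# Event ID 4769 (Kerberos service ticket requested). Roasting tooling asks
# for many service tickets in quick succession and typically requests
# RC4-HMAC (etype 0x17) because those tickets crack far faster than AES.
# Ordinary clients request one or two SPNs and, on a modern domain, AES.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 fields: (timestamp, requesting account, service name, etype)
EVENTS = [
    ("2024-03-01T10:00:01", "jdoe", "MSSQLSvc/db01", 0x17),
    ("2024-03-01T10:00:01", "jdoe", "HTTP/intranet", 0x17),
    ("2024-03-01T10:00:02", "jdoe", "svc_backup", 0x17),
    ("2024-03-01T10:00:02", "jdoe", "svc_sharepoint", 0x17),
    ("2024-03-01T10:00:03", "jdoe", "CIFS/files01", 0x17),
    # Ordinary activity: two AES tickets, 35 minutes apart.
    ("2024-03-01T10:05:00", "asmith", "CIFS/files01", 0x12),
    ("2024-03-01T10:40:00", "asmith", "HTTP/intranet", 0x12),
]

RC4_ETYPES = {0x17, 0x18}      # RC4-HMAC and RC4-HMAC-EXP
EXCLUDED = ("krbtgt",)         # TGT renewals also log as 4769; not roastable

def detect_kerberoast(events, window_minutes=5, min_spns=4):
    """Return {account: (distinct SPNs, RC4 share)} for accounts requesting
    >= min_spns distinct service tickets in any window_minutes window.
    Thresholds are assumptions; tune them against the domain's baseline."""
    per_user = defaultdict(list)
    for ts, user, spn, etype in events:
        if spn.lower().startswith(EXCLUDED):
            continue
        per_user[user].append((datetime.fromisoformat(ts), spn, etype))
    window = timedelta(minutes=window_minutes)
    hits = {}
    for user, rows in per_user.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            in_win = [r for r in rows[i:] if r[0] - start <= window]
            spns = {r[1] for r in in_win}
            if len(spns) >= min_spns and len(spns) > hits.get(user, (0,))[0]:
                rc4 = sum(r[2] in RC4_ETYPES for r in in_win) / len(in_win)
                hits[user] = (len(spns), round(rc4, 2))
    return hits

if __name__ == "__main__":
    for user, (n, rc4) in detect_kerberoast(EVENTS).items():
        print(f"{user}: {n} distinct SPNs in window, RC4 share {rc4:.0%}")
```

The RC4 share is reported alongside the count because a high share on a domain that otherwise issues AES tickets is the stronger signal; the count alone will also catch legitimate batch jobs.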

Lateral movement via pass-the-hash or pass-the-ticket succeeded in 63% of environments where testers obtained local administrator credentials on a single workstation. Flat network architecture with no east-west traffic controls enabled movement from any compromised endpoint to any other system on the same network segment.

Misconfigured delegation settings in Active Directory enabled privilege escalation in 31% of environments. Unconstrained delegation configurations — particularly on non-domain-controller systems — are routinely overlooked in security reviews despite being directly exploitable by any attacker with access to a delegating system.

Finding 4: Data exfiltration was undetected in 89% of engagements

Testing teams performed simulated data exfiltration in engagements where scope permitted. Across those engagements, 89% completed without generating alerts that were reviewed by the organization's security operations team during the test window. This doesn't mean the data was unlogged — in many cases, events appeared in SIEM logs. It means those events weren't reviewed in a timeframe relevant to incident response.

The exfiltration techniques that consistently evaded detection used protocols and destinations already present in baseline network traffic: HTTPS to cloud storage endpoints, DNS tunneling over legitimate recursive resolvers, and HTTP/S traffic to domains registered to appear consistent with legitimate services used by the organization. Anomaly detection that isn't tuned to the specific organization's baseline consistently misses these techniques.
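An added example, not drawn from the dataset: a Python heuristic for the DNS-tunneling case above that scores resolver query logs on unique, long, high-entropy subdomains per zone, the name-level signal that remains when the transport path itself looks legitimate. The constructed log lines, the two-label zone rule and the thresholds are assumptions.

```python
# DNS-tunnelling heuristic over constructed resolver query logs. A tunnel
# through a legitimate recursive resolver is unremarkable at the transport
# layer, so the signal is in the names: many unique, long, high-entropy
# subdomains under a single zone. The thresholds are assumptions; a real
# deployment derives them from the organisation's own resolver history.
import math
from collections import Counter, defaultdict

# Constructed query log: (source address, queried name). Zones are made up.
QUERIES = [
    ("10.0.0.5", "www.example-corp.com"),
    ("10.0.0.5", "mail.example-corp.com"),
    ("10.0.0.5", "cdn.example-corp.com"),
    ("10.0.0.9", "a3f9c2e1b7d4.k8z1q0.tun.example.net"),
    ("10.0.0.9", "9e1d0c4b5a6f.x7w2v9.tun.example.net"),
    ("10.0.0.9", "c7b3a1f0e9d2.m4n6p8.tun.example.net"),
    ("10.0.0.9", "0d2e4f6a8c1b.r5t7y9.tun.example.net"),
]

def entropy(s):
    """Shannon entropy of s in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_domain(name):
    """Assumption: the zone is the last two labels (no public-suffix list)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def suspicious_zones(queries, min_unique=4, min_len=20, min_entropy=3.0):
    """Return {(src, zone): (unique long prefixes, mean entropy)} per hit."""
    prefixes = defaultdict(set)
    for src, name in queries:
        name = name.lower().rstrip(".")
        zone = registered_domain(name)
        prefix = name[: -len(zone) - 1]          # everything before the zone
        if len(prefix) >= min_len:
            prefixes[(src, zone)].add(prefix)
    hits = {}
    for key, labels in prefixes.items():
        if len(labels) < min_unique:
            continue
        mean_h = sum(entropy(p.replace(".", "")) for p in labels) / len(labels)
        if mean_h >= min_entropy:
            hits[key] = (len(labels), round(mean_h, 2))
    return hits

if __name__ == "__main__":
    for (src, zone), (n, h) in suspicious_zones(QUERIES).items():
        print(f"{src} -> {zone}: {n} unique long subdomains, entropy {h}")
```

Counting unique prefixes rather than raw queries is what distinguishes a tunnel from a busy CDN zone, where the same handful of hostnames repeat thousands of times.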

Finding 5: Remediation from prior-year engagements was complete in 34% of cases

For organizations that had conducted penetration tests in prior years, testers specifically attempted to exploit findings from the previous engagement's report. In 66% of cases, critical or high-severity findings from prior-year reports were either partially remediated or not remediated at all — and remained exploitable.

This is the most operationally significant finding in the dataset. Penetration testing is not a defensive control. It identifies gaps. If those gaps aren't remediated, the test cost delivers no security improvement. The 34% complete-remediation rate suggests that most organizations' penetration testing programs are generating reports that don't drive systematic remediation outcomes.

The root cause is almost always a process gap, not a knowledge gap. Findings from pen test reports need to enter the vulnerability management workflow with prioritization, ownership assignment, and tracked remediation timelines. In organizations where pen test reports are delivered to the CISO and not systematically integrated into existing remediation processes, the gap persists indefinitely.

Implications for security programs

The consistent patterns across these 500 engagements suggest that most enterprise security programs have the same structural weaknesses regardless of the specific tools they've deployed. The weaknesses are operational: incomplete asset inventory, unresolved credential hygiene issues, flat network architecture enabling rapid lateral movement, insufficient detection coverage of exfiltration techniques, and remediation processes that don't close findings from prior assessments.

These are not problems that require additional tool purchases. They require operational discipline — maintaining current asset inventories, ensuring credential controls are actually enforced, segmenting networks, tuning detection to the specific environment, and tracking remediation to completion rather than to report delivery.

Penetration tests are most valuable when they're treated as operational verification exercises rather than compliance checkboxes. What the attacker found is less important than what your detection and response program did — or didn't — do about it.