As technologies like edge computing, quantum computing, and AI become more popular, they are poised to change our view of cybersecurity and how it works. Of these, artificial intelligence, most notably LLMs and generative AI, is the most concerning. Today, pentesters have to be aware of the risks of deepfakes, generated spear-phishing attacks, and threat actors who don’t behave in predictable ways because they have no idea what they are doing. That problem already existed 10 years ago, when threat actors simply bought malware; it has now escalated and is part of the 700% increase in attacks against major organizations over the last year. Cybersecurity trends are changing not just the types of threats we’re looking at but also their severity, frequency, and likelihood.

Some of these trends matter now, and to external pentest teams. Others are more of a concern for internal cybersecurity teams. After all, you can’t pentest cybersecurity gaps like people, who are facing increasing difficulty telling spear phishing from real emails and calls. At the same time, plenty of trends translate directly into pentesting best practices for next-gen threats.

We talked with Cyver CEO Luis Abreu about how pentesting is responding to next-gen threats.

Step Away from One-Touch Pentesting 

Organizations increasingly have to prepare for an onslaught of attacks, all the time. That means having firewalls and good security settings. It also means improving cybersecurity to keep up with continuous development. Today, VAPT has evolved into continuous pentesting, OSaaS, pentest-as-a-service, and CTEM. That brings the best of both worlds: automation for near-real-time alerts, and manual review with human expertise.

Nowhere is that need more present than in cases like Amazon, which saw a 7x increase in attacks per day. That is driven by AI-enabled attacks, new threat actors using GenAI-created malware, and new ways threat actors leverage tooling. When attacks are continuous, defense has to be as well.

“The traditional pentest has been you get one assessment a year, normally in alignment with compliance needs, and receive a 100+ page report. Internally, companies then have to break that down, distribute it out, and make sure vulnerabilities turn into work tasks and remediation. That kind of one-touch pentesting is rapidly becoming a thing of the past,” says Luis. “When we founded Cyver Core, we had one real competitor. Now, a few short years later, we have 7+. The market for continuous pentesting and pentest-as-a-service is growing, because pentesters have to deliver ongoing security. It’s not enough to look at vulnerabilities once a year anymore; you need real-time scans paired with manual review and assessment, delivered in a format that allows client teams to easily pick up the work and make the fixes.”

Look at AI as an Attack Surface 

Everyone is implementing AI. That’s not just organizations deploying agentic AI and chatbots, but also their people. Shadow AI is the concept that organizations will have many AI implementations they simply aren’t aware of. Those implementations will live on personal devices, mobile devices, and so on, and they will have access to company data. That attack surface is unknown, and it’s important to pentest for it.

“When more and more people start relying on AI, they install their own. That leads to increased attack surface, increased risk of data leakage, and of course, increased opportunities for prompt injection. Pentesting will have to take this attack surface into account to keep organizations safe.”

Assess Zero-Trust Architecture and Capabilities 

As AI, deepfakes, spear phishing, and prompt injection make it harder and harder to tell what or who is real on the internet, multi-factor authentication and zero trust become more and more important. Testing for MFA or passkey usage, and where they are applied, should become the norm for many pentesters. That’s especially true in finance, where deepfakes put funds at risk. The case in point, a $25 million payout following what a finance worker believed was a real video call with their CFO, could have been prevented by having multiple persons involved in authenticating the payment. That means assessing not just whether MFA capabilities are present but also whether they are actually being used.

“If you can’t trust someone is who they say they are, the solution is to validate that trust with device-based passkeys and prompts. Not every organization will have the means to create these kinds of controls but they should be increasingly common and required in finance, data governance, and other regulated roles.” 
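The “present versus actually used” distinction above is easy to lose in a checkbox review. The script below is an added example, not code from the article or from Cyver, of how a pentester might audit that from an identity-provider user export. The record format, the role names, the factor names, and the sample users are all assumptions for illustration; a real review would feed it the IdP’s admin export plus the sign-in log for the review window.

```python
"""Audit MFA coverage: enrolled vs actually used, per user and per role.

Added example (not from the original article or from Cyver). Input format,
role names and factor names are assumptions: one record per user with the
factors registered in the IdP AND the factors seen in sign-in logs.
"""
from dataclasses import dataclass, field

# Passkeys/FIDO2 resist phishing and deepfake social engineering;
# SMS, voice and email codes can be phished, relayed or SIM-swapped.
PHISHING_RESISTANT = {"passkey", "fido2"}
WEAK_FACTORS = {"sms", "voice", "email"}

# Roles the article singles out as needing the strongest controls (assumed names).
HIGH_RISK_ROLES = {"finance", "data-governance", "admin"}


@dataclass
class User:
    login: str
    role: str
    enrolled: set = field(default_factory=set)  # factors registered in the IdP
    used: set = field(default_factory=set)      # factors seen in sign-in logs


def audit_user(u):
    """Return the list of findings for one user (empty list means clean)."""
    findings = []
    if not u.enrolled:
        findings.append("no MFA enrolled")
    elif not u.used:
        findings.append("MFA enrolled but never used in review window")
    if u.role in HIGH_RISK_ROLES and not (u.used & PHISHING_RESISTANT):
        findings.append("high-risk role without phishing-resistant factor in use")
    if u.used and u.used <= WEAK_FACTORS:   # every factor actually used is phishable
        findings.append("only weak (phishable) factors in use")
    return findings


def audit(users):
    """Summarise coverage: how many users have MFA present vs actually used."""
    report = {"total": len(users), "enrolled": 0, "used": 0, "findings": {}}
    for u in users:
        report["enrolled"] += bool(u.enrolled)
        report["used"] += bool(u.used)
        f = audit_user(u)
        if f:
            report["findings"][u.login] = f
    return report


# Constructed sample export, not real data.
SAMPLE = [
    User("alice", "finance", {"passkey", "totp"}, {"passkey"}),
    User("bob", "finance", {"totp", "sms"}, {"sms"}),
    User("carol", "engineering", {"totp"}, set()),
    User("dave", "admin", set(), set()),
    User("erin", "sales", {"sms"}, {"sms"}),
]

if __name__ == "__main__":
    r = audit(SAMPLE)
    print(f"MFA enrolled: {r['enrolled']}/{r['total']}, actually used: {r['used']}/{r['total']}")
    for login, f in r["findings"].items():
        print(f"  {login}: {'; '.join(f)}")
```

On the constructed sample, four of five users have MFA enrolled but only three ever use it, and the finance user who does sign in only ever does so with SMS. A coverage number alone (“80% enrolled”) would have hidden both problems.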

Pentest Supply Chains 

Supply chain vulnerabilities are nothing new. But as cloud and edge computing add more and more complexity to supply chains, organizations may find they have vulnerabilities one, two, or six steps back in the supply chain. That’s why it’s important to involve vendors in pentesting and cybersecurity.

“We expect it to become more and more normal to see large organizations asking for rights to pentest suppliers. At the least, organizations should be mapping and understanding risks there, which may fall on the pentester.” 
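Mapping how many steps back a supplier sits is the part of this work that lands on the pentester. The following is an added example, not code from the article or from Cyver, of doing that over a dependency graph: it reports each component’s distance from the organization and traces every path by which a weak component reaches it. The graph, the vendor names, and the “affected component” are constructed for illustration; real input would come from an SBOM or vendor questionnaires.

```python
"""Map supplier depth and trace exposure paths through a supply chain.

Added example (not from the original article or from Cyver). The graph
below is constructed: keys are components (the org, its vendors, their
vendors), values are what each one depends on. All names are hypothetical.
"""
from collections import deque

# Constructed dependency graph: who depends on whom.
SUPPLY_CHAIN = {
    "acme-corp":       ["payroll-saas", "cdn-provider", "edge-gateway"],
    "payroll-saas":    ["cloud-host", "auth-lib"],
    "cdn-provider":    ["cloud-host"],
    "edge-gateway":    ["firmware-vendor"],
    "firmware-vendor": ["chip-sdk"],
    "chip-sdk":        ["auth-lib"],
    "cloud-host":      [],
    "auth-lib":        [],
}


def hops_from(root, graph):
    """Shortest number of supplier hops from root to every reachable component (BFS)."""
    dist = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in dist:
                dist[dep] = dist[node] + 1
                queue.append(dep)
    return dist


def paths_to(root, target, graph):
    """Every dependency path from root to target, so a finding in target can be
    traced to each direct vendor that carries the exposure into the org."""
    paths, stack = [], [(root, [root])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for dep in graph.get(node, []):
            if dep not in path:          # guard against cycles in messy SBOM data
                stack.append((dep, path + [dep]))
    return sorted(paths)


def exposure_report(root, affected, graph):
    """For a component with a known weakness, list each path and its hop count."""
    return [{"path": p, "hops": len(p) - 1} for p in paths_to(root, affected, graph)]


if __name__ == "__main__":
    for comp, h in sorted(hops_from("acme-corp", SUPPLY_CHAIN).items(), key=lambda kv: kv[1]):
        print(f"{h} hop(s) back: {comp}")
    for e in exposure_report("acme-corp", "auth-lib", SUPPLY_CHAIN):
        print(" -> ".join(e["path"]), f"({e['hops']} hops)")
```

In the constructed graph the same library reaches the organization twice: two hops back through the payroll vendor, and four hops back through the edge gateway’s firmware supplier. The second path is the kind of exposure a questionnaire sent only to direct vendors never surfaces.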

Look for Futureproofing Where It’s Relevant 

Quantum is on everyone’s lips. That’s important because it will break today’s public-key encryption standards, and in the near future: most experts currently put that at 5-10 years. This means most organizations don’t have to worry about it yet, and you should only be looking at these kinds of prospective vulnerabilities for very large and high-risk organizations. The exception is data that must stay confidential beyond that horizon: an attacker can record encrypted traffic now and decrypt it once a capable quantum computer exists, so long-lived secrets are the one case where quantum-safe readiness is worth assessing today.

“Quantum will break our encryption at some point – but not today and not tomorrow. We have to move towards quantum safe encryption algorithms, but for the moment, that’s only relevant for large organizations and nation states. For the rest of us, it may be better to wait for that technology to become more accessible and then be ready to implement when it is.” 

Put the Focus on Remediation 

Ultimately, cybersecurity is not about pentesting. It doesn’t matter how good your pentest report is if your client reads it, tucks it away, and next year you deliver 125 pages of report instead of 100. Cybersecurity trends mean attacks are faster, better, and more automated than ever before, so it’s critical that vulnerabilities actually get fixed. That’s why organizations like Gartner point to the trend towards CTEM (Continuous Threat Exposure Management) and pentest portals, where pentesters deliver results directly to stakeholders. Platforms like Cyver Core mean stakeholders get notifications as vulnerabilities come in, can discuss those results with the pentester, and then track remediation. With the option to validate remediations, that puts stakeholders in control of their cybersecurity.

“Cybersecurity has to be more about remediation. Pentest reporting isn’t enough. The client has to make tickets, fix issues, and then check that they’re resolved. That will require more than best practices from the point of the pentester, it means that organizations have to shift their approach and mindset when it comes to cybersecurity. Still, providing those opportunities means organizations will have a better chance at defending themselves from an unending barrage of AI-driven attacks.”