The cybersecurity market is rapidly changing, with new threats, new customer needs, and new ways to deliver pentesting. CTEM, continuous pentesting, and generative AI are some of the big buzzwords of the year. 

We sat down with Cyver CEO Luis Abreu to discuss the trends in pentest management for 2025, including what it means for the industry and for the Cyver Core platform. 

Continuous 

From continuous pentesting to continuous threat exposure management (CTEM), continuous is the big word for 2025. The threat of AI-driven attacks has raised awareness of threats, with more and more companies looking for continuous solutions. With pentest management, that means your platform has to integrate scanning and near-real-time pentesting into DevSecOps for faster identification and remediation of issues. 

That can mean using pentest management platforms internally, with your internal cybersecurity team. It can also be a great fit for pentest service providers, who can deliver integrations with ticket tools and offer remediation assistance directly through pentest management platforms like Cyver Core. 

“Continuous pentesting, pentest-as-a-service, whatever you want to call it, it’s the big trend. We’re seeing it with pentesting, scanners, with CTEM; your pentest platform has to support it,” says Luis. “We’re developing a lot in this area, ensuring that it’s easy to automate ongoing pentests, scans, and even red team exercises and then to blend them together. As you start to look into continuous security models, pentesters need support like automatic booking and scheduling, data retention, and historic overviews of findings. They need to be able to build on what they did yesterday, last week, last year.”

“We’ve also noticed that many testers deliver different services to different clients. The more you’re delivering that on a continuous basis, the more important it is that you have structure set up for exactly that use case, which is why our pentest platform is adding more and more versatile and customizable workflows into the tooling.” 

Integration with Regulatory Compliance 

Regulatory compliance changes in the U.S. and EU are driving more awareness of and more accountability for cybersecurity. NIS2 makes compliance leads personally responsible for cybersecurity. With that in mind, more and more organizations want to see regulatory compliance integrated into vulnerability management solutions like pentest management. That means adding tests for regulatory requirements, using benchmarks for pass/fail marks across requirements, and testing according to those standards.

Organizations need to be able to prioritize vulnerabilities according to their obligations, and that needs to be reflected in pentest management platforms. 

“The shift here is about being able to remediate, being able to talk to the customer directly, and being able to deliver direct insights to the customer. Cyver’s dashboards and insights already deliver that, and over the last year we’ve implemented new retest workflows to help with collaboration to ensure you can get your clients governance ready,” says Luis. 

Emphasis on Supply Chain Security 

Supply chain vulnerabilities accounted for a large percentage of breaches in 2024, and that is going to continue to be an issue. As large organizations increasingly harden their own environments, supply chain complexity is going to be the biggest risk. Organizations now have vulnerabilities that can be one, two, three, or even more steps back in the supply chain. Introducing ways to assess and manage those vulnerabilities will become a more and more important part of pentest management. That means getting the rights to pentest vendors and then tracking and managing those assets over the long term. For that, you need a pentest management platform complete with asset management and long-term vulnerability management. 

“These kinds of complex scenarios necessitate more complex assessments and that increasingly means red teaming,” says Luis. “We’re introducing better ways to manage and streamline red teaming in Cyver Core, alongside attack chains to simplify reporting.” 

OSaaS and CTEM 

Offensive Security as a Service, or OSaaS, brings multiple offensive strategies under a single umbrella term. It means you can deliver red teaming, scanning, threat simulation, advanced adversary emulation, crown jewel scenarios, and so on. If your pentest management platform can handle all of that, you can better meet the needs of the client by delivering everything in one platform. 

“Pentesting is a baseline; organizations need more advanced tests. Those advanced exercises take a lot of time to report, which is where Cyver Core’s new attack chains module comes in to save time, so you can streamline that reporting process too,” says Luis. 

“The single pane of glass approach, having everything on the same platform, is crucial to enabling cost-effective and valuable cybersecurity. Plus, pentesters can use Cyver to upload findings from scans, pentest those, and use that information for red team exercises. You can use the information on-hand, in your Cyver Core platform, to go deeper every time.” 

“That’s also useful for the client, who gets a full 360 overview of vulnerabilities per asset, with different types of assessments included.” 

Delivering all of those services, complete with continuous or near-real-time threat and vulnerability management, means you need tool integrations. All of your tools have to export data to the same place, where you can consolidate it, add data from your library, and share it with the customer with as little manual work as possible. 

“Building workflows and integrations has been a priority for us from day one, and now we have a very solid interface where you can link your existing tooling and import, automatically merge library data, and share with the customer immediately.” 

Balancing Automation & Human Expertise 

AI pentesting, AI defense, AI attacks: AI is the buzzword of 2024-2025. At the same time, you still need human expertise. Pentest platforms will increasingly have to leverage AI in ways that make sense, while managing and scheduling human-driven testing alongside automated scans and tests. Pentest platforms like Cyver Core are delivering tools to integrate automated testing alongside manual testing. Plus, with tooling to automate routine overhead like workflows and pentest reports, you can also leverage AI for the parts of testing that don’t need expertise. 

That will become increasingly important for both internal and external pentest teams, especially as AI pentest tools become more prevalent. That, in turn, will help pentesters navigate challenges like skill shortages. 

“We want to help pentesters automate the work they don’t want to do. You want to run your own pentests. You don’t want to report, you don’t want to manage timelines and planning, you don’t want to manage clients,” says Luis. “That’s why we’re implementing GenAI, adding automations to workflows, streamlining client and project management. This year, our focus is on adding more features, more selection and rewrite tools, and better ways to build exactly the report you want with our GenAI copilot, because it’s not enough to do something instantly, you need to be able to offer expert-driven content. The role of automation is to make it faster.” 

Collaboration Between Clients & Cybersecurity Teams 

Pentesting is increasingly integrating directly into DevOps and DevSecOps pipelines. With CTEM and vulnerability management, clients are focused on identifying and remediating vulnerabilities. All of that means involving clients in collaboration with pentesters, ensuring that stakeholders have the information to fix and validate fixes. Pentest management platforms bring those teams together, whether internally, externally, or both. That means pentest management needs robust team management, complete with role and access management and tasks to handle the needs of diverse pentesters and stakeholders.

“You need to be able to deliver insights to your client, to help the client remediate, and to validate that fixes work. Cyver Core automatically delivers those insights when you add findings to the portal, meaning the client sees impact, criticality, assets impacted, and other details without any extra work from you.” 

“Trends are going to keep changing. That’s why it’s important that we stay on top of the market and what our users need. We always collaborate with our customers to understand their use cases, so they are part of our product development. We validate solutions with clients before launch, and that’s the best way to ensure we’re delivering what customers need. Of course, we also don’t want to go around building faster horses when we could be building cars, we always look at how solutions can deliver the maximum improvement over the long term instead of directly checking the box of a request.”