A quarter of critical vulnerabilities exposed during penetration tests are not being remediated by businesses

Oliver Pinson-Roxburgh Headshot
Written by Oliver Pinson-Roxburgh
CEO & Co-Founder

Stevenage, 15th February - Today, new research from cyber security specialist Bulletproof found the extent to which businesses are leaving themselves open to cyber attack. The research found that when tested, 28% of businesses had critical vulnerabilities - vulnerabilities that could be immediately exploited by cyber attacks. A quarter of businesses neglected to fix those critical vulnerabilities, even though penetration testing had highlighted them to the business after a retest was completed.

The research, taken from the 2022 edition of Bulletproof's Annual Cyber Security Industry Report analysed data from over 3,800 days' worth of penetration testing services delivered via the business' Defense.com platform over the course of 2021. These tests are a means of identifying vulnerabilities within an organisation's security systems by simulating how malicious actors would seek to exploit such shortcomings. The top three critical issues found in Bulletproof's research included:

  • Outdated & vulnerable components [37 %]
  • Broken access control [11%]
  • SQL injection [7%]

With the government's renewed ambition to tackle cyber resilience across the supply chain and MSPs facing fines in the millions if they cannot adhere to new regulations, the need for a more comprehensive approach towards cyber security is a high priority. Many vulnerabilities that are not addressed within the first year are never remediated, and more stringent regulation means businesses must begin to address these historic vulnerabilities if they are to avoid sanctions and remain secure.

Oliver Pinson-Roxburgh, CEO at Bulletproof, said: “Our research found that even when alerted to critical vulnerabilities which could be exploited by attackers, a quarter of businesses chose to leave them and hope for the best. In reality this proportion is likely to be much higher, considering that our research was only from companies who actually had a retest. This complacency has contributed to the huge growth industry that is cybercrime today.

“Most businesses we work with do tackle the highest priority threats, but they are faced with limited time and resources. The problem we see is that almost every business is expanding its digital capabilities now, and this has led to an explosion of critical vulnerabilities as the attack surface grows. Most security teams I speak to are struggling to keep on top of even high-priority patches.

“The solution is a defence in depth approach, layering multiple cyber resilience tools and tactics to thwart potential attackers and protect critical business functions. With the looming threat of new regulation for non-compliant MSPs on the horizon, it will be interesting to see how far security teams can go in addressing these vulnerabilities over the next 12 months.”

Notes to editor: 3,825 days' worth of penetration testing services were delivered over the 12-month period.


For more information, please contact bulletproof@resonancecrowd.com or call 0208 819 3170.

About Bulletproof

Bulletproof is a trusted provider of innovative cyber security and people-powered solutions. Our cyber security services are the best way to stay ahead of the hackers, take control of infrastructure and protect business-critical data.

With our own in-house UK Security Operations Centre (SOC) and years of industry experience, we help to protect our customers from current and emerging security threats. We provide a full spectrum of cyber security services including CREST-certified penetration testing, 24/7 threat monitoring, compliance support and security training to help organisations protect against today's evolving threat landscape.


Related resources

Our experts are the ones to trust when it comes to your cyber security

CREST approvedCREST approvedCREST approved
Payment card industry data security standardPayment card industry data security standardPayment card industry data security standard
ISO 27001 certifiedISO 27001 certifiedISO 27001 certified
ISO 9001 certifiedISO 9001 certifiedISO 9001 certified
Government G-Cloud supplierGovernment G-Cloud supplierGovernment G-Cloud supplier
Crown commercial service supplierCrown commercial service supplierCrown commercial service supplier
Cyber EssentialsCyber EssentialsCyber Essentials
Cyber Essentials PlusCyber Essentials PlusCyber Essentials Plus

Get a quote today

If you are interested in our services, get a free, no obligation quote today by filling out the form below.

For more information about how we collect, process and retain your personal data, please see our privacy policy.