{"id":77112,"date":"2026-06-22T23:06:04","date_gmt":"2026-06-22T23:06:04","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=77112"},"modified":"2026-06-22T23:06:05","modified_gmt":"2026-06-22T23:06:05","slug":"moving-from-compliance-pentesting-to-risk-based-pentesting","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/moving-from-compliance-pentesting-to-risk-based-pentesting\/","title":{"rendered":"Moving from compliance pentesting to risk-based pentesting"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">In IBM\u2019s 2024 Cost of a Data Breach Report, the global average cost of a breach reached USD 4.88 million, and the United States recorded the highest average at USD 9.36 million. IBM says the research was conducted independently by Ponemon Institute across 604 organizations in 16 countries and regions, so these figures carry weight beyond vendor opinion. If you\u2019re already investing in pentesting, with help from an internal team, an external partner or <a href=\"https:\/\/xbow.com\/\">XBOW<\/a>, because a framework, insurer or customer expects it, the more useful question is where that effort should start.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For security leaders, IT teams and compliance owners, risk-based pentesting answers that question more directly. It starts with the systems that carry the most operational and commercial weight, then works outward. That gives you a clearer route from testing to action.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Audit boxes are nice. Priorities are better<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">A test can satisfy a requirement and still leave your most sensitive systems waiting their turn.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">IBM found that 70% of organizations experienced significant or very significant business disruption after a breach, and 63% said they planned to raise the price of goods or services afterward. 
Seen from that angle, pentesting is a business issue as much as a technical one. It affects revenue, customer experience and the pressure on your team when something goes wrong.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That is why a risk-based approach tends to serve US organizations better in day-to-day practice. Instead of spreading effort evenly across whatever landed inside a compliance scope, you start with the assets that would hurt most if they failed or were exposed, such as customer logins, payment flows, remote access and public-facing applications.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This keeps the first hours of testing focused on where the business has the most to lose.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Test where it hurts and not where it\u2019s tidy<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Verizon\u2019s 2025 Data Breach Investigations Report analyzed more than 22,000 security incidents, including 12,195 confirmed data breaches. In that report, exploitation of vulnerabilities rose 34% and accounted for 20% of breaches, while third-party involvement in breaches doubled to 30%.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That should shape scope. Attackers are not interested in whether your environment looks neat on an audit spreadsheet. They follow reachable systems, weak links between vendors and platforms and the paths that lead to useful data or account access.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A risk-based pentest works better when it follows the same logic and asks a simpler first question: where would compromise spread fastest, cost most or interrupt customers soonest?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A good way to set those priorities is to start with customer-facing systems, because a weakness in a login flow, portal, checkout or public application can create direct disruption and trust issues quickly. 
Then look at the business systems your staff rely on for access, support, fulfillment or internal communication, because those tools can amplify the operational cost of an incident. Keep internet-reachable entry points in scope throughout, especially where third parties connect.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you want a practical reference for what attackers are actively exploiting, <a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\">CISA\u2019s Known Exploited Vulnerabilities Catalog<\/a> can help inform what deserves earlier attention.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">IBM adds another useful detail here. Stolen or compromised credentials were the most common initial attack vector in its 2024 study, at 16% of breaches, and those incidents took 292 days on average to identify and contain. That is a long time for a problem that can begin with something as ordinary as a login system or remote access path.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The system that looks routine on a diagram can still be the one that drags your team into the longest cleanup.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Fewer findings and better decisions<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">IBM found that 53% of organizations in the study faced high levels of security staffing shortages. Those organizations saw an average breach cost of USD 5.74 million, compared with USD 3.98 million for organizations with low-level staffing shortages.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For lean security teams, that changes what useful pentesting looks like. The goal is not a larger pile of findings. It is findings in the right order, shaped by business impact, exposure and likely attacker interest.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Speed plays a role too. 
IBM reported that breaches with a lifecycle longer than 200 days cost USD 5.46 million on average. The same report found that organizations using security AI and automation extensively had an average breach cost of USD 3.84 million, compared with USD 5.72 million for organizations not using them.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Those numbers point to the same lesson. Clear prioritization helps teams respond earlier, fix the issues with the heaviest consequences and avoid losing weeks in a queue of equally labeled problems.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If your team can only close a handful of issues this month, those issues need to be the ones most likely to reduce real exposure.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">From proof of testing to proof of value<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Good pentesting still supports compliance. It still helps you show diligence, satisfy customers and meet formal expectations. But it becomes more useful when testing also reflects how your business works, where your exposure sits and which systems carry the most weight day to day.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The research points in one clear direction. Breaches are expensive, disruptive and often tied to exploitable weaknesses, credential abuse and delayed detection.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So the better move is to test with sharper focus, then use the results to guide decisions your team can act on with confidence. That is the value in moving from compliance pentesting to risk-based pentesting. 
You keep the discipline and get more practical value from the same budget.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In IBM\u2019s 2024 Cost of a Data Breach Report, the global average cost of a breach reached USD 4.88 million, and the United States recorded the highest&#8230; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[11138],"tags":[],"class_list":["post-77112","post","type-post","status-publish","format-standard","hentry","category-best-tools"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/77112","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=77112"}],"version-history":[{"count":1,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/77112\/revisions"}],"predecessor-version":[{"id":77113,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/77112\/revisions\/77113"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=77112"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=77112"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=77112"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}