Bishop Fox named “Leader” in 2024 GigaOm Radar for Attack Surface Management. Read the Report ›

Cloud Offensive Security: 2023 Insights From the Ponemon Institute

Dark purple background wiht turquoise and white title letters. A sample report is on the right side of the design.


In a groundbreaking study conducted with Ponemon Institute, 2023 The State of Offensive Security Creating a Blueprint for Success, we sought to discover and analyze the different types of offensive security testing used by mature security organizations to achieve stronger security postures.

Overall, 52% of respondents reported that offensive security is an important part of hardening defenses, emphasizing the importance of a proactive approach to cybersecurity. But as cloud environments become a necessary part of the technology stack for countless organizations, it was only natural to zero in cloud security as a key component of this study and learn how mature security programs implement offensive security to protect cloud environments.

In this blog, we highlight research findings from all 664 participating IT and security practitioners (as well as a deep dive into the 43% (285 respondents) who actively conduct cloud security testing) to showcase the importance of cloud security testing, the drivers behind it, and how it plays a key role in building mature security programs now and in the future.

Research Findings: Cloud Offensive Security

Many aspects of the threat landscape are driving investments towards offensive security testing, but cloud migration (41%) was second only to new technology adoption, according to survey respondents. 

Reasons organizations invest in offensive security testing
FIGURE 1 - Reasons organizations invest in offensive security testing

In fact, of all the industries that were surveyed, cloud migration was the primary motivation behind offensive security testing in Financial Services (46%) and Technology and Software (45%) industries. Industrial and Manufacturing followed closely with 42% of respondents reporting cloud migration as a driver for offensive security testing. Healthcare and Pharmaceutical was not far behind at a 37% response rate supporting cloud migration for offensive security testing.

Breakdown of the reasons for investing in offensive security by industry
FIGURE 2 - Breakdown of the reasons for investing in offensive security by industry

Furthermore, increased cloud adoption means that cloud vulnerabilities are on the rise with expanded cloud attack surfaces. Mature security programs use offensive security testing to keep pace with modern adversaries targeting their cloud environments. According to the survey results below, cloud vulnerabilities are considered one of the top three threats to enterprises, driving and justifying the spend on offensive security testing.

Types of cyber threats driving offensive security investments
FIGURE 3 - Types of cyber threats driving offensive security investments

While cloud security testing is used less frequently (43%) compared to other types of offensive security testing like Red Teaming (64%), application security testing (54%), and penetration testing of internal and external networks (47%), respondents rated it as the most effective type of offensive security testing strategy for improved resilience with a whopping 57% success rate.

Effectiveness of offensive security testing strategy
FIGURE 4 - Effectiveness of offensive security testing strategy

Now that we are familiar with the influence of cloud security in mature security programs, let’s drill down into the different ways that cloud environments are tested. Penetration testing, a classic offensive security technique, is a clear winner taking a 59% lead, followed by threat analysis (41%), cloud configuration review (38%), and assumed-breach scenarios (27%).

Types of cloud security testing
FIGURE 5 - Types of cloud security testing

Tools like CloudFox (built by Bishop Fox’s Seth Art, Principal, and Carlos Vendramini, former Fox) support cloud penetration testers and offensive security professionals to find exploitable attack paths in cloud infrastructure. And his recently released sandbox, CloudFoxable, takes pen testing to the next level with an intentionally vulnerable AWS environment created specifically to teach the art of cloud hacking using the CloudFox tool.

Watch the video below for insights into how the CloudFox tool works.

Ponemon research demonstrates that cloud security testing is proving to be a valuable ROI for organizations with mature security programs. So, it is not surprising that 60% of respondents reported significant and/or moderate increases for cloud security will be implemented in the next one to two years.

The proactive approach of offensive cloud security testing is a sophisticated action enabling a view of your cloud environment through the lens of an attacker. The most mature security programs are proving that there is no reason to wait for modern adversaries to find exploitable attack paths in cloud environments. Instead, they are taking back control and investing in ways they can outpace attackers on the battlefield.

For information on how cloud penetration testing works, download our helpful guide. We’ve also put together our top 50 questions that all organizations should ask an offensive security provider to help guide you in your investments.

Subscribe to Bishop Fox's Security Blog

Be first to learn about latest tools, advisories, and findings.

Beth Robinson BF Headshot

About the author, Beth Robinson

Senior Content Writer

Beth Robinson is a Senior Content Writer at Bishop Fox. She joins Bishop Fox with nearly 20 years of experience focused on technical intelligence issues.

More by Beth

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.