Request a Demo Contact Us
Bugcrowd Acquires Informer to Enhance Offerings Across Attack Surface Management and Penetration Testing
Learn More
Press release

Despite Growing Cyber-Threats, Less than Half of Organizations Perform Continuous Attack Surface Monitoring, New Survey from ESG and Bugcrowd Shows

Leading organizations in attack surface and vulnerability management embrace ongoing penetration testing and crowdsourced cybersecurity solutions

SAN FRANCISCO, Nov. 18, 2020 Bugcrowd, the crowdsourced cybersecurity platform, today announced the release of the Attack Surface and Vulnerability Management Assessment survey, completed in partnership with analyst firm Enterprise Strategy Group (ESG). The research found that 61% of organizations perform attack surface discovery to offset frequently changing assets in their attack surface and attack surface expansion, yet less than half (40%) of companies perform continuous attack surface management.

Only one out of five organizations surveyed qualified as a “leader” in how they execute attack surface and vulnerability management, while 49% ranked in the second tier as “fast-followers” and 39% ranked in the bottom tier as “emerging organizations.” The survey discovered several key differences between leaders and other respondents in their strategy for attack surface and vulnerability management. Of note, nearly three out of four leaders (72%) perform continuous attack surface management, signaling attack surface discovery frequency as a sign of maturity.

Leading Organizations Augment Security Efforts with Crowdsourced Cybersecurity Solutions

Organizations that qualify as leaders recognize their own limitations and are much more likely to supplement their security efforts with crowdsourced penetration testing and bug bounty programs than the fast-followers and emerging organizations. In fact, 59% of leaders use bug bounty programs to discover previously unknown or undiscovered attack surface, compared to 43% of fast followers and 34% of emerging organizations. Furthermore, 41% of leaders plan to use crowdsourced security platforms for penetration testing over the next 24 to 36 months compared to just 19% of fast followers and 27% of emerging organizations.

“This research demonstrates how COVID-19 spurred many organizations to accelerate their digital transformation efforts, thus increasing the size and complexity associated with managing their attack surface,” said Ashish Gupta, CEO, Bugcrowd. “One factor really separated the more successful organizations from the rest of the pack: the leaders clearly lean more heavily on crowdsourced security solutions to augment their security efforts. This layered approach to security has significantly strengthened their ability to protect their attack surface and mitigate vulnerabilities.”

Routine Penetration Testing and Attack Surface Discovery Distinguishes Leaders from Less Mature Organizations

Fast-followers and emerging organizations are far less proactive in performing attack surface and vulnerability discovery solutions compared to leaders. For example, 72% of leaders conduct attack surface discovery on a continual basis, compared to just 52% of fast-followers and 3% of emerging organizations. Additionally, 59% of leaders perform penetration testing for vulnerability discovery more often than once per month, while only 23% of fast-followers and 3% of emerging organizations do on the same frequency. However, the less mature companies report higher confidence in their attack surface and vulnerability discovery tooling and technologies, demonstrating a lack of awareness of potential risk. 

“There is a stark contrast between what the leaders are doing and what everyone else is doing, and the latter group should take note of the difference,” said Jon Oltsik, Senior Principal Analyst and Fellow, ESG. “Leading organizations use a diverse combination of tools, automated processes, and integrated workflows to constantly look for problems in their attack surface and vulnerability management. They unify efforts across their organization and are proactive in taking necessary actions to mitigate any risks they discover. Perhaps most important, leaders are aware of their limitations and are much more likely to use bug bounties, crowdsourced penetration testing and other external services.” 

To uncover security blind spots and stay ahead of rapidly evolving cybersecurity threats, organizations across all security maturity levels can embrace crowdsourced cybersecurity to protect their attack surface and remedy vulnerabilities before they can be exploited. For more information, download the full report, Attack Surface and Vulnerability Management Assessment

To learn how Bugcrowd customers enhance their attack surface and vulnerability management strategy and maximize the impact of their existing security investments, please visit Why Bugcrowd

About Bugcrowd

Bugcrowd is the #1 crowdsourced security company. Top Fortune 500 organizations trust Bugcrowd to manage their Bug Bounty, Vulnerability Disclosure, Next Gen Pen Test, and Attack Surface Management programs. Bugcrowd’s award-winning platform combines actionable, contextual intelligence with the skill and experience of the world’s most elite hackers to help leading organizations identify and fix vulnerabilities, protect customers, and make the digitally connected world a safer place. Based in San Francisco, Bugcrowd is backed by Blackbird Ventures, Costanoa Ventures, Industry Ventures, Paladin Capital Group, Rally Ventures, Salesforce Ventures and Triangle Peak Partners. Learn more at

“Bugcrowd” is a trademark of Bugcrowd Inc. and its subsidiaries. All other trademarks, trade names, service marks and logos referenced herein belong to their respective companies.


Allison Arvanitis
Lumina Communications for Bugcrowd