From 2025 Findings to 2026 Risk: What Our Pen Testers Are Seeing Now

Executive Summary for C-Level Leaders

Over the past 12 months, MTI’s penetration testing team has seen a consistent and concerning trend across organisations of all sizes and sectors.

Many successful attack paths are not the result of sophisticated zero-day exploits. Rather, they result from preventable weaknesses in configuration, identity management, DevSecOps integration, and API security.

In 2025, we observed: 

  • Cloud environments deployed rapidly but governed inconsistently 
  • Excessive IAM permissions left in place post-deployment 
  • APIs exposing sensitive data due to broken authentication and flawed business logic 
  • Hybrid environments riddled with basic misconfigurations 
  • Security still treated as a checkpoint exercise rather than embedded discipline 

Looking ahead to 2026, the shift is clear: 

  • Attackers are targeting cloud identity and access models over traditional perimeter defences 
  • APIs are becoming a primary breach vector 
  • DevSecOps maturity is separating resilient organisations from reactive ones 
  • The speed of digital transformation is outpacing security governance 

For boards and executive teams, the implication is simple: security debt is accumulating in modern infrastructure at a rate many organisations do not yet fully appreciate. 

The organisations that will perform best in 2026 are those embedding testing into development, tightening identity controls in cloud, and moving from annual assurance to continuous validation. 

2025 in Review: Where Organisations Are Getting Caught Out

Across external infrastructure assessments, cloud reviews, application testing, red teaming, and internal infrastructure engagements, several recurring themes have emerged. 

1. DevSecOps: Security Still Bolted On, Not Built In 

One of the clearest trends in 2025 has been the gap between DevOps maturity and DevSecOps maturity. 

Many organisations have invested heavily in CI/CD pipelines, automation, and rapid release cycles. However, security testing often remains: 

  • A late-stage activity 
  • A compliance-driven checkpoint 
  • A separate exercise from development 

As a result, vulnerabilities that could have been prevented early are being discovered at the end of the lifecycle – when remediation is costly, disruptive, and politically difficult. 

Common issues identified during CI/CD and code reviews include: 

  • Hardcoded secrets in repositories 
  • Insecure pipeline permissions 
  • Inadequate dependency management 
  • Lack of automated security testing within build stages 
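The first and last items above are the same problem seen from two sides: a secret committed to a repository stays there because nothing in the build stage looks for it. The following is an added example of the kind of gate a pipeline can run on every commit; it is not MTI's tooling. The patterns, the entropy threshold and the sample repository contents are assumptions chosen for illustration (the AWS key value is the documented example key from AWS's own documentation; the API key value is made up).

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Added example: a secret-scanning gate for a CI build stage. Not MTI's tooling;
# the patterns, threshold and sample repository contents are assumptions.
PATTERNS = {
    # Documented public formats: AWS access key ids are "AKIA" + 16 chars,
    # GitHub classic tokens are "ghp_" + 36 chars.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Generic "name = 'literal'" assignment; filtered by entropy below.
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed tuning value, not a standard


@dataclass
class Finding:
    path: str
    line: int
    kind: str


def shannon_entropy(value: str) -> float:
    """Bits per character: placeholders such as 'changeme' score low, real keys score high."""
    counts = Counter(value)
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value: str) -> bool:
    """Template references (${VAR}, $VAR, <value>, {{ var }}) are not secrets."""
    return value.startswith(("${", "$", "<", "{{"))


def scan_text(path: str, text: str) -> List[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            if kind == "generic_assignment":
                value = match.group(2)
                if looks_like_placeholder(value) or shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
            findings.append(Finding(path, lineno, kind))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """files maps repository path -> contents (in CI this is the checked-out tree)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def build_gate(files: Dict[str, str]) -> bool:
    """True when the build may proceed, i.e. no hardcoded secrets were found."""
    return not scan_repo(files)


# Constructed sample repository contents.
SAMPLE_FILES = {
    "config/settings.py": (
        "DB_HOST = 'db.internal'\n"
        "DB_PASSWORD = 'changeme'\n"
        "API_KEY = 'k7Qz9v2XpL4mN8bR1tY6wE3s'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
    ),
    "deploy/env.sh": 'export TOKEN="${CI_TOKEN}"\n',
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUA\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind}")
    print("build gate:", "PASS" if build_gate(SAMPLE_FILES) else "FAIL")
```

Run against the sample tree it flags the made-up API key, the AWS key id and the private key, and lets the `changeme` placeholder and the `${CI_TOKEN}` template reference through. The entropy filter is what keeps a gate like this from being switched off by developers drowning in false positives; the fixed-format patterns need no such filter because their prefixes are unambiguous.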

The organisations performing best are those integrating penetration testing insights directly into development workflows, allowing remediation to become part of normal engineering practice rather than an emergency fix. 

2026 Trend:

Penetration testing will increasingly integrate into development pipelines as a feedback mechanism, not just a point-in-time validation exercise.

2. Cloud Security: Identity is the New Perimeter

As services continue to migrate to Azure, AWS, Google Cloud, and hybrid private cloud environments, attackers have followed. 

Traditional perimeter-based thinking is fading. In 2025, the most common critical cloud findings we identified were related to identity and access management (IAM). 

Repeated issues include: 

  • Wildcard permissions granted during development and never removed 
  • Overly permissive service accounts 
  • Poorly structured role-based access models 
  • Privilege escalation paths between workloads 
  • Lack of segregation between testing and production 

In many cases, these permissions were originally granted “temporarily” to accelerate deployment. 

Temporary access rarely gets revoked. 

The result? An attacker who compromises one identity can often pivot rapidly across cloud workloads. 
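To make the "temporary" grant concrete, the following is an added example, not MTI's code, of an AWS-style IAM policy of the kind that gets attached to a deployment role to unblock a release, beside a least-privilege version of the same capability, with a small reviewer that flags what an attacker would look for first: unscoped actions, unscoped resources, and self-escalation primitives such as `iam:PassRole` on `Resource: "*"`. The policies, ARNs, region and the account id (AWS's documentation placeholder) are constructed, and the escalation list is illustrative rather than exhaustive.

```python
import json
from typing import Any, Dict, List

# Added example: a reviewer for AWS-style IAM policy documents. Not MTI's tooling;
# the policies, account id (AWS's documentation placeholder) and ARNs are constructed.

# A "temporary" developer policy of the kind that never gets revoked.
TEMP_DEV_POLICY: Dict[str, Any] = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DevShortcut", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "Deploy", "Effect": "Allow",
     "Action": ["ecs:UpdateService", "iam:PassRole"], "Resource": "*"},
    {"Sid": "ReadArtifacts", "Effect": "Allow",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-build-artifacts/*"}
  ]
}
""")

# The same deployment capability scoped to what it actually needs.
LEAST_PRIVILEGE_POLICY: Dict[str, Any] = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Deploy", "Effect": "Allow", "Action": ["ecs:UpdateService"],
     "Resource": "arn:aws:ecs:eu-west-2:123456789012:service/example-cluster/example-svc"},
    {"Sid": "PassTaskRole", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/example-task-role",
     "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
    {"Sid": "ReadArtifacts", "Effect": "Allow",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-build-artifacts/*"}
  ]
}
""")

# Actions that let a principal extend its own access when the Resource is unscoped.
# Illustrative, not exhaustive.
ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachUserPolicy",
    "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutRolePolicy",
    "iam:CreateAccessKey", "sts:AssumeRole", "lambda:UpdateFunctionCode",
}


def _as_list(value: Any) -> List[Any]:
    """IAM accepts either a single string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def review_policy(policy: Dict[str, Any]) -> List[str]:
    """Return a readable issue for every Allow statement that is wider than it should be."""
    issues: List[str] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt or "NotResource" in stmt:
            issues.append(f"{sid}: NotAction/NotResource allows everything not listed; review by hand")
        for action in actions:
            if action == "*":
                issues.append(f"{sid}: Action '*' allows every API call")
            elif action.endswith(":*"):
                issues.append(f"{sid}: service-wide wildcard '{action}'")
        if "*" in resources:
            issues.append(f"{sid}: Resource '*' applies the actions to every resource in the account")
            for action in actions:
                if action in ESCALATION_ACTIONS and "Condition" not in stmt:
                    issues.append(f"{sid}: '{action}' on Resource '*' is a privilege-escalation path")
    return issues


if __name__ == "__main__":
    for name, policy in (("temporary dev policy", TEMP_DEV_POLICY),
                         ("least-privilege policy", LEAST_PRIVILEGE_POLICY)):
        found = review_policy(policy)
        print(f"{name}: {len(found)} issue(s)")
        for issue in found:
            print("  -", issue)
```

The point of the `Deploy` statement is that it looks reasonable at a glance: two actions, both needed for a deployment. It is the unscoped `Resource` combined with `iam:PassRole` that turns it into a path to any role in the account. The corrected version names the one service and the one role, and binds the pass to the ECS task service so the role cannot be handed to anything else.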

2026 Trend:

Attackers are deliberately targeting IAM misconfigurations rather than attempting to exploit hardened infrastructure components. Cloud compromise is becoming identity-driven.

3. APIs: The Quietest Breach Vector

APIs continue to be one of the most underestimated risk areas. 

Unlike traditional web applications, APIs often: 

  • Sit behind trusted front-end applications 
  • Lack mature input validation 
  • Expose backend data models directly 
  • Implement flawed business logic 

The most common API finding in 2025? Excessive and unexpected data exposure. 

We repeatedly identified scenarios where: 

  • Authentication was weak or inconsistently enforced 
  • Authorisation checks were missing at object level 
  • Users could enumerate records 
  • Sensitive data was returned beyond what was necessary 

Since APIs often bypass traditional web-layer protections, they are attractive to attackers seeking large-scale data extraction. 
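The four findings above usually appear together on a single endpoint. The following is an added example of one `GET /api/invoices/{id}` handler written two ways; it is not MTI's code, uses no web framework so that it runs stand-alone, and the `Invoice` model, the in-memory table and the `Request` shape (with `user_id` assumed to be populated by an upstream authentication layer) are constructed for illustration. The `enumerate_ids` helper is what a tester does with sequential identifiers.

```python
from dataclasses import dataclass, asdict
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Added example: one API endpoint written two ways, without a web framework so it runs
# stand-alone. Not MTI's code; the data model and request shape are constructed.


@dataclass
class Invoice:
    id: int
    owner_id: int
    amount: float
    customer_email: str
    internal_margin: float  # backend-only field that should never be serialised
    card_last4: str


# Constructed backend table standing in for the database.
INVOICES: Dict[int, Invoice] = {
    1: Invoice(1, owner_id=100, amount=250.0, customer_email="alice@example.com",
               internal_margin=0.31, card_last4="4242"),
    2: Invoice(2, owner_id=200, amount=1200.0, customer_email="bob@example.com",
               internal_margin=0.18, card_last4="1881"),
}


@dataclass
class Request:
    user_id: Optional[int]  # None means no valid session (assumed to be set by the auth layer)
    invoice_id: int         # the id taken from the URL, e.g. GET /api/invoices/2


Response = Tuple[int, dict]


def get_invoice_vulnerable(req: Request) -> Response:
    """Trusts the id in the URL and returns the whole model: no authentication check,
    no object-level authorisation, and excessive data exposure in one handler."""
    inv = INVOICES.get(req.invoice_id)
    if inv is None:
        return 404, {"error": "not found"}
    return 200, asdict(inv)


PUBLIC_FIELDS = ("id", "amount", "customer_email")  # explicit response allow-list


def get_invoice_hardened(req: Request) -> Response:
    """Authenticates, checks the record belongs to the caller, and serialises only
    the allow-listed fields."""
    if req.user_id is None:
        return 401, {"error": "authentication required"}
    inv = INVOICES.get(req.invoice_id)
    # One status for "does not exist" and "not yours": the caller cannot use the
    # difference to enumerate which ids exist.
    if inv is None or inv.owner_id != req.user_id:
        return 404, {"error": "not found"}
    return 200, {field: getattr(inv, field) for field in PUBLIC_FIELDS}


def enumerate_ids(handler: Callable[[Request], Response], user_id: Optional[int],
                  ids: Iterable[int]) -> List[int]:
    """What a tester does with sequential ids: return every id the handler serves."""
    return [i for i in ids if handler(Request(user_id, i))[0] == 200]


if __name__ == "__main__":
    attacker = 999  # a logged-in user who owns no invoices
    print("vulnerable:", enumerate_ids(get_invoice_vulnerable, attacker, range(1, 6)))
    print("vulnerable body:", get_invoice_vulnerable(Request(None, 2))[1])
    print("hardened:  ", enumerate_ids(get_invoice_hardened, attacker, range(1, 6)))
    print("hardened owner:", get_invoice_hardened(Request(100, 1)))
```

Two design points are worth carrying into real code. The ownership check lives in the handler that loads the object, not in a front-end or gateway that the API can be reached around; and the response is built from an allow-list of fields rather than by serialising the model, so a column added to the table later (a margin, a card number) does not silently become part of the public contract.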

2026 Trend:

As organisations expand mobile applications, partner integrations, and microservices architectures, the API attack surface will grow significantly, and attackers know it.

4. General Misconfigurations Are Still Widespread

Perhaps the most sobering observation of 2025 is this: basic misconfigurations are still widespread. 

Across internal and external infrastructure assessments, we continue to find: 

  • Default credentials 
  • Exposed management interfaces 
  • Missing authorisation checks 
  • Legacy protocols enabled 
  • Unnecessary services exposed 
  • Poor segmentation in hybrid environments 

Hybrid estates – combining on-prem infrastructure, cloud workloads, SaaS platforms and legacy systems – are particularly prone to configuration drift. 

Complexity is becoming the enemy of security. 

2026 Trend: 

As estates become more distributed and multi-cloud, configuration management and validation will become critical differentiators between resilient and exposed organisations. 

The Strategic Pattern Emerging

Across all engagements, a broader pattern is clear: most successful attack paths are multi-stage and combinational. 

An example chain we commonly see: 

  1. Excessive cloud permissions
  2. Weak API authorisation
  3. Lack of internal segmentation 

None of these alone may appear catastrophic. 
Combined, they form a viable compromise path. 

Attackers do not need perfection. They need one workable route. 

Penetration testing continues to demonstrate how small, individually “low-risk” issues can chain into business-critical compromise scenarios. 

What This Means for IT and Security Teams

For technical teams, the message is not to panic – but to prioritise. 

Here are some key areas to focus on in 2026: 

Embed Security in CI/CD 

  • Integrate automated security scanning 
  • Conduct pipeline permission reviews 
  • Perform secure code reviews early 

Tighten Cloud IAM Governance 

  • Eliminate wildcard permissions 
  • Enforce least privilege 
  • Regularly review service accounts 
  • Segment environments properly 

Treat APIs as Tier-1 Assets 

  • Test for business logic flaws 
  • Enforce object-level authorisation 
  • Validate and minimise data exposure 

Continuously Validate Configuration 

  • Review firewall and network configurations 
  • Conduct Operating System build reviews 
  • Validate backup compromise resilience 
  • Perform external and internal infrastructure testing regularly 

Security cannot rely on annual assurance cycles in dynamic environments.

Final Thoughts: 2026 Will Reward the Prepared

The organisations that will perform strongest in 2026 are not necessarily those with the largest security budgets. 

They are those who: 

  • Integrate security into development 
  • Treat identity as critical infrastructure 
  • Understand their API exposure 
  • Actively validate configuration 
  • Move from reactive testing to continuous assurance 

Attackers are adapting. 
Cloud is accelerating. 
Digital transformation is not slowing down. 

The question is not whether vulnerabilities exist – they do. 

The question is whether they are being discovered by your team… or someone else’s. 

How MTI Helps Without Adding Noise

At MTI, penetration testing is not delivered as a one-off compliance checkbox. 

As an award-winning and CREST-affiliated provider, our focus is on: 

  • Realistic attack path simulation 
  • Clear, prioritised remediation guidance 
  • Executive-ready reporting 
  • Technical depth for IT teams 
  • Alignment with regulatory frameworks (DSPT, PSN ITHC, Cyber Essentials Plus and more) 

Our services span: 

  • Code Review 
  • Cloud Security Assessments 
  • Red Teaming 
  • Social Engineering 
  • Internal & External Infrastructure Testing 
  • API & Application Assessment 
  • CI/CD Assessment 
  • Backup Compromise Assessment 
  • Microsoft / M365 Reviews 
  • SCADA / OT / ICS Testing 
  • Ransomware Readiness Assessment

… and more.

More importantly, we focus on helping organisations reduce systemic risk – not just individual findings. 

To discuss how your organisation can reduce systemic risk in 2026, speak to our penetration testing specialists today.