
Year in review: from routine to results in 2025

Publisher
Pentest-Tools.com

If 2025 felt busy, you’re not imagining it.


Security teams had to cover more assets, respond to more CVEs, and explain more findings to more people than ever. And not just explain them - defend them. In front of clients. In front of auditors. In front of leadership that wants to know what actually changed since the last in-depth test.

We heard this again and again throughout the year.

As Elpha Secure put it:

“Most tools just dump alerts on you. That’s not what helps when you’re accountable for fixing things.”

That pressure to separate signal from noise showed up across internal teams, MSPs, and consultants alike.

So when we look back at 2025, we don’t see a year defined by volume alone. We see a year shaped by repetition, scrutiny, and a growing expectation that security tools must make daily work clearer - not heavier.

This is what happened when that reality met Pentest-Tools.com: millions of scans, hundreds of thousands of diverse targets, and workflows that had to hold up under real-world pressure.

Before unpacking them, here’s the backdrop for this year’s action.

Coverage, noise, and what changed in 2025

Alice Teodorescu, Senior Product Marketer

Coverage trumps confidence still rings true as we’re ready to begin a new year and still counting the depth and breadth of scans in Pentest-Tools.com in 2025.

Almost 315k scanned targets and over 6 mil. scans, anyone? 

Yet, my favourite highlight, being a growth-focused product marketer, is our (somewhat) brand new Machine Learning Classifier.

2025 was definitely the year our engineering team took Machine Learning for a spin, in an exponential fight against noise fatigue.

The results speak louder than I ever could: a game-changing 50% reduction in fuzzing false positives and a whopping 92% accuracy (up from 75%).

And this is just the beginning of our take on AI and ML capabilities.      


Rhythm, trust, and daily security work

Mario Popescu, Product Content Specialist

In 2025, I stopped looking for dashboard spikes and started noticing rhythm. One scan every 5 seconds sounds flashy, but the daily reality is simpler: scan, review, report, repeat. Our customers scanned 315,000 unique targets, ran more than 6 million scans, and sent tens of thousands of reports and exports to clients, teammates, and stakeholders.


From where I sit as a product marketer, that rhythm matters. A lot. It tells a story that release notes rarely capture. Pentest-Tools.com merged with your routine and stayed there.

Millions of scans don’t come from novelty; they come from trust. In product terms, trust is slow, stubborn, and earned the hard way - by being predictable and not wasting your time. It's about producing results that still make sense when you’re tired, slightly irritated, and just want to know what actually matters.

2025 didn’t feel heroic; it felt dependable. Sometimes that looks boring on a chart, but it means we’ve earned our place in your stack by being the partner you can rely on when the pressure is on.

What millions of scans actually mean: the numbers behind the rhythm

Consistency showed up again this year.

In 2025, security professionals ran more than 6 million scans and assessed almost 315,000 unique targets across web, network, and reconnaissance workflows. Those scans identified 4,214,094 unique subdomains and more vulnerabilities than any of us want to see on a report.

If the findings below look familiar, it’s because, no matter how diverse offensive security work gets, we as a community keep running into the same security issues that plague all infrastructures.


Case in point, the top 5 high and critical vulnerabilities you detected this year with the Website Scanner:

  • Server software vulnerabilities - 38,000

  • XSS - 2,435

  • SQLi - 1,485

  • Extra NoSQLi - 797

  • Extra HTTP1 smuggling - 662


For many internal teams, this list reinforced the need for continuous scanning and retesting. For MSPs and consultants, it validated why repeatable detection and clean reporting matter more than novelty.

CVEs that demanded immediate validation

When critical vulnerabilities surfaced, speed mattered - but so did confidence.

In 2025, we shipped detection and exploitation support for major CVEs within as little as 24 hours after assignment, allowing our customers to move from detection to validation without delay.

Highlights included:

For consultants and MSPs, this meant faster proof for clients. For internal teams, it meant fewer debates about whether an issue was exploitable.

From quick reaction to confident reporting

What mattered wasn’t just finding vulnerabilities, but what teams did next.


Scan results turned into 57,851 data exports (in JSON, CSV, and XLSX) and nearly 87,000 reports (in PDF, DOCX, and HTML). These reports supported very different conversations: with pentesting clients, within internal engineering teams, with compliance stakeholders, and with executive audiences.


Different teams, same underlying need: results they could explain and act on.

More detection depth with manual research as fuel

Behind the scenes, we expanded the Network Vulnerability Scanner with:

In parallel, Sniper: Auto-Exploiter continued to focus on one goal: validating real risk.


Our team manually researched, built, tested, and automated 24 new exploits, including ASP.NET Core Request Smuggling, Magento & Adobe Commerce - Account Takeover, WordPress TemplateInvaders - Arbitrary File Upload, and SMB - Anonymous Write Access. Seventeen of these exploitation modules covered remote code execution paths.


This work mattered most to teams who needed proof, not assumptions.

Your top 5 favourite tools in 2025 - free and paid

Trust showed up as repetition this year.


Users with a Free Edition account ran roughly 3X more scans than visitors using individual free tools. That pattern repeated across the year.


Teams explored first, then settled into capabilities that support replicable scanning and validation flows.

Top free tools on Pentest-Tools.com:

  1. Subdomain Finder - 461,499 scans

  2. Port Scanner - 389,440 scans

  3. Website Scanner - 281,372 scans

  4. URL Fuzzer - 138,893 scans

  5. Network Scanner - 42,828 scans

Top tools in the Free Edition:

  1. Website Scanner - 792,298 scans

  2. Port Scanner - 726,451 scans

  3. Network Scanner - 722,862 scans

  4. Subdomain Finder - 528,843 scans

  5. URL Fuzzer - 167,952 scans

Top tools in our fully-fledged product:

  1. Website Scanner

  2. Network Scanner

  3. Port Scanner

  4. Subdomain Finder

  5. WordPress Scanner


The pattern was clear. Recon opened the door. Repeatable scanning kept teams coming back.

What customers told us

Across very different environments, teams described surprisingly similar pressures.


Chill IT from Australia shared that they often use Pentest-Tools.com before a full engagement even begins. 

“We actually use it to evaluate prospects before we engage fully. It helps us understand their security maturity early,” their team explained.


For consultants, early clarity saved time and avoided misaligned expectations.

From their HQ in Switzerland, Arco IT highlighted a different constraint: scale. As their client base grew, local setups became a bottleneck. 

They needed “cloud-native scanning that was reliable, fast, and insightful,” without adding operational overhead. Repeatable scans mattered more than custom setups.


For US-based Elpha Secure, volume only mattered when it led to understanding.

“Most tools just dump alerts on you,” their engineers said. “Pentest-Tools highlights what actually matters, and explains why.”


That explanation step was critical when teams had to justify priorities internally.


These weren’t edge cases. They reflected how modern security teams manage time, expectations, and proof.

Product launches that shaped daily workflows

Removing friction from the security workflows you rely on every day is what kept us going in 2025 as well. Proving progress to your clients and companies (and yourself!) is what we’re here to help you accomplish - easier, better, and in a more rewarding way.

The Machine Learning Classifier: accuracy is the product

False positives don’t slow you down because they exist. They slow you down because they show up late, look serious, and demand attention.

We introduced the Machine Learning Classifier to deal with exactly that. 

And the outcome spoke for itself: a 50% reduction in fuzzing false positives and an accuracy rate of 92%, up from 75%. Less time spent second-guessing results. More time spent validating what actually mattered.


This wasn’t about replacing human judgment. It was about making sure you spent human effort in the right place.

The Vanta integration: automatic, rich evidence for compliance continuity

Compliance work rarely fails because of missing data. It fails when evidence is fragmented or outdated.


Our full integration with Vanta, released in September, addressed that gap by allowing findings from Pentest-Tools.com to sync directly into compliance workflows.


For teams working toward SOC 2 and similar frameworks, this meant fewer manual exports and a clearer audit trail, without changing how scans ran.

From scans to automated compliance evidence - Vanta Integration

The Burp Suite integration: fewer context switches, faster reporting

Everybody knows human-led web app pentesting rarely happens in a single tool.

So we built the Burp Suite extension to acknowledge that reality. Instead of forcing you to copy findings or manually reconcile results, it allowed Pentest-Tools.com scans to slot into workflows many web pentesters already use daily.


In practice, this means faster handoffs, fewer context switches, and less duplicated effort - especially for consultants and internal teams juggling multiple targets at once.

From Burp to report - Integration with Burp Suite Professional

Your top 3 most-used integrations of 2025

We added many integrations in 2025. What mattered wasn’t how many existed, but which ones teams relied on when work got repetitive and time-sensitive.


Three integrations stood out because they became part of the daily flow, not because they were “nice to have”:


Slack was the most used integration by a wide margin. Its role, simple and effective: bringing scan results closer to the people who needed to see them, without forcing another dashboard login. For many teams, this meant faster awareness and quicker follow-up, especially when scans were scheduled or run frequently.


Microsoft Teams followed closely. For organizations standardized on Teams, this integration served the same purpose as Slack: keeping security signals visible in day-to-day collaboration spaces, rather than siloed in tooling.


While Slack and Teams surfaced activity, Vanta became part of a daily routine, as we hinted earlier. Vanta stood out as the integration most closely tied to continuous compliance work. Its usage pattern reflects a shift away from one-off evidence gathering toward ongoing, automated alignment between security testing and compliance requirements.

Why teams kept using Pentest-Tools.com in 2025


Teams didn’t just come back in 2025 because they wanted more findings. They came back because they needed findings they could act on and defend.


The pressure was real. With 62% of teams saying they had too many vulnerabilities to fix, and 76% still backlogged with issues older than a year, heading full speed towards validation, prioritization, and clarity was a no-brainer.


We saw this shift play out across everything teams did:

The result wasn’t just faster assessments. It was cleaner ones. Proof over speculation. Accuracy over volume.


Benchmarks reinforced that trust. In a 26-app test (including Microsoft Exchange, WordPress, and Joomla), our Password Auditor identified valid credentials in 84% of realistic cases, compared to 15% for Hydra, and reached 100% accuracy when tested with mixed valid and invalid credentials.


Compliance added another layer of pressure. Auditors expect proof of remediation, control mapping, and repeatable testing. Raw scanner output rarely meets that bar, and rewriting it costs time teams don’t have.


That’s why teams leaned into scheduled scans, diffs, retests, and reports that include artefacts like screenshots and request/response traces. As shown in our SOC 2 automation webinar, validated findings - not raw output - are what turn security work into audit-ready evidence.

2025 events: what we learned by listening to the community

In 2025, our connection to the offensive security community showed up through conversations that went beyond surface-level feedback. 


Across events in Europe and beyond, fellow practitioners shared what actually slowed them down, what they trusted, and where tools either helped or got in the way.


At Infosecurity Europe, teams spoke openly about trust - not trust in tooling claims, but trust in results. Many described the pressure of reporting upward and the need for findings they could clearly explain, justify, and stand behind.


At GISEC Global, scale dominated the discussion. Large organizations and service providers talked about keeping scanning consistent across expanding environments without overwhelming teams with alerts that lead nowhere.


IT-SA brought sharp feedback from European teams operating under strict compliance requirements. They focused on structured reporting, integrations, and showing measurable progress over time, not just point-in-time results.


ALLNET ICT Solution Day grounded the conversation in partner realities. MSPs and resellers discussed client onboarding, recurring assessments, and the constant trade-off between speed, clarity, and limited resources.


DefCamp tied everything together. Beyond the conversations, our colleagues took the stage to share hands-on talks rooted in real offensive security research and practical exploitation experience. These sessions reinforced an important reminder: offensive security remains a craft you can only learn by doing. Tools support the work, but understanding attacker behavior still makes the difference.

Booth experience @DefCamp2025

Across all these events, one theme kept resurfacing. Teams face increasing scrutiny, and they succeed not by scanning more, but by explaining results with confidence. That insight directly influenced our focus on reporting clarity, evidence validation, and workflow integrations throughout 2025 - and it continues to guide where we’re heading next.

2025 showed that dependable tools earn their place quietly. By fitting into routines. By reducing friction. By helping teams explain what matters.

We’re going to keep walking that road into 2026 to give you fewer assumptions, better findings, and results you and your team can stand behind.


From our team to yours, have an excellent year ahead! 
