Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

In October 2025, a critical zero-day vulnerability was disclosed in Oracle E-Business Suite (EBS), tracked as CVE202561882, which allows unauthenticated remote code execution (RCE). This vulneraility affects versions 12.2.3 through 12.2.14 and has already been actively exploited in the wild by the Cl0p ransomware group and potentially other threat actors.

The financial sector has always been a prime target for attackers, but the scale and sophistication of threats have grown exponentially. In just the first half of 2025, over 742 million attacks were recorded across more than 600 global banking and financial services (BFS) sites, averaging 1.2 million attacks per site, a 51% increase compared to the same period in 2024.

Cybercriminals are not waiting around; they are exploiting vulnerabilities faster than ever. According to the 2025 Verizon Data Breach Investigations Report (DBIR), vulnerability exploitation accounted for 20% of breaches, marking a 34% jump from last year. This sharp rise highlights a hard truth: leaving security gaps unaddressed is an open invitation to attackers.

SaaS companies face a 20% yearly likelihood of a significant DDoS attack, according to the Indusface State of Application Security H1 2025, underlining the risks to uninterrupted operations. Even brief downtime can have severe consequences. On average, a DDoS attack requires 12 hours for monitoring, analysis, and mitigation, translating to roughly 2.4 hours of annual downtime per SaaS application. This can disrupt workflows, breach SLAs, and erode customer trust.

In the first half of 2025 alone, AppTrana blocked over 64 million bot attacks across industries, a number that highlights how automated abuse has become a daily battle for digital businesses. With 30,000+ SaaS providers powering the workflows of 14 billion users worldwide, SaaS sits at the core of digital transformation, making it a prime target for credential stuffing, account takeover, API abuse, and other bot-driven exploits.

Running a penetration test is only half the battle. The real challenge is translating complex technical findings into insights that leadership can act on. The right metrics do not just highlight vulnerabilities; they tell a story about risk, resilience, and readiness. In this guide, we explore the penetration testing metrics that truly matter and how to present them in a way that resonates with decision-makers.

In the first half of 2025, more than 742 million attacks were recorded across 600+ financial sites, according to the Indusface State of Application Security Report: Banking and Financial Services, underscoring a 51% year-over-year surge in threats. Bots were the most persistent threat, detected on 95% of applications, where they powered campaigns to crack credentials, scrape sensitive data, and exploit payment systems.

Web Application Firewalls (WAFs) and Web Application & API Protection (WAAP) platforms are designed to stop attacks before they reach your applications. Yet many organizations fall into a dangerous comfort zone. They deploy a WAF, leave it in monitor mode for months, or configure environments in ways that allow attackers to bypass the WAF entirely and reach origin servers directly.