Schellman's Year in Penetration Testing: Key Statistics Revealed
Published: Apr 9, 2025
It's been an exciting past few years for the Schellman penetration testing team. Throughout 2024, our team worked with over 150 clients to support their efforts in securing their businesses. As a lead assessor in the FedRAMP marketplace, Schellman prides itself on being able to assess our clients' systems and help identify the vulnerabilities they may have.
In this article, we'll share an overview of the past year and the security vulnerabilities we found in an attempt to help our clients, both present and future, be more aware of the possible vulnerabilities that could be looming within their environments.
The Scope
Depending on the type of assessment, Schellman reviews attack vectors that each focus on one portion of our clients' boundaries. Schellman's penetration tests can include any or all of the following vectors, and may also include vectors outside of these realms, such as wireless or physical testing.
Let's start by exploring the vectors that the Schellman penetration testing team most often focuses on:
External
During an external assessment, the goal is to identify and exploit vulnerabilities as an unauthenticated external threat actor from the open Internet. This is done by using automated network scans and manual testing against open ports that are available to the open Internet.
Internal
As part of an internal assessment, we sit on the client's network and attempt to identify lateral movement opportunities depending on what is available. Alternatively, for FedRAMP assessments, an access path walkthrough is reviewed for similar issues. In either case, identified issues include weak permissions, weak access controls, abuse of system services, poor network segmentation, credential compromise scenarios, and poor implementation of security controls.
Web Applications
Schellman performs an authenticated, full web application penetration test attempting to identify any security vulnerabilities possible within that application. Our team uses the OWASP Web Security Testing Guide (WSTG) as a guideline for our work, which focuses on several areas of testing, including authentication, authorization, session management, input validation, and business logic flaws. We also attempt to access or modify data from one tenant (Tenant A) that belongs to another (Tenant B), as an authenticated user of the web application.
Social Engineering
Our team creates and executes a phishing campaign against our client's specified targets - typically system administrators and managing personnel who may influence system administrators. The goal here is to create a strong enough campaign pretext that the target will input credentials into the phishing page, run a malicious script, or even elicit sensitive information via a phone call.
Mobile Applications
The team uses a representative mobile device to emulate a mobile application user attempting to access the target system or management system. This testing includes dynamic and static analysis of the application, review of locally stored information, and analysis of the traffic sent to the server to determine if the mobile application uses the same endpoints as the web application. Once traffic is analyzed, testing is done to identify vulnerabilities as you would in a traditional web application or API penetration test.
Client-side Application and/or Agents
In this scenario, the team attempts to access management systems or infrastructure from client-side components, such as software applications, servers, appliances, browser extensions, thick clients, and agents. The primary area of focus with these applications is identifying if any vulnerabilities have been added to the host system, such as privilege escalation vulnerabilities. Additionally, these applications typically interact directly with a backend server of some form, so traffic analysis and modification are also key components.
The Findings
Now that you have a better understanding as to how Schellman performs different penetration tests, it's time to explore the number of findings that were identified over the past year. Our hope is to educate our clients, both present and future, as to where we were able to find these vulnerabilities and offer some insight into the most common and critical findings.
As a bit of additional background, Schellman only reports vulnerabilities which are exploitable and have demonstrable impact, or if there is a specific compliance requirement. Additionally, Schellman classifies its findings into three ratings: low, moderate, and high. The overall rating is based on the impact and likelihood of the finding, taking the lesser of the two.
For example: if we found a high impact, low likelihood vulnerability, we would classify this as an overall low rating. Schellman only reports those findings that have an impact of low or higher. If an informational finding is identified, it is noted in the report to the client, so they are aware - but it is not an official finding.
With that said, let's dig into the categories and break down what was found in 2024:
External
During our external testing, Schellman was able to identify 248 vulnerabilities. Of those findings, there were 13 high, 100 moderate, and 134 low-risk findings. Of note, out of all the external findings, 146 were configuration management issues and 84 of those findings were related to the client not having DMARC records in place, allowing the Schellman team to spoof emails from their domains. This simple misconfiguration gives threat actors the ability to send emails that look like they came from the client domain, creating an even better phishing email. Outside of phishing, eight of the high risk vulnerabilities led to remote code execution (RCE).
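As an added example (not Schellman's tooling), the check below evaluates a domain's DMARC posture the way a defender would before a tester finds it missing. It uses constructed DNS answers in place of a live lookup of the `_dmarc.<domain>` TXT record and reports the conditions under which spoofed mail would still be accepted.

```python
"""Assess a domain's DMARC record for the weaknesses behind email spoofing.

The DNS answers below are constructed stand-ins for what a resolver would
return for _dmarc.<domain> TXT; swap in a real lookup to use this live.
"""

# Constructed sample TXT answers keyed by the _dmarc name (not real domains).
SAMPLE_DNS = {
    "_dmarc.nodmarc.example": [],  # no record at all: the domain is spoofable
    "_dmarc.monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "_dmarc.partial.example": ["v=DMARC1; p=reject; pct=25"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@strict.example"],
    "_dmarc.dup.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}


def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(domain: str, dns=SAMPLE_DNS) -> list:
    """Return a list of weaknesses; an empty list means spoofed mail is rejected."""
    records = [r for r in dns.get(f"_dmarc.{domain}", [])
               if r.strip().lower().startswith("v=dmarc1")]
    if not records:
        return ["no DMARC record: mail from this domain can be spoofed"]
    if len(records) > 1:
        # RFC 7489 6.6.3: multiple records make receivers skip DMARC entirely
        return ["multiple DMARC records: receivers apply no DMARC policy"]
    tags = parse_dmarc(records[0])
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        issues.append(f"p={policy or 'missing'}: spoofed mail is delivered normally")
    pct = tags.get("pct", "100")  # default is 100 when the tag is absent
    if not pct.isdigit() or int(pct) < 100:
        issues.append(f"pct={pct}: policy is applied to only part of failing mail")
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if sub_policy not in ("quarantine", "reject"):
        issues.append(f"sp={sub_policy or 'missing'}: subdomains can still be spoofed")
    if "rua" not in tags:
        issues.append("no rua tag: no aggregate reports to detect spoofing attempts")
    return issues
```

Run `assess_dmarc("monitor.example")` to see the "p=none" case from monitoring-only deployments, which still lets spoofed mail through.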
Internal
Regarding internal findings, Schellman was able to identify 269 vulnerabilities. This broke down to 50 high, 118 moderate, and 100 low risk findings. The internal findings were a wide mix of vulnerabilities which included unauthenticated access to systems, Kerberos misconfigurations, insecure credential storage, and RCEs. Notably, clients who had routine penetration testing done on an annual basis had fewer findings than those who did not.
Web Applications
With web applications being a major part of many businesses, this was a heavily tested area, with almost every client of ours requesting it as part of their engagement. As such, Schellman was able to identify 426 vulnerabilities within our clients' web applications throughout the year 2024. Breaking down these numbers, Schellman was able to identify 113 high, 108 moderate, and 205 low risk findings.
Looking at the numbers, Schellman was able to find 99 instances of cross-site scripting (XSS), both reflected and stored, 23 instances of SQL injection, 34 insecure direct object references (IDORs), 14 instances of RCE, and so much more. Many of these findings led to leaked critical data, account takeovers, and privilege escalation.
Phishing
Within this attack vector, Schellman had 99 findings, of which 77 were high risk, meaning that credentials were entered into the phishing page created by the Schellman team. Several of our findings were also related to vishing. Overall, Schellman identified 77 high, 18 moderate, and seven low findings last year. Ultimately, this attack vector helped our clients understand the importance of continued education for their employees and phishing-resistant multi-factor authentication, as well as how easy it is for threat actors to create tempting and effective phishing campaigns.
Mobile Applications
During this testing, Schellman analyzes the mobile application, how it passes data to the server, and how it stores information on the device. Schellman was able to identify three high, one moderate, and 16 low risk findings last year. Of those findings, we were able to find IDORs, stored XSS, insecure storage mechanisms, and weak lockout mechanisms. These findings helped our clients secure the mobile space for their products by ensuring that malicious applications couldn't affect or leak their clients' stored mobile data.
Client-side Application and/or Agents
During client-side testing, Schellman was able to identify 40 vulnerabilities. This broke down to four high, 13 moderate, and 23 low risk findings. During the test of these locally installed applications, Schellman was able to find 14 instances of stored XSS, credentials in the source code or memory, a writeable service executable path, and insecure file processing which led to RCE on the host system.
Strengthening Cybersecurity Through Continuous Testing and Mitigation
Throughout 2024, the Schellman penetration testing team worked tirelessly to help our clients secure their environments, and the findings outlined in this article highlight both the progress made and the challenges that remain. With vulnerabilities identified across multiple attack vectors, it is clear that continuous security assessments and proactive mitigation strategies are critical to maintaining a strong cybersecurity posture.
From phishing campaigns to web application flaws and misconfigurations, our findings reinforce the importance of regular testing, employee education, and robust security controls. As we move into the future, Schellman remains committed to assisting organizations in identifying and addressing vulnerabilities to ensure a safer and more resilient digital landscape.
If you're equally committed, or at least curious about your organization's cybersecurity, Schellman is here to answer all of your penetration testing questions. Fill out our Penetration Testing Scoping Questionnaire and we'll be in touch soon.
In the meantime, discover additional helpful pen test tips and insights in more of our pen testing articles:
About Tim Campbell
Tim is a Senior Penetration Tester with Schellman where he performs multiple types of assessments, specializing in web application and external network penetration tests. Tim has over ten years of experience in the offensive and defensive security fields. Prior to joining Schellman in 2022, Tim performed penetration tests against companies within the financial, health, and insurance service industries.