The Edgescan Platform eliminates the need for tool configuration, deployment, and management.
By providing vulnerability intelligence and remediation information along with human guidance and vulnerability verification, we help our customers prevent security breaches, safeguarding their data and IT assets.
Edgescan offers a continuous security testing and unified exposure management SaaS platform that manages thousands of assets for businesses large and small in a wide variety of industries across the globe.
The Edgescan Platform eliminates the need for tool configuration, deployment, and management.
By providing vulnerability intelligence and remediation information along with human guidance and vulnerability verification, we help our customers prevent security breaches, safeguarding their data and IT assets.
Edgescan offers a continuous security testing and unified exposure management SaaS platform that manages thousands of assets for businesses large and small in a wide variety of industries across the globe.
The Edgescan Platform eliminates the need for tool configuration, deployment, and management.
By providing vulnerability intelligence and remediation information along with human guidance and vulnerability verification, we help our customers prevent security breaches, safeguarding their data and IT assets.
Edgescan offers a continuous security testing and unified exposure management SaaS platform that manages thousands of assets for businesses large and small in a wide variety of industries across the globe.
Edgescan was founded in 2017 by Eoin Keary, who currently serves as its CEO. With over 20 years of experience in leadership and development, Eoin is a visionary and thought leader for the company. He draws on his extensive experience in leading software development and security teams to drive Edgescan's success.
Inside the 2025 Verizon DBIR: Edgescan’s Critical Insights on Web Application Security
The 2025 Verizon Data Breach Impact Report paints a stark picture of web application security, and as someone who contributes hundreds of thousands of vulnerabilities yearly to this report, I see the truth daily at Edgescan. We’re proud to be a data source for this year’s DBIR again – Verizon’s annual report is crucial for industry understanding. Here’s what’s really happening in the web application layer, straight from our continuous scanning of APIs and web apps across thousands of domains.
Basic Web Application Attacks Are Back in Style
The “get in, get the data, get out” attacks are alarmingly common. With 1,701 incidents and 1,387 confirmed data compromises, these aren’t isolated events. What worries me most? Every single breach came from external actors. No insider threats here – it’s the bad guys coming at you from outside your walls.
But here’s the twist: espionage now drives 61% of these attacks. That’s a major shift from financial motives dominating previous years. The data they’re after? Mostly “other” data (65%), but personal information (36%) and credentials (35%) are right behind.
The Credential Crisis Gets Worse
The numbers don’t lie. Stolen credentials power 88% of web application breaches. Where are attackers finding these credentials? Web applications (39%), development environments and CI/CD pipelines (66%), and cloud infrastructure (43%). That’s right – your development secrets are more exposed than your web apps.
The credential ecosystem is sophisticated:
Infostealers grab passwords and cookies
Marketplaces sell them
Premium channels offer exclusive access
Live logs give real-time access to breached data
And remember – 54% of ransomware victims had their domains in infostealer logs. The connection is clear.
What Our Vulnerability Data Shows
Our 2025 Vulnerability Statistics Report digs deeper into what automated scanners miss. Here’s what you need to know:
Over 33% of vulnerabilities found across the stack are critical or high severity
SQL Injection (CWE-89) is still the top web vulnerability – it’s been that way since 2022
Web apps take longer to fix: 74.3 days vs 54.8 days for network issues
Larger companies are worse at patching: 45.4% of their vulnerabilities remain unfixed after 12 months
The numbers are staggering: 40,009 new CVEs in 2024. CISA added 185 to their Known Exploited list. And 768 CVEs saw real-world attacks – that’s 20% more than 2023.
Different Industries, Different Problems
Software companies fix things faster (63 days average). Construction firms? Not so much (104 days). The gap shows how industry matters in security response.
But here’s something troubling: the complex vulnerabilities that automated tools miss? You need human expertise to find them. And those are often the ones that matter most.
The Attack Methods Keep Working
The basics still work:
Brute force attacks haven’t gone away
VPN and edge device exploits jumped from 3% to 22%
42% of exploits hit web applications
Once in, attackers use backdoors to maintain access
What Really Needs to Change
Based on what we see daily:
MFA Implementation: Multi-factor authentication should be mandatory and not optional for both Externally Exposed Applications and for Remote Network Access.
Scrutinize Logins: Implement additional protection around cookies and session keys.
Passphrase Management: Encourage long passwords and secure configurations.
OS Hardening: Secure configurations for endpoint systems and domain controllers.
Continuous Vulnerability Management: Establish and maintain a vulnerability management process
Establish and Maintain a Remediation Process: Prioritize vulnerabilities which matter
The stats don’t lie. Web applications remain a prime target, credentials are too easy to steal, and most organizations aren’t patching fast enough. The threat actors are organized, motivated, and successful.
Download our full Vulnerability Statistics Report for the complete data: https://www.edgescan.com/stats-report/
The trend is clear. Are you ready for what’s coming?
Most organisations have the policies, the frameworks and the remediation requirements documented. The hard part has always been knowing whether any of it is true in practice. …