WEBINAR
Join us to explore what 10 years of data tells us about real risks during the State of Pentesting 2025 webinar.

Key takeaways from the State of Pentesting Report 2025

At Cobalt, we conduct over 5,000 pentests annually, a number that is growing every year, across web, API, LLM, network, and cloud tests. This vast set of data and learnings gives us unique insight that we analyze to produce industry-leading research. The result is our State of Pentesting Report 2025, which we released today.

This is the seventh year we’ve produced this report, and we’ve come a long way since our first State of Pentesting Report in 2019. For the 2025 report we looked back further than the past year to go all the way back to 2015, aggregating 10 years of data, so we could more thoroughly study trends. This year we also surveyed 450 security leaders and practitioners to learn how they think about pentesting, and how they are maturing their offensive security programs.

Taken together, the data collected from thousands of pentests and the survey results point to critical gaps between security expectations and reality, particularly as organizations race to adopt AI technologies without adequate protections.

The confidence paradox

Despite widespread recognition that pentesting is foundational to security (94% of security leaders agree), a confidence gap exists between the expectation that pentesting is vital and the persistence of security vulnerabilities over months and years. A striking 81% of organizations believe their security posture is strong, yet the pentesting data reveals that less than half (48%) of vulnerabilities are remediated, while 69% of the highest-risk (serious) vulnerabilities are resolved.

Most companies set ambitious service-level agreements (SLAs) requiring vulnerabilities to be fixed within 14 days, with 46% committing to fix critical vulnerabilities within just three days. However, the actual median time to resolve issues of all criticalities stretches to 67 days—nearly five times longer than intended.

This persistent paradox—pentesting is essential, but pentesting reveals security vulnerabilities that remain unaddressed—highlights the need for security teams to go beyond seeing pentesting as a box to check off for compliance. Programmatic approaches are needed to close the security gap, and programs must be improved to use all the tools in the offensive security toolbelt to prevent vulnerabilities from putting the organization at risk.

AI security: racing ahead without a safety net

The report highlights a particularly troubling trend in AI and LLM security, which has emerged as the top concern among security professionals (cited as a top concern by 72%), ahead of risks from third-party software, exploited vulnerabilities, insider threats, and nation-state actors.

The AI adoption-security gap is substantial and growing: 98% of organizations are incorporating generative AI technologies into their products, yet only 66% are conducting regular security assessments like pentesting on their AI products.

Moreover, our LLM pentests yield the highest proportion of serious vulnerabilities (32%) of any asset type tested. Despite this elevated risk, only 21% of serious vulnerabilities discovered in LLM tests are being resolved—the lowest remediation rate across all test types.

This data suggests that, while organizations recognize the potential risks of AI, most are not yet able to keep these rapidly deployed technologies secure. As genAI adoption races ahead, security teams need to partner with organizations that have expertise in identifying these risks and recommending remediation strategies in order to keep up.

Getting better, but slowly

The third major trend we’ve identified in our State of Pentesting Report is meaningful, albeit slow, improvement. We’ve seen a marked decline in both the proportion of serious vulnerabilities and the time taken to resolve those findings. Since 2017, the median time to resolve serious vulnerabilities has decreased dramatically—from 112 days down to 37 days last year, cutting this time by 75 days, or two-thirds. The proportion of serious findings in pentests has also declined by about half (from 20% to 11%) over 10 years, demonstrating the positive impact of "shift left" security programs.

However, this progress appears to have plateaued. When we look at the rate at which serious findings are resolved within each calendar year, it remains stuck at just 55%. And these are not merely theoretical issues, like those picked up by some automated scanning: our pentesting identifies vulnerabilities that can actually be exploited, so these lingering issues represent significant risk exposure.

There are some other findings in the report that may point to reasons why serious findings stick around so long despite SLAs and security teams working hard every day at their jobs: the complexity of the job, resource constraints, and lack of alignment between cross-functional teams.

  • Small companies lead with 81% of serious findings resolved, significantly outperforming large organizations, which resolve only 60%.
  • Larger organizations take over a month longer than smaller ones to resolve serious issues (61 days versus 27 days).
  • Critical infrastructure sectors including utilities, healthcare, and manufacturing have the highest rates of unresolved findings, and are slowest to address vulnerabilities.
  • Financial companies, despite their lower rate of serious findings (11%), take among the longest to resolve issues (61 days).

From ad hoc testing to programmatic risk reduction

The meaning of these findings is clear: effective security requires moving beyond occasional compliance checks to embrace continuous risk reduction. In fact, there are organizations doing this quite well: 57% of organizations resolve at least 90% of their serious findings (whereas another 15% of orgs resolve 10% or less). Our belief is that organizations that implement structured, programmatic approaches to pentesting can show better results.

As threats continue to evolve—particularly in emerging areas like AI and the software supply chain—we see that knowledge is power. By understanding where security efforts fall short, organizations can build more effective programs that transform security knowledge into the power to truly reduce risk.

For a complete look at the research, more insightful analysis of these trends and others, as well as detailed recommendations, download the full report.


About Jason Lamar
Jason Lamar is an infosec community advocate and SVP of Product at Cobalt. In this role, Jason is responsible for product, product operations, and design teams pioneering Pentest as a Service (PtaaS) and building out the Offensive Security solution portfolio. Jason has made a career of building and launching innovative cybersecurity products. With more than two decades of experience in the cybersecurity industry, Jason has worked with companies of all sizes to provide customers with the technology and knowledge to defend themselves in today’s dynamic risk landscape.