The State of Pentesting Report 2025 pulls back the curtain on how organizations are really doing when it comes to cybersecurity. The report offers a candid look at the gap between perception and reality, especially around vulnerability management, AI risks, and the growing need for programmatic approaches to pentesting.
The State of Pentesting Report 2025 begins with a telling contradiction. A striking 81% of organizations rate their cybersecurity posture as strong. Yet, real-world pentesting tells a different story—less than half (48%) of all vulnerabilities uncovered during tests are ever resolved. Even when those vulnerabilities are deemed high-risk, only 69% are addressed, leaving several gaps in enterprise defenses.
What’s more, while three-quarters of companies claim to have service-level agreements (SLAs) in place mandating that vulnerabilities be resolved within 14 days, the median time to resolve all pentest findings is a whopping 67 days—almost five times the target. This issue isn’t just theoretical; these are actionable vulnerabilities that could be exploited by attackers, and the lag in resolution leaves systems exposed.
AI Adoption Is Surging—But Security Is Struggling to Keep Up
One of the most urgent issues outlined in this year’s pentest report is the rapid integration of generative AI into products and workflows, without a proportional increase in security oversight. While 98% of companies are incorporating genAI technologies, only 66% are actively assessing their security, including through pentesting.
This oversight is particularly troubling because large language models (LLMs) showed the highest rate of serious vulnerabilities across all asset types tested. In fact, 32% of LLM-related pentest findings were labeled as high-risk—more than double the average rate of 13%. Even more alarming is that only 21% of these serious LLM vulnerabilities are being remediated, reflecting the growing AI security gap.
“AI is moving faster than our ability to secure it,” the report notes, summarizing a concern echoed by 72% of cybersecurity professionals who now view genAI threats as more pressing than risks from third-party software, insider threats, or even nation-state actors.
A Long Road Toward Programmatic Pentesting
Despite widespread acknowledgment of pentesting’s importance—94% of firms view it as essential to their cybersecurity strategy—the data reveals a persistent lack of follow-through. The report emphasizes that while ad hoc testing may satisfy compliance checks, it falls short of driving continuous risk reduction.
In 2017, only 27% of serious pentest findings were resolved. That number eventually doubled to 55%, but progress has stalled since then. The same percentage of serious vulnerabilities were fixed in 2024, suggesting a plateau in effectiveness. Encouragingly, the time it takes to resolve those issues has improved—falling from 112 days in 2017 to just 37 days in 2024, a 75-day reduction. However, this improvement in speed hasn’t translated into higher resolution rates.
Some organizations are leading the charge. The State of Pentesting Report 2025 by Cobalt found that 57% of companies resolve at least 90% of their serious findings, while 15% resolve 10% or less. The clear takeaway? Structured, programmatic pentesting strategies are far more effective than sporadic efforts.
Size Matters: Why Bigger Isn’t Always Better in Cybersecurity
Another insight from the pentest report is the impact of organizational size on vulnerability management. Small businesses outperformed their larger counterparts, resolving 81% of serious findings compared to just 60% for large enterprises. Moreover, big companies take more than twice as long—61 days versus 27 days—to resolve serious issues.
This may be due to complexity, stretched resources, and cross-functional misalignment. As organizations grow, so too does the challenge of managing risk, emphasizing the need for scalable, integrated security practices.
Sector Struggles and Infrastructure Risks
The report also shines a light on critical sectors like utilities, healthcare, and manufacturing, which are lagging behind in vulnerability resolution. These industries face heightened exposure due to slow response times and a high number of unresolved findings.
Financial services firms, while encountering fewer serious vulnerabilities (11%), still struggle with remediation timelines, taking an average of 61 days to resolve issues. This trend highlights that even mature security environments are not immune to the remediation gap.
Bridging the Confidence Gap
Ultimately, the State of Pentesting Report 2025 makes one message clear: pentesting is not just a box to check—it’s a vital tool that requires strategic, continuous application. The confidence many organizations have in their cybersecurity defenses doesn’t align with the outcomes revealed in pentesting data. Until more companies adopt programmatic approaches, these gaps will persist.
For organizations racing to adopt AI and digital transformation, the need to secure systems proactively is more urgent than ever. Pentesting offers a critical lens into hidden risks—but only if the insights are acted upon. Cybersecurity leaders must close the gap between detection and resolution to ensure real risk reduction, not just perceived protection.
