94% of firms say pentesting is essential, but few are doing it right

Organizations are fixing less than half of all exploitable vulnerabilities, with just 21% of GenAI app flaws being resolved, according to Cobalt.


Big firms take longer to fix pentest issues

94% of firms view pentesting as essential to their security program. This captures the assurance role of pentesting and reflects the reality that most breaches don't occur because the victim had no defenses; rather, the defenses they had weren't as solid as they thought.

It's probably no surprise that 91% of respondents cite compliance as a major reason for doing pentests. What may surprise some is that 92% say pentests are important to their organization's strategy and senior leadership.

In 2017, only 27% of serious pentest findings were resolved. That proportion roughly doubled to 55% by 2021 but has hovered at that level ever since. Remediation speed has improved more: in 2024, serious findings were fixed in one-third of the time they took in 2017 (37 versus 112 days), shaving 75 days off the exposure window.

The largest organizations take more than a month longer to resolve serious findings than the smallest firms (61 versus 27 days).

Three-quarters of organizations have set SLAs (service-level agreements) requiring pentest findings to be fixed in two weeks or less. Few meet that goal: the median time to resolve (which the report calls MTTR) across all pentest findings stands at 67 days, nearly five times the two-week SLA most organizations set.

81% of security leaders are "confident" in their firm's security posture, even though 31% of the serious findings discovered have not been resolved. Overall, firms are remediating just 48% of all pentest findings; the figure rises to 69% for findings rated serious (high or critical severity).

Vulnerabilities in GenAI LLM web apps

Organizations are particularly struggling with vulnerabilities in their GenAI LLM web apps. 95% of firms have pentested these apps in the last year, and 32% of those tests found vulnerabilities warranting a serious rating. Of those findings, a mere 21% were fixed; the risks include prompt injection, model manipulation, and data leakage.

72% ranked AI attacks as their number one concern, ahead of risks from third-party software, exploited vulnerabilities, insider threats, and nation-state actors. Only 64% say they are well equipped to address all the security implications of GenAI.

OWASP has recognised this availability risk: the 2025 edition of the Top 10 for LLM Applications and GenAI expands on DoS and other availability issues under a new category, Unbounded Consumption (the successor to the 2023 list's Model Denial of Service entry). It includes threats like Denial of Wallet (DoW), in which attackers exploit the cost-per-use model of AI services to run up the victim's bill rather than to take the service down.
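The usual defence against Denial of Wallet is admission control in front of the model API: charge each request its worst-case cost before the call is made, clamp the output length server-side regardless of what the client asks for, and rate-limit per tenant. The block below is an added illustration written for this article, not code from Cobalt, OWASP or any model vendor; the per-token prices, the `ConsumptionGuard` class and the scripted scenario are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed list prices in USD per 1,000 tokens; illustrative only, not any vendor's real rate card.
PRICE_PER_1K_INPUT = 0.005
PRICE_PER_1K_OUTPUT = 0.015


def cost_usd(input_tokens: int, output_tokens: int) -> float:
    """Spend for one completion at the constructed prices."""
    return input_tokens / 1000 * PRICE_PER_1K_INPUT + output_tokens / 1000 * PRICE_PER_1K_OUTPUT


@dataclass
class TenantState:
    daily_budget_usd: float
    spent_usd: float = 0.0            # settled spend plus in-flight reservations
    bucket: float = 0.0               # token-bucket credits (requests), refilled over time
    last_refill: Optional[float] = None


@dataclass
class Reservation:
    tenant: str
    input_tokens: int
    max_output_tokens: int
    reserved_usd: float


class ConsumptionGuard:
    """Admission control in front of a pay-per-token model API (hypothetical class).

    Every request is charged its worst-case cost up front (prompt size plus the
    server-side output cap), so a tenant can never commit more than its daily budget
    no matter what max_tokens the client requests. A per-tenant token bucket bounds
    the request rate too, since many cheap requests are the other half of the
    Denial of Wallet pattern.
    """

    def __init__(self, rate_per_sec: float, burst: int,
                 max_output_tokens: int, max_input_tokens: int) -> None:
        self.rate = rate_per_sec
        self.burst = burst
        self.max_output_tokens = max_output_tokens
        self.max_input_tokens = max_input_tokens
        self.tenants: Dict[str, TenantState] = {}

    def register(self, tenant: str, daily_budget_usd: float) -> None:
        self.tenants[tenant] = TenantState(daily_budget_usd=daily_budget_usd)

    def _refill(self, st: TenantState, now: float) -> None:
        if st.last_refill is None:
            st.bucket = float(self.burst)          # first request: full bucket
        else:
            st.bucket = min(float(self.burst), st.bucket + (now - st.last_refill) * self.rate)
        st.last_refill = now

    def admit(self, tenant: str, input_tokens: int, requested_output_tokens: int,
              now: float) -> Tuple[Optional[Reservation], str]:
        st = self.tenants[tenant]
        if input_tokens > self.max_input_tokens:
            return None, "input too large"
        # Never trust the client's max_tokens: clamp to the server-side ceiling.
        output_cap = min(requested_output_tokens, self.max_output_tokens)
        worst_case = cost_usd(input_tokens, output_cap)
        self._refill(st, now)
        if st.bucket < 1:
            return None, "rate limited"
        if st.spent_usd + worst_case > st.daily_budget_usd:
            return None, "daily budget exhausted"
        st.bucket -= 1
        st.spent_usd += worst_case                 # reserve the worst case before calling the model
        return Reservation(tenant, input_tokens, output_cap, worst_case), "ok"

    def settle(self, res: Reservation, actual_output_tokens: int) -> float:
        """Replace the reservation with the metered cost once the response is back."""
        actual = cost_usd(res.input_tokens, min(actual_output_tokens, res.max_output_tokens))
        self.tenants[res.tenant].spent_usd -= res.reserved_usd - actual
        return actual


def scripted_scenario() -> dict:
    """Constructed scenario: a burst asking for 100,000 output tokens per request, a
    refill one second later, a trial tenant with almost no budget, and an oversized prompt."""
    guard = ConsumptionGuard(rate_per_sec=1.0, burst=3, max_output_tokens=1000, max_input_tokens=8000)
    guard.register("acme", daily_budget_usd=1.00)
    guard.register("trial", daily_budget_usd=0.02)
    burst = [guard.admit("acme", 2000, 100_000, now=0.0)[1] for _ in range(4)]
    after_refill = guard.admit("acme", 2000, 100_000, now=1.0)[1]
    trial = guard.admit("trial", 2000, 1000, now=0.0)[1]
    huge = guard.admit("acme", 9000, 10, now=2.0)[1]
    res, _ = guard.admit("acme", 2000, 1000, now=3.0)
    settled = guard.settle(res, actual_output_tokens=200)
    return {"burst": burst, "after_refill": after_refill, "trial": trial, "huge": huge,
            "settled_usd": settled, "acme_spent_usd": guard.tenants["acme"].spent_usd}


if __name__ == "__main__":
    for key, value in scripted_scenario().items():
        print(f"{key}: {value}")
```

The point of reserving before the call rather than metering after it is that the budget check cannot be raced: concurrent requests each see the others' reservations, so a burst cannot overshoot the daily ceiling by the size of the in-flight work. Refunding the unused reservation on settle keeps honest tenants from being penalised for the cap.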

Security leaders under pressure to sacrifice security for speed

The survival clock starts when issues are identified (Day 0) and keeps ticking until the last finding is fixed, which for a large share of findings never happens. After one month, roughly 85% of findings are still alive (unfixed). The survival rate drops to about 60% at the one-year mark, and even after five years 45% of issues have not been fixed.
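The SLA compliance and median-time-to-resolve figures discussed earlier, and the survival curve described here, can all be computed from a tracker export of findings with their open and close dates. The block below is an added example, not from the Cobalt report: the findings, dates and severities are constructed, and the survival curve uses the Kaplan-Meier estimator so that still-open findings are treated as right-censored (they count as at risk up to their current age but are never counted as fixed), instead of being dropped, which would understate how long findings really survive.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Iterable, List, Optional, Tuple

REPORT_DATE = date(2025, 1, 1)  # "as of" date for findings that are still open


@dataclass(frozen=True)
class Finding:
    ref: str
    severity: str                  # "critical", "high", "medium" or "low"
    opened: date                   # Day 0: the finding was reported
    closed: Optional[date] = None  # None means still open at REPORT_DATE


# Constructed sample findings; dates and severities are made up, not taken from the report.
FINDINGS: List[Finding] = [
    Finding("F-01", "critical", date(2024, 12, 20), date(2024, 12, 25)),  # 5 days
    Finding("F-02", "high",     date(2024, 12, 1),  date(2024, 12, 11)),  # 10 days
    Finding("F-03", "medium",   date(2024, 11, 1),  date(2024, 11, 21)),  # 20 days
    Finding("F-04", "high",     date(2024, 10, 1),  date(2024, 11, 10)),  # 40 days
    Finding("F-05", "critical", date(2024, 9, 1),   date(2024, 11, 30)),  # 90 days
    Finding("F-06", "low",      date(2024, 3, 1),   date(2024, 9, 17)),   # 200 days
    Finding("F-07", "high",     date(2024, 12, 2)),                       # open, 30 days
    Finding("F-08", "medium",   date(2024, 11, 2)),                       # open, 60 days
    Finding("F-09", "critical", date(2023, 11, 28)),                      # open, 400 days
    Finding("F-10", "low",      date(2022, 1, 1)),                        # open, 1096 days
    Finding("F-11", "high",     date(2024, 12, 28)),                      # open, 4 days (inside SLA)
]


def age_days(f: Finding, as_of: date = REPORT_DATE) -> int:
    """Days the finding was (or has been) open: to closure, or to the report date."""
    return ((f.closed or as_of) - f.opened).days


def median_time_to_resolve(findings: Iterable[Finding]) -> Optional[float]:
    """The report's 'MTTR': median days from Day 0 to fix, over closed findings only."""
    durations = [age_days(f) for f in findings if f.closed is not None]
    return median(durations) if durations else None


def sla_report(findings: Iterable[Finding], sla_days: int = 14, as_of: date = REPORT_DATE) -> dict:
    """Classify findings against a fix-within-N-days SLA. Open findings older than the
    SLA are breaches; open findings still inside the window are pending and excluded
    from the compliance ratio."""
    met = breached = pending = 0
    for f in findings:
        age = age_days(f, as_of)
        if f.closed is not None:
            if age <= sla_days:
                met += 1
            else:
                breached += 1
        elif age > sla_days:
            breached += 1
        else:
            pending += 1
    decided = met + breached
    return {"met": met, "breached": breached, "pending": pending,
            "compliance": met / decided if decided else None}


def survival_curve(findings: Iterable[Finding], as_of: date = REPORT_DATE) -> List[Tuple[int, float]]:
    """Kaplan-Meier estimate of S(t) = P(finding still unfixed after t days).
    Returns step points (t, S(t)) for each day on which at least one finding closed;
    open findings are right-censored at their current age."""
    obs = sorted((age_days(f, as_of), f.closed is not None) for f in findings)
    curve: List[Tuple[int, float]] = []
    survival = 1.0
    i, n = 0, len(obs)
    while i < n:
        t = obs[i][0]
        at_risk = n - i                     # every finding still open just before day t
        j, closures = i, 0
        while j < n and obs[j][0] == t:
            closures += obs[j][1]           # True == 1 for a closure, 0 for a censored finding
            j += 1
        if closures:
            survival *= 1 - closures / at_risk
            curve.append((t, survival))
        i = j
    return curve


def survival_at(curve: List[Tuple[int, float]], t: int) -> float:
    """Read S(t) off the step curve (1.0 before the first closure)."""
    survival = 1.0
    for day, value in curve:
        if day > t:
            break
        survival = value
    return survival


if __name__ == "__main__":
    curve = survival_curve(FINDINGS)
    print("median days to resolve:", median_time_to_resolve(FINDINGS))
    print("14-day SLA:", sla_report(FINDINGS))
    for horizon in (30, 365, 5 * 365):
        print(f"still unfixed after {horizon} days: {survival_at(curve, horizon):.0%}")
```

Two design points worth noting. The median is taken over closed findings only, which is how the report's 67-day figure is built and which flatters the result when many findings never close; the survival curve, which keeps the open ones in the denominator, is the more honest measure of exposure. Filtering `FINDINGS` by severity before calling either function reproduces the report's split between all findings and serious (high/critical) ones.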

52% of security leaders say they are under pressure to prioritise speed at the cost of security. Only half (50%) fully trust that they can identify and prevent a vulnerability introduced by their software suppliers, a particular concern given that 82% are required by customers or regulators to provide software security assurance.

"Regular pentesting has never been so important, particularly given the breakneck speed of AI adoption and the vulnerabilities that are introduced into an organization's security posture," said Gunter Ollmann, CTO, Cobalt.

"It's a concern that 31% of serious vulnerabilities are not being fixed; however, at least these firms are aware of the problem and can develop strategies to mitigate the risk. Organizations that do take an offensive security approach are taking a huge step toward strengthening defenses against cybercriminals, who typically attack opportunistically. In doing so they're getting ahead of any compliance requirements and reassuring their customers that they're safe to do business with," concluded Ollmann.
