WEBINAR
How Elite Teams Outpace the Average Adversary

5 Key Takeaways from the 2026 State of Pentesting Report

Every organization running a security program has a theory about how exposed they are to risk. But at Cobalt, we believe security confidence must be grounded in data, rather than assumptions. That is the driving force behind the 2026 State of Pentesting Report, our eighth edition, built on the foundation of our pentesting data from over 1,500 customers.

This year’s research draws from a massive dataset of thousands of pentests over five years, and a qualitative survey of 450 security leaders and practitioners.

What the data reveals is a stark divide between organizations that treat offensive security as a periodic compliance chore and those that have built it into their operational DNA. As we navigate a landscape redefined by machine-speed threats, here is the blueprint of what you need to know.

1. The Remediation Gap Is Your Greatest Liability

To understand the performance gap, you first have to understand half-life. Mean time to resolution (MTTR) only measures how fast you fixed the issues you have already fixed; half-life measures both the speed and the completeness of remediation, because the findings you haven't resolved yet count against it. That is why we consider half-life the single best measure of remediation performance: it reflects speed, thoroughness, and real risk reduction.

The report exposes a massive performance chasm: a 25x difference in half-life between the leaders and low-performing organizations in our data set. Top-performing leaders achieve a high-risk finding half-life of just 10 days. Meanwhile, the bottom 10% of organizations allow these same vulnerabilities to languish for 249 days. This creates an additional eight-month window of risk exposure for laggards—a timeframe that simply cannot exist in a world of machine-speed exploitation.
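The difference between MTTR and half-life is easiest to see on numbers. The Python below is an added example, not code from Cobalt or from the report. It assumes that "half-life" means the age at which half of all findings opened, still-open ones included, have been closed (my reading of the definition above, not the report's stated formula), and it runs on a constructed set of ten high-risk findings.

```python
from datetime import date
from math import ceil
from typing import List, Optional, Sequence, Tuple

# A finding is (opened_on, resolved_on); resolved_on is None while it is still open.
Finding = Tuple[date, Optional[date]]

# Constructed sample (not real data): four findings fixed within a week,
# one fixed after two months, five still open.
SAMPLE_FINDINGS: Sequence[Finding] = [
    (date(2026, 1, 5), date(2026, 1, 8)),   # 3 days
    (date(2026, 1, 5), date(2026, 1, 9)),   # 4 days
    (date(2026, 1, 6), date(2026, 1, 11)),  # 5 days
    (date(2026, 1, 6), date(2026, 1, 12)),  # 6 days
    (date(2026, 1, 7), date(2026, 3, 8)),   # 60 days
    (date(2026, 1, 8), None),
    (date(2026, 1, 9), None),
    (date(2026, 1, 12), None),
    (date(2026, 1, 14), None),
    (date(2026, 1, 20), None),
]


def resolution_ages(findings: Sequence[Finding]) -> List[int]:
    """Days from open to close for every resolved finding, ascending."""
    return sorted((resolved - opened).days
                  for opened, resolved in findings if resolved is not None)


def mttr_days(findings: Sequence[Finding]) -> Optional[float]:
    """Mean time to resolution: averages only the findings that were actually
    closed, so an open backlog of any size does not move it at all."""
    ages = resolution_ages(findings)
    return sum(ages) / len(ages) if ages else None


def half_life_days(findings: Sequence[Finding]) -> Optional[int]:
    """Assumed definition: the age at which half of ALL findings (open ones
    included) have been closed. Returns None when fewer than half are closed,
    i.e. the half-life has not been reached yet."""
    total = len(findings)
    if total == 0:
        return None
    ages = resolution_ages(findings)
    needed = ceil(total / 2)      # open findings stay in the denominator
    if len(ages) < needed:
        return None
    return ages[needed - 1]       # age of the closure that crosses the 50% mark


def resolution_rate(findings: Sequence[Finding]) -> Optional[float]:
    """Share of findings closed, regardless of how long each one took."""
    if not findings:
        return None
    return len(resolution_ages(findings)) / len(findings)


def open_backlog_ages(findings: Sequence[Finding], as_of: date) -> List[int]:
    """Current age in days of every still-open finding as of the given date."""
    return sorted((as_of - opened).days
                  for opened, resolved in findings if resolved is None)


if __name__ == "__main__":
    print("MTTR (days):       ", mttr_days(SAMPLE_FINDINGS))          # 15.6
    print("Half-life (days):  ", half_life_days(SAMPLE_FINDINGS))     # 60
    print("Resolution rate:   ", resolution_rate(SAMPLE_FINDINGS))    # 0.5
    print("Open backlog (days):", open_backlog_ages(SAMPLE_FINDINGS, date(2026, 4, 1)))
```

On the sample, MTTR reports a respectable 15.6 days even though half the findings are still open; half-life reports 60 days, and on a slice where fewer than half are closed it reports no value at all. That missing value is the backlog MTTR hides, and it is why a team can look fast on MTTR while its real exposure window keeps growing.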

2. AI Security is Falling Further Behind

As organizations sprint to adopt generative AI, a dangerous security blind spot has emerged. High-risk findings in LLM applications are surfacing at 2.7x the rate of traditional software. Despite this more than doubling of risk, AI vulnerabilities show a resolution rate of only 38%—the lowest among the testing types in our dataset.

Perhaps most telling is the human element: security professionals' confidence in their ability to keep up with AI adoption has plummeted, dropping from 64% in 2025 to just 51% this year. At the same time, 61% of practitioners are calling for a "strategic pause" to reinforce defenses. AI-enabled organizations are innovating faster than they are securing, and the teams on the front lines are sounding the alarm.

3. The C-Suite Perception Disconnect

One of the report’s most instructive moments is the discovery of a profound disconnect between leadership and practitioners. A majority of C-suite executives (57%) believe their organizations consistently meet remediation SLAs. However, only 15% of security practitioners—the ones actually performing the work—agree. This gap underscores the reality of engineering bottlenecks and resource constraints that leadership may not be seeing from the board level.

4. The Programmatic Advantage

For the first time in our research history, we see a tipping point: 53% of organizations now take a programmatic approach to pentesting (continuous, integrated, and risk-driven), exceeding the 40% who test primarily for compliance.

The data proves this isn't just a preference—it’s a performance driver. Organizations with a programmatic model are 4.5x more likely to resolve critical findings in three days or less compared to ad-hoc teams. When offensive security is integrated into the SDLC, it transforms from a reactive burden into a business enabler that builds customer trust.

5. Mapping Your Maturity: The Leaders Quadrant

To help organizations navigate this shift, we introduced the Offensive Security Leaders Quadrant. This framework demonstrates that strategy and performance are intricately linked.

The distinction is clear: strategic leaders set aggressive three-day SLAs and have the operational maturity to actually hit them nearly half the time (45%). In contrast, tactical teams operating in ad-hoc cycles only achieve that same three-day target 6% of the time.

I invite every CISO to use this report as a mirror. Map where you sit today and consider the operational shifts required to move your team from a tactical laggard to a strategic leader.

Conclusion: Take the Next Step

The 2026 State of Pentesting Report is more than just a collection of statistics; it is a roadmap for building a more resilient future. Security excellence is not a destination, but a continuous cycle of discovery and resolution.

The findings above are just scratching the surface of the breadth of data and depth of analysis in this report. Download the full report to get into the top vulnerability findings, including performance by industry, and survey results shedding light on the perspectives of security leaders and practitioners.

About Gunter Ollmann
Gunter Ollmann serves as Cobalt's Chief Technology Officer (CTO). With rich and diverse experience in cybersecurity innovation, Ollmann leads Cobalt's technology and services strategy, delivering AI-enabled offensive security solutions coupled with unmatched human ingenuity.