The new OWASP Top 10 2025 has been released, and as always, it’s a foundational moment for our industry. As a security researcher, I live and breathe this list. It’s the standard we use to train pentesters, build test methodologies, and help organizations prioritize risk. And this year, the list signals a major, important evolution.
The 2025 edition shows a clear shift away from individual code-level bugs and toward broad, systemic risks. But at Cobalt, our data from thousands of 2025 pentests reveals a critical gap between this new strategic focus and the tactical reality our pentesters find every day. To build a truly effective security program, you need to understand both.
The Big Shift: OWASP Becomes a C-Suite Guide
First, let's look at what's new. The 2025 list is less a "Top 10 Vulnerabilities" and more a "Top 10 Critical Risks." The most telling change is the inclusion of two new categories: A03: Software Supply Chain Failures (an expansion of the former A06:2021 category, Vulnerable and Outdated Components), and A10: Mishandling of Exceptional Conditions.
What’s fascinating about A03: Software Supply Chain Failures is that OWASP notes it was “overwhelmingly voted a top concern” by a community survey. This aligns perfectly with what we see at Cobalt. Our 2025 CISO Perspectives Report found that 68% of security leaders are concerned about third-party software.
This shows that OWASP is correctly identifying risks that keep CISOs up at night, even if they aren't easily found in a standard pentest. It also shows that at Cobalt, we’re not just performing tactical tests; we are advisors who understand the strategic risk landscape our clients are navigating.
The addition of supply chain failures, combined with the jump of A02: Security Misconfiguration from number five to number two, shows that OWASP is rightly focusing on how we build and deploy software, not just on the flaws in the code. This is a clear message to the C-suite about what to prioritize when building a long-term, resilient security program.
The Reality Gap: What Our 2025 Pentest Data Shows
While OWASP’s list looks at the horizon, our Cobalt pentest data shows what’s right in front of us. This is the ground truth of what our pentesters are actually finding in the wild, right now.
And this is where we see a bit of a divergence.
- Injection Disconnect
The biggest difference is Injection. OWASP demoted the broad injection category to number five on the list, suggesting it's a less critical risk. Our data tells a very different story. Cross-site scripting (XSS) remains our number one most frequent finding, accounting for 18.4% of all web vulnerabilities. SQL injection is our number four finding at 10.6%.
Combined, these two classic vulnerabilities make up 29% of all web pentest findings. While the industry may be talking about supply chain risk, organizations are still overwhelmingly struggling with foundational hygiene like input validation and output encoding.
- Access Agreement
But the lists don't only diverge. There is one area where the strategic risk and the tactical reality are in perfect, alarming agreement: access control. It’s a complex, high-impact flaw that we are still failing to solve at scale.
OWASP lists A01: Broken Access Control as the number one most critical risk. In our pentests, improper access control is the third-most frequent finding (11.8%). This is the one place where everyone, from the C-suite to the developer, is facing the same massive, unsolved problem. However, a vulnerability scanner alone can’t reliably detect broken access control, because whether a given request should be allowed is a question of business logic that the scanner has no way to know. For that you need a human pentester.
How Security and Dev Teams Should Use OWASP and Cobalt to Win
This is where we get practical. It's not that one list is right and the other is wrong. It's that they are two different tools for two different jobs.
- Use the OWASP Top 10 as your strategic plan.
The OWASP Top 10 is your "what to plan for" guide. It’s the document you take to leadership to justify budget and build your long-term program. When you need to get buy-in for a threat modeling program, point to A06: Insecure Design. When you need to invest in securing your CI/CD pipeline, you now have A03: Software Supply Chain Failures to back you up.
- Use the Cobalt Top 10 as your "tactical to-do list."
The Cobalt data is your "what to fix now" list. It shows the high-frequency flaws that your team is actually missing and that attackers are actively exploiting. If 29% of real-world findings are still Injection flaws, your developers need training on them today. It’s a reminder that while you must plan for tomorrow's systemic risks, you can't afford to be breached by yesterday's simple vulnerabilities.
A mature security program must be able to walk and chew gum at the same time. The 2025 OWASP list tells us where security risk is going. Our Cobalt data tells us where the biggest weaknesses are right now. You need to understand and address both.
Our Commitment to Community
Understanding this gap between strategic risk and tactical reality is at the core of what we do. We see ourselves as more than just pentesters; we are advisors to our clients and partners in the security community.
That’s why we share our pentest findings and research—to help all security and development teams make better decisions. We are also implementing changes to normalize our findings data using CWEs (Common Weakness Enumerations). This will not only improve our data structure but will soon allow us to share our data directly with OWASP, contributing to the industry-wide effort.
Furthermore, we have a process in place to update our pentest methodologies to incorporate the new OWASP Top 10 2025, ensuring our offering remains the gold standard in pentesting as a service.
This is the power of the Cobalt approach. The richness and breadth of our data—from thousands of pentests and in-depth research, such as our State of Pentesting Report—is what allows us to see the full picture, not just a list of common vulnerabilities. It’s the unique insights we gain from 5,000 annual pentests that will power our AI-assisted tools, empowering our human pentesters to be more creative, find the most critical risks, and help you build a truly resilient security program.
