Live DEMO
Join us for a live demo of our pentest for AI and LLMs.

Elevating Your Security Posture: Insights from the State of Pentesting Report 2025 and Our New Benchmarking Feature

At Cobalt, we're committed to empowering security leaders with the insights they need to make informed decisions and build stronger defenses. That's why we're excited to share key takeaways from our 7th annual State of Pentesting Report 2025 and introduce a powerful new feature: Benchmarks.

 

Understanding Your Performance: State of Pentesting Report 2025 Key Security Metrics

The State of Pentesting Report 2025, which analyzed 10 years of pentesting data and a survey of 450 security practitioners, offers critical insights into the offensive security landscape. To truly understand and improve your security posture, it's essential to track three key performance indicators highlighted in the report: the average rate of serious findings, the average resolution rate for serious findings, and Median Time to Resolution (MTTR).

  • Average rate of serious findings: Not all security issues uncovered during a pentest carry the same risk for your organization. That’s why we rate the severity of all findings on their likelihood of exploitation and the potential impact on technical and business operations. Tracking this rate is crucial because serious findings are the exploitable vulnerabilities that pose the highest risk to your organization, and a higher rate can signal gaps in your security development lifecycle or a need for more regular testing.
  • Average resolution rate for serious findings: Only 69% of serious pentest findings actually get resolved, and it takes more than a year to reach that high-water mark. Since these are the most concerning vulnerabilities, improving this rate directly reduces your overall risk exposure by ensuring critical vulnerabilities are not left unaddressed.
  • Median time to resolution (MTTR): MTTR measures how long it takes to fix identified findings. The MTTR for serious findings has significantly improved from 112 days in 2017 to 37 days in 2024. By accelerating your MTTR, you can reduce the window of opportunity for attackers and safeguard your assets.

Introducing: Organization Insights and Benchmarks

This brings us to our exciting new feature designed to address these very challenges: Benchmarks. 

The Organization Insights page in our platform helps you understand your current program and build a remediation plan based on your company’s performance. However, we've heard from our customers that they lack an understanding of how their organization's performance compares against their industry peers. 

To address this, we've introduced a dedicated "Benchmark" tab on the Organization Insights page where you can now:

  • Track your progress: See your own historical security data and trends, giving you a deeper understanding of your performance.
  • Benchmark against peers: Compare your organization's performance metrics against industry peers, leveraging the data from our State of Pentesting Report 2025. The average rate of serious findings, average resolution rate for serious findings, and MTTR help you understand your program’s performance relative to peers with similar risk profiles. This guides whether you need more budget to improve your program’s performance or to maintain your current leading performance.


Our extensive pentest data allows us to provide this unique benchmarking capability, empowering you to understand how your organization compares to your peers and track your security posture over time. 

 

Take Action 

Download the full State of Pentesting Report 2025 today to delve deeper into these insights, and explore the new Organization Insights and Benchmarks feature in your dashboard to see how you compare!

About Brittney Belt
As a Product Marketing Manager at Cobalt, Brittney leverages her PMM and cybersecurity expertise to translate complex technical concepts into clear, engaging narratives to showcase the value of Cobalt's pentesting and security services. She also leads the strategy for customer content, highlighting how customers partner with Cobalt to strengthen their security posture.