REPORT
The 25x Remediation Gap: See how elite security teams resolve risks in 10 days vs. 249

How to Get Top-Right of the Offensive Security Leaders Quadrant

When we set out to analyze five years of pentesting data for the 2026 State of Pentesting Report—drawing on more than 16,500 pentests across thousands of organizations—we expected to find performance differences between strong and struggling security programs. We did not expect the gap to be 25x.

That's not a typo. The top 10% of organizations in our dataset resolve their high-risk findings with a half-life of just 10 days. The bottom 10% take 249 days—eight extra months of exposure on the same class of vulnerability. Same risk profile at the starting line. Wildly different outcomes at the finish.

The natural assumption is that the gap reflects budget, headcount, or industry. The data says otherwise. We see well-funded enterprises stuck in the bottom decile and lean teams sitting at the top. What separates them isn't resources. It's how they've structured their offensive security program.

To make that pattern visible, we built something new this year: the Offensive Security Leaders Quadrant.

The Offensive Security Leaders Quadrant

[Figure: Offensive Security Leaders Quadrant]

In addition to the data from thousands of pentests, we mapped organizations along two axes using data from our survey of 450 security leaders and professionals:

  • Pentesting strategy maturity: Compliance-driven and reactive on the low end, programmatic and integrated with the SDLC on the high end.
  • SLA performance: Low achievement at the bottom, fast remediation at the top.

Four groups emerged.

Strategic Leaders sit in the top-right. They've moved to continuous PTaaS integration, 51% set aggressive three-day critical SLAs, and 45% actually resolve critical findings within that window.

Programmatic Ascendants are on the right but lower. They've adopted a programmatic strategy—75% are using PTaaS—but their remediation workflows are still maturing. They have the foundation; they're still building the muscle.

Compliance Accelerators follow a compliance-driven strategy. Just 15% have set a three-day critical SLA, and only 10% hit that target.

Tactical Teams are in the bottom-left. Ad hoc testing, infrequent cadence, and the lowest SLA achievement of any group—only 6% hit a three-day critical SLA. This is where the highest exposure risk lives.

The quadrant is not a judgment; it's a map. Most CISOs, when they see it, recognize their own program in one of the four boxes — and the question becomes which direction they're moving, and how fast.
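The two numbers the quadrant's vertical axis rests on, the remediation half-life from the opening paragraphs and the three-day critical SLA hit rate, are easy to compute from any findings export. The script below is an added example, not code from the report or from Cobalt; the finding schema, the two constructed programs (a "leader" and a "laggard") and the as-of date are all assumptions. Open findings are treated as censored rather than dropped, so an old backlog pushes the half-life up instead of disappearing from the metric.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional


@dataclass(frozen=True)
class Finding:
    """One pentest finding as it sits in a risk register (constructed schema)."""
    finding_id: str
    severity: str             # "critical", "high", "medium", "low"
    opened: date              # date the finding was reported
    resolved: Optional[date]  # None while the finding is still open


def remediation_half_life(findings: Iterable[Finding], as_of: date,
                          severities=("critical", "high")) -> Optional[int]:
    """Days until half of the selected findings are resolved.

    Open findings are censored: they stay in the denominator but contribute
    no resolution age, so a backlog of old open findings raises the half-life.
    Returns None when fewer than half of the findings are resolved by `as_of`.
    """
    selected = [f for f in findings if f.severity in severities]
    if not selected:
        return None
    ages = sorted((f.resolved - f.opened).days
                  for f in selected
                  if f.resolved is not None and f.resolved <= as_of)
    needed = (len(selected) + 1) // 2        # ceil(n / 2) of the population
    if len(ages) < needed:
        return None
    return ages[needed - 1]


def sla_hit_rate(findings: Iterable[Finding], as_of: date,
                 severity: str = "critical", sla_days: int = 3) -> Optional[float]:
    """Share of findings of one severity closed inside the SLA window.

    Hit: resolved within sla_days. Miss: resolved later, or still open past its
    due date. Open findings that are not yet due are excluded, so a finding
    reported yesterday does not register as a miss. None when nothing is due.
    """
    hits = misses = 0
    for f in findings:
        if f.severity != severity:
            continue
        if f.resolved is not None and f.resolved <= as_of:
            if (f.resolved - f.opened).days <= sla_days:
                hits += 1
            else:
                misses += 1
        elif (as_of - f.opened).days > sla_days:
            misses += 1                       # open and overdue
    due = hits + misses
    return hits / due if due else None


def program_scorecard(findings: Iterable[Finding], as_of: date) -> dict:
    """Both vertical-axis metrics for one program, as a small dict."""
    findings = list(findings)
    return {"half_life_days": remediation_half_life(findings, as_of),
            "critical_3day_sla": sla_hit_rate(findings, as_of)}


# Constructed sample data (not from the report). Snapshot date for the metrics:
AS_OF = date(2026, 3, 31)

# A program that closes most findings quickly; one critical reported 2 days ago.
LEADER = [
    Finding("L-1", "critical", date(2026, 1, 5),  date(2026, 1, 7)),    # 2 days
    Finding("L-2", "critical", date(2026, 1, 10), date(2026, 1, 14)),   # 4 days
    Finding("L-3", "high",     date(2026, 1, 12), date(2026, 1, 22)),   # 10 days
    Finding("L-4", "high",     date(2026, 2, 1),  date(2026, 2, 13)),   # 12 days
    Finding("L-5", "high",     date(2026, 2, 10), date(2026, 3, 2)),    # 20 days
    Finding("L-6", "critical", date(2026, 3, 29), None),                # not yet due
]

# A program with a months-old backlog; half of its findings are still open.
LAGGARD = [
    Finding("G-1", "critical", date(2025, 6, 1),  date(2025, 9, 9)),    # 100 days
    Finding("G-2", "high",     date(2025, 5, 1),  date(2025, 10, 28)),  # 180 days
    Finding("G-3", "high",     date(2025, 4, 1),  date(2025, 12, 6)),   # 249 days
    Finding("G-4", "critical", date(2025, 10, 1), None),                # open, overdue
    Finding("G-5", "high",     date(2025, 11, 15), None),
    Finding("G-6", "high",     date(2025, 12, 1),  None),
]

if __name__ == "__main__":
    for name, program in (("leader", LEADER), ("laggard", LAGGARD)):
        print(name, program_scorecard(program, AS_OF))
```

Run it and the constructed leader shows a 10-day half-life with half of its due criticals closed inside three days, while the laggard shows a 249-day half-life and no critical closed on time. The useful property for a security team tracking its own position on the quadrant is that the open backlog is never hidden: if more than half of the high-risk findings are still open, the half-life is reported as undefined rather than as a flattering median of whatever happened to get fixed.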

What separates Strategic Leaders from everyone else

When we isolated what Strategic Leaders do differently, one factor dominated: a programmatic approach to offensive security. Organizations with a programmatic strategy are 4.5x more likely to hit a three-day critical SLA compared to those operating under a compliance-driven or ad hoc model.

That 4.5x multiplier shows up in three operational practices that we see consistently across leaders and rarely across laggards.

Integrated Testing

Pentest findings have to land in the workflow of the people who fix them—same tool, same context, same prioritization framework. The teams losing this race are the ones still emailing PDF reports and re-keying findings into Jira by hand. Every handoff is friction, and friction is measured in days of MTTR.

Strategic Leaders integrate findings directly into developer and IT workflows. When a high-risk vulnerability surfaces, it appears as a ticket in their Jira or ServiceNow ticketing system, with reproduction steps, severity, and ownership already attached. The engineer doesn't need to interpret a PDF; they need to ship a fix. That's the difference between a 10-day MTTR organization and a 100-day organization.

Continuous Testing

The annual pentest model is a predictor of poor performance in our data. By the time the report lands, your codebase has moved on, the threat landscape has shifted, and half of what was tested no longer exists in production.

Continuous testing—what most leaders deliver through Pentesting as a Service (PTaaS)—flips the cadence. Instead of a single annual snapshot, you get a rolling assessment that keeps pace with how your applications actually evolve. Findings surface as code ships, not six months later. Depending on code velocity and the size of the change, a broad-scope, narrow-scope, or dynamic assessment right-sizes the test to the attack surface and keeps it timely. That's how a Strategic Leader catches a high-risk vulnerability in week one rather than discovering it during next year's compliance audit.

This is especially urgent for AI applications. Our pentest data shows AI and LLM systems harbor high-risk findings at 2.7x the rate of traditional software—and they have the lowest resolution rate of any asset class we test at just 38%. An annual cadence isn't enough for assets evolving that fast.

Autonomous and AI-Powered Testing

The next evolution is already here. Human-led pentesting is—and will remain—the gold standard for surfacing novel attack chains and business logic flaws. But human pentesters are most valuable when they're augmented, not bottlenecked. AI-powered tooling now handles a meaningful share of reconnaissance, vulnerability triage, and regression validation, freeing human experts to focus on the work only they can do: chained exploits, lateral movement, and the creative attacker reasoning that no model has yet replicated.

The leaders in our dataset aren't choosing between human-led and AI-powered. They're combining both. That's how a team gets the depth of human expertise with the scale and speed of automation—and how they keep pace with attackers who are themselves using AI to accelerate their tradecraft.

The Strategic Choice

The single most important sentence in this year's State of Pentesting Report is this: the 25x remediation gap is a strategic choice, not a resource constraint.

Strategic Leaders aren't smarter, better funded, or operating in easier industries. They've simply made different decisions about how their offensive security program is structured. They've moved from periodic to continuous. From siloed to integrated. From human-only to human-led and AI-powered.

The encouraging part of that finding is that the levers are available to everyone. If your program is currently in the Tactical Teams quadrant, the path forward isn't a budget request—it's a structural change. Move to a continuous cadence. Integrate findings into your existing dev and IT workflows. Augment your human pentesters with AI-powered tooling. Set SLAs you'll actually be measured against, and treat your pentest output as a live risk register rather than a periodic deliverable.

In an era where AI applications are introducing risk at nearly three times the historical rate, and where attackers are leveraging AI to compress their own timelines, the gap between the leaders and everyone else is going to widen—not narrow—for organizations that don't make the shift.

The 2026 State of Pentesting Report tells you where you stand. The Offensive Security Leaders Quadrant tells you where to go. Download the report today.


About Deepak Dalvi
Dalvi brings extensive experience leading product strategy and innovation across cloud, endpoint, and data security. Prior to joining Cobalt, he held senior leadership roles at Trellix, Aqua Security, and Lacework, where he helped grow and modernize security portfolios and delivered and scaled value with automation, AI, and SaaS for global enterprises. At Cobalt, Dalvi will focus on accelerating platform innovation, expanding enterprise capabilities, advancing continuous pentesting, and accelerating AI capabilities as a core component of modern security programs.