WEBINAR
Learn how tech company HeyJobs achieves a comprehensive AppSec testing program on a tight budget.

State of Pentesting 2025: Your Questions Answered

Our recent webinar, "State of Pentesting 2025 Report: What 10 Years of Data Tells Us About Real Risk," offered a valuable opportunity to dissect key industry trends. Joined by our CTO, Gunter Ollmann, and Wade Baker, co-founder of the Cyentia Institute, we shared compelling insights from our latest State of Pentesting 2025 report. The engagement from the audience was a definite highlight, with questions posed that cut to the heart of modern offensive security and risk management.

This post explores the questions asked during the webinar, providing more detailed answers based on our report, the live conversation, and my own ten years of experience in offensive security. For those who couldn't join us live or would like a refresher, the full webinar recording is available here. Now, let's get to those questions.

Your Questions Answered: Insights from the State of Pentesting 2025 Discussion

The questions have been grouped by theme for clarity and comprehensive responses.

How does Cyentia continue to be the best data scientists in the cybersecurity field by such a wide margin?

We are proud to partner with the team at Cyentia. They are not only great at what they do, but great people! Cyentia specializes in cybersecurity data, which means they bring a sophisticated understanding of our industry’s nuances in addition to the technical analysis of a wide array of datasets. I personally have appreciated their commitment to ensuring data is analyzed appropriately and transparently. Our collaboration with Cyentia on the State of Pentesting Report demonstrates their ability to transform complex data into clear, actionable intelligence.

Is the use of “impact rating” meant to be based on impact to the business? Is the “likelihood of exploitation” based on ease of exploitation e.g., publicly available exploits?

During the webinar, we discussed how Cobalt uses the OWASP Risk Rating Methodology. The “impact rating” is first mapped to the vulnerable asset being assessed and then measures the potential business consequences: loss of confidentiality, data integrity issues, reduced availability, reputational damage, and financial loss. “Likelihood” assesses the probability that an attacker exploits the vulnerability and is influenced by factors such as the skill level required, opportunity, discoverability, and, as the question notes, the availability of public exploits. In the State of Pentesting Report, "serious findings" were those where both likelihood and impact were high or very high, since survey data indicated that criticality is the primary driver for prioritization.

Cobalt's severity level definitions are described in more detail here.
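As an added example (not code from the report, the webinar or Cobalt), here is a small Python calculator for the OWASP Risk Rating Methodology referenced above: it averages OWASP's 0-9 likelihood and impact factors, bands them, looks up the overall severity, and flags a finding as "serious" when both likelihood and impact land in the top band. The factor values are constructed, and mapping the report's "high or very high" to OWASP's single HIGH band is an assumption.

```python
from statistics import mean

# OWASP Risk Rating Methodology: eight likelihood and eight impact factors, each scored 0-9.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",                              # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",  # vulnerability
)
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity", "loss_of_availability", "loss_of_accountability",
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)
# OWASP overall severity matrix, keyed by (likelihood band, impact band).
OVERALL = {
    ("LOW", "LOW"): "NOTE",    ("LOW", "MEDIUM"): "LOW",       ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW",  ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
}

def band(score: float) -> str:
    """OWASP bands for an averaged score: 0-<3 LOW, 3-<6 MEDIUM, 6-9 HIGH."""
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def average(factors: dict, names: tuple) -> float:
    """Average the named factors (OWASP weights them equally); reject missing or out-of-range values."""
    missing = [n for n in names if n not in factors]
    if missing:
        raise KeyError(f"missing factors: {missing}")
    if any(not 0 <= factors[n] <= 9 for n in names):
        raise ValueError("each factor must be scored 0-9")
    return mean(factors[n] for n in names)

def rate_finding(likelihood: dict, impact: dict) -> dict:
    """Return OWASP scores, bands, overall severity and whether the finding is 'serious'."""
    l_score, i_score = average(likelihood, LIKELIHOOD_FACTORS), average(impact, IMPACT_FACTORS)
    l_band, i_band = band(l_score), band(i_score)
    return {
        "likelihood": l_score, "likelihood_band": l_band,
        "impact": i_score, "impact_band": i_band,
        "overall": OVERALL[(l_band, i_band)],
        # Assumption: the report's "high or very high" on both axes maps to OWASP's HIGH band.
        "serious": l_band == "HIGH" and i_band == "HIGH",
    }

# Constructed sample finding: public exploit available (ease_of_exploit=9), little skill required.
SAMPLE_LIKELIHOOD = dict(skill_level=9, motive=4, opportunity=9, size=9,
                         ease_of_discovery=7, ease_of_exploit=9, awareness=9, intrusion_detection=3)
SAMPLE_IMPACT = dict(loss_of_confidentiality=7, loss_of_integrity=7, loss_of_availability=5,
                     loss_of_accountability=7, financial_damage=7, reputation_damage=5,
                     non_compliance=5, privacy_violation=7)
```

Running `rate_finding(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT)` on the constructed sample yields likelihood 7.375 (HIGH) and impact 6.25 (HIGH), so the finding is rated CRITICAL overall and counts as serious.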

What does the data say about exploit prediction considerations? Thinking about how EPSS could inform prioritization.

The Exploit Prediction Scoring System (EPSS) provides a probability score that a known CVE will be exploited. However, many findings from a comprehensive pentest, especially in custom applications or unique misconfigurations, won't have CVEs. The State of Pentesting 2025 report reflects this, as a comprehensive pentest delivers insights beyond mere CVE identification. While EPSS scores may not apply to every pentest finding, the underlying principles—like considering exploit code maturity and ease of exploitation—are factors experienced pentesters systematically evaluate. Incorporating more explicit data points for non-CVE vulnerabilities is an area for ongoing research. The report data identifies many "Serious Findings" which, even without CVEs, represent clear risks based on expert assessment.

Do any of these datasets and/or analyses have data that says if the systems these findings are on are desktop v. mobile v. server? Operating systems versus application? Application type? Application function?

Yes, the State of Pentesting Report breaks down findings across various asset types. While the live session focused on broader trends, the full report goes into these specifics like top findings on web, mobile, and AI/LLM applications. Understanding these differences is crucial for tailoring effective security testing and remediation.

Would the Time to Resolve be tied to the fact that smaller orgs are more likely to rely on hosted services for their more critical/complex functions? (Think patching on-prem Exchange versus Microsoft patching Azure-hosted.)

Resolution Rate by Company Size (Figure 21 from State of Pentesting Report 2025)


The State of Pentesting 2025 report noted a somewhat counterintuitive trend: smaller firms often demonstrate better performance than large enterprises in resolving pentest findings. We speculate that this is not because they have more resources, but perhaps because they carry less technical baggage. Their systems are usually newer, less complex, and more modular. Without sprawling legacy infrastructure or deeply entangled interdependencies, they can identify, prioritize, and remediate vulnerabilities more directly. This streamlined architecture drastically reduces the friction that bogs down remediation efforts in larger enterprises.

While it's true that many smaller organizations rely on cloud or third-party platforms, that relationship can be a double-edged sword. Fixes dependent on external vendors might actually take longer to implement. However, smaller companies could offset this by quickly implementing their own mitigating controls, such as configuration changes or access restrictions, to reduce exposure until a permanent fix is deployed. The key difference lies in the agility and decisiveness that smaller teams can apply when the scope is tight and systems are simpler.

In contrast, large enterprises frequently wrestle with legacy systems, change control processes, and cross-functional coordination. These factors inflate MTTR regardless of the number of available hands, because risk and remediation must be threaded through a maze of governance and interdependent technologies. So while the scale is different, smaller companies benefit from architectural clarity, and that often means faster action.

It would be beneficial to view these results through a risk quantification lens. For instance, what percentage of top vulnerabilities for critical risk scenarios are addressed within specific timeframes, and how does that remediation reduce financial impact?

Love it! This is absolutely a direction we’ve been considering for future reports. Translating technical vulnerabilities into tangible business risk, often in financial terms, is crucial for articulating their significance to leadership and justifying security investments. While the State of Pentesting report provides insights into vulnerability types, severity, and remediation timelines, risk quantification would add another critical layer.

Do you find value in pentests that only exploit CVEs?

Vulnerability scans are important, but we expect more from a real pentest. As discussed earlier, many vulnerabilities uncovered during a pentest will not have an assigned CVE because they are in customized software. A security assessment focused solely on known CVEs is closer to an authenticated vulnerability scan than to a penetration test. Vulnerability scanners are essential for hygiene against common, documented threats.

However, a comprehensive penetration test extends well beyond CVEs. As Ollmann stated, "Pentesting moves us from assumption to evidence... It provides clarity that automated tools can’t." A thorough pentest uncovers business logic flaws, custom code vulnerabilities (which often lack CVEs), vulnerabilities arising from chained exploits, and risks from misconfigurations. Pentesters employ creativity, critical thinking, and an understanding of business context—human intelligence that automated tools can't replicate. Crucially, pentesting validates the actual effectiveness of defensive controls against realistic attack methodologies. While addressing CVEs is necessary, the deeper value of pentesting lies in uncovering unknown vulnerabilities and providing a realistic evaluation of resilience against thinking adversaries.

Take the Next Step: Dive Deeper into the Data

This Q&A discussion provides a glimpse into the broader findings and ongoing conversations in our field. The State of Pentesting 2025 report offers far more extensive data, in-depth analysis, and crucial insights into vulnerability trends, resolution benchmarks, industry comparisons, and the ever-evolving threat landscape.
We encourage you to:

About Anne Nielsen
Anne L. Nielsen is the Executive Director of Product Marketing at Cobalt. With over 15 years of experience, Anne has a strong record in scaling strategic products and building effective, customer-focused teams. She is also an advocate for diversity and innovation, having initiated employee-led D&I and Hackathon programs to foster an inclusive and creative workplace.