REPORT
The 25x Remediation Gap: See how elite security teams resolve risks in 10 days vs. 249

The 15 Most Important Stats from the 2026 State of Pentesting Report

In cybersecurity, there is the security posture you think you have, and then there is the one an attacker actually sees. Most teams operate on a comfortable theory—believing their defenses are a seamless shield—until a real-world test proves otherwise.

This report shows what’s actually happening behind the curtains, with real data and insights to back it up.

Across thousands of real-world pentests and a survey of 450 security leaders, one thing becomes clear: the gap between perception of security and actual security is wider than most organizations expect. When you look closer, the real story isn’t just about vulnerability discovery, but what happens next.

To help cut through this vast volume of data to find the signal, we’ve pulled together the 15 most important statistics from the 2026 State of Pentesting Report—each one offering a clearer view into how modern security programs are actually performing.

The Remediation Gap: A 25x Performance Divide

Perhaps the most striking finding in the report is the stark difference in how organizations handle their security findings.

  • The "Half-Life" Metric: At Cobalt, we use the "half-life" of high-risk findings—a measure of both speed and completeness—to track remediation performance.
  • The Gap: Top-performing organizations achieve a high-risk finding half-life of just 10 days, while the bottom tier of organizations languishes for 249 days.
  • The Impact: This 25x remediation gap results in eight extra months of risk exposure for the bottom tier.
  • Resolution Rates: While the typical organization resolves 86% of its high-risk findings, the total resolution rate across the five-year dataset remains stuck at 52%.

The AI Security Dilemma

Artificial intelligence is transforming the threat landscape, yet security practices are struggling to keep pace.

  • Elevated Risk: AI/LLM applications are harboring high-risk findings at a rate nearly 2.7 times higher than the overall dataset of all of our pentests (32% vs. 12%).
  • Low Resolution: Despite their elevated risk, AI/LLM high-risk findings have the lowest resolution rates of any testing category, at just 38%.
  • Waning Confidence: Security professionals' confidence in their ability to handle AI security has plummeted, dropping from 64% in 2025 to 51% in 2026.
  • Incidents: Nearly 1 in 5 (19%) organizations have already experienced an AI- or LLM-related security incident. That doesn’t even count those who said “not sure” (18%) or “prefer not to answer” (19%).
  • Top Causes: The primary nature of these incidents includes Shadow AI (44%), Improper output handling (41%), Data and model poisoning (41%), Supply chain issues (35%), and Prompt injection (34%).

Perceptions vs. Reality: The C-Suite Disconnect

The report reveals a significant misalignment between leadership and the security practitioners who perform the day-to-day work.

  • SLA Confidence: 57% of C-suite executives believe their organization consistently meets remediation SLAs, while only 15% of security practitioners agree.
  • SLA Struggles: 77% of practitioners report that meeting SLAs is a genuine struggle, compared to just 37% of executives.
  • The Result: The median organization takes 39 days to resolve high-risk findings, failing to meet the aggressive SLA targets—often set at 7 days—that many organizations aim for.
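The "half-life" metric and the SLA figures above are benchmarks a team can compute for its own backlog. The following is an added worked example, not code from the report or from Cobalt; it assumes a plain definition of half-life (the elapsed time by which at least half of all high-risk findings, open ones included, have been resolved, so a program that never closes half of them has no finite half-life) and runs on a small set of constructed finding records.

```python
"""Remediation metrics over a findings backlog.

Added example; assumes the half-life definition described in the lead-in,
which is an assumption about how such a metric would be computed, not the
report's published methodology. All finding data below is constructed.
"""
import math
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str          # "critical", "high", "medium", "low"
    opened: date
    resolved: Optional[date]  # None while the finding is still open


HIGH_RISK = {"critical", "high"}


def high_risk(findings: List[Finding]) -> List[Finding]:
    """Keep only the findings the report would count as high-risk."""
    return [f for f in findings if f.severity in HIGH_RISK]


def days_open(f: Finding) -> int:
    return (f.resolved - f.opened).days


def resolution_rate(findings: List[Finding]) -> float:
    """Share of high-risk findings that have been closed (completeness)."""
    hr = high_risk(findings)
    if not hr:
        return 0.0
    return sum(1 for f in hr if f.resolved) / len(hr)


def half_life_days(findings: List[Finding]) -> Optional[int]:
    """Days after opening by which half of all high-risk findings are closed.

    Open findings stay in the denominator, so speed and completeness are
    both captured: if fewer than half were ever resolved, return None
    (the half-life is effectively infinite).
    """
    hr = high_risk(findings)
    if not hr:
        return None
    ages = sorted(days_open(f) for f in hr if f.resolved)
    needed = math.ceil(len(hr) / 2)
    if len(ages) < needed:
        return None
    return ages[needed - 1]


def median_days_to_resolve(findings: List[Finding]) -> Optional[float]:
    """Median time-to-close over resolved high-risk findings only."""
    ages = [days_open(f) for f in high_risk(findings) if f.resolved]
    return median(ages) if ages else None


def sla_compliance(findings: List[Finding], sla_days: int) -> float:
    """Share of high-risk findings closed within the SLA window.

    Findings still open count as not meeting the SLA.
    """
    hr = high_risk(findings)
    if not hr:
        return 0.0
    met = sum(1 for f in hr if f.resolved and days_open(f) <= sla_days)
    return met / len(hr)


# Constructed sample backlog (not real pentest data).
SAMPLE: List[Finding] = [
    Finding("F-1", "high", date(2026, 1, 5), date(2026, 1, 8)),      # 3 days
    Finding("F-2", "critical", date(2026, 1, 5), date(2026, 1, 12)), # 7 days
    Finding("F-3", "high", date(2026, 1, 10), date(2026, 2, 19)),    # 40 days
    Finding("F-4", "high", date(2026, 1, 12), date(2026, 3, 1)),     # 48 days
    Finding("F-5", "high", date(2026, 1, 15), None),                 # still open
    Finding("F-6", "critical", date(2026, 2, 1), None),              # still open
    Finding("F-7", "medium", date(2026, 1, 5), date(2026, 1, 6)),    # not high-risk
]


if __name__ == "__main__":
    print(f"resolution rate : {resolution_rate(SAMPLE):.0%}")
    print(f"half-life       : {half_life_days(SAMPLE)} days")
    print(f"median to close : {median_days_to_resolve(SAMPLE)} days")
    print(f"7-day SLA met   : {sla_compliance(SAMPLE, 7):.0%}")
```

Keeping open findings in the denominator is what makes half-life stricter than a plain median time-to-close: the sample backlog has a median of 23.5 days among closed findings but a 40-day half-life, because two of six high-risk findings are still open and only a third meet a 7-day SLA.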

Maturing the Program: The Path Forward

The data makes it clear: the difference between top-performing teams and those who fall behind is rarely about resources; it is about strategy.

  • Programmatic Advantage: Organizations that adopt a programmatic approach—continuous, integrated, and risk-driven—are 4.5 times more likely to resolve critical findings in three days or less, compared to those using compliance-driven or ad hoc models.
  • Adoption Rates: For the first time, the share of organizations taking a programmatic approach (53%) exceeds the share testing primarily for compliance (40%).
  • Executive Support: 8 in 10 organizations reported that their offensive security budgets grew in the past year—a positive sign for organizations attempting to become programmatic leaders.

The Bottom Line: Execution Is What Sets Teams Apart

These findings point to a larger shift happening in security. The data shows that even as organizations invest more in security and adopt new technologies like AI, many are still struggling with the fundamentals: aligning teams, meeting SLAs, and consistently resolving the issues they already know about.

The organizations pulling ahead aren’t necessarily doing more. They're simply operating differently to meet the reality that we live in today, moving from one-time testing to continuous programs, from static reports to integrated workflows, and from assumptions to measurable outcomes.

It’s one thing to run a security program, but it's another to know how it actually compares to your industry peers. The 2026 State of Pentesting Report gives you that benchmark—across remediation speed, resolution rates, AI risk, and program maturity.

No organization wants to be the victim of a security breach, and the risk is broadly shared. But you don’t have to be one if you're continuously improving your posture. If you want to understand where your team stands and what it takes to close the gap, this is where to start.


About Claire Bishop
Claire Bishop is the Social Media and Content Marketing Lead at Cobalt, where she owns the editorial calendar and leads content strategy across the company’s blog, social channels, and video programs. She partners closely with product marketing, demand generation, and design to ensure content supports business goals. Claire brings a strong background in B2B SaaS and cybersecurity marketing and holds a B.A. in English from the University of California, Davis.