Right now, the media and regulators are hyper-focused on frontier models being pulled back by the government for being "too dangerous"—despite heavy debate over whether their extreme guardrails actually rendered them useless in the first place. But while the world is distracted by theoretical doomsday scenarios of super-intelligent models escaping the lab, Cobalt pentesting data in 2026 reveals the actual, immediate danger is already inside your network: well-meaning developers rushing to bolt standard LLMs onto legacy architectures.
We are officially living in the era of ubiquitous AI. The relentless pressure from the board to adopt LLMs and autonomous agents has created a fascinating—and slightly terrifying—new attack surface. We are moving incredibly fast, and things are absolutely breaking.
Looking at the empirical data from the Cobalt State of Pentesting Report 2026 and the dedicated survey data in the Cobalt AI and Pentesting Pulse Report, one thing is abundantly clear: AI is fundamentally shattering our traditional security metrics. Organizations are expanding their attack surfaces, and the gap between AI security risk and our security response is widening and hard to close.
Let's dive into the hard numbers driving this massive paradigm shift.
The Executive Reality Check: The 2.7x Multiplier
For security directors and management teams trying to sleep at night, the most jarring statistic from the latest State of Pentesting Report isn't just the sheer volume of vulnerabilities we are finding. It's the alarming density of critical risks.
In traditional software releases, we’ve grown accustomed to a certain baseline. We generally expect about 12% of identified vulnerabilities to be classified as high or critical severity, and that is what the pentest data has shown over the past few years. It’s manageable. But when we pivot to AI and LLM environments, that number absolutely skyrockets to 32% classified as the highest risk.
That is a 2.7x increase in the concentration of high-severity risks, a ratio that has held stubbornly steady for two consecutive years.
This consistency is a massive flashing signal. It proves this isn't just a first-year artifact of novelty or inexperience. The attack surface is maturing significantly faster than the security practices built around it. Crucially, AI applications do not replace the vulnerabilities of conventional software—they just layer complex new ones on top. A slick new web app with an LLM integration is still fully susceptible to good old-fashioned SQL injection; it is simply also susceptible to prompt injection. The risk profile here is additive, not substitutive. You are inheriting the sins of the past while inventing the flaws of the future.
The Remediation Paradox: Why Slower Actually Means Better
What’s even more troublesome is this—the remediation pipeline for these AI and LLM vulnerabilities is severely bottlenecked. While the AI/LLM resolution rate saw a respectable 17-point improvement this year, it still sits in dead last across all asset classes at 38.4%. (For context, APIs are sitting pretty at 77.3%).
That means we are operating with a 2-to-1 resolution deficit: for every single high-risk AI vulnerability an organization successfully remediates, two remain unpatched, rotting in production and open to exploitation.
Interestingly, the median time to resolve (MTTR) for high-risk AI findings actually increased from 19 days in 2025 to 36 days in 2026. If you are an executive looking at a dashboard, this looks like a regression. But if you are a practitioner, you know it's actually the MTTR Paradox. Back in 2025, teams were only fixing the easy wins—the low-hanging fruit. As the resolution rate climbed to 38% in 2026, teams finally rolled up their sleeves and began tackling a much harder class of vulnerabilities. These are the bugs that require deep architectural changes, vendor coordination, and retraining models, rather than simple software patches.
The rising MTTR reflects expanding ambition and maturity, not declining performance.
Deconstructing the Data: A Cobalt Risk Prioritization Score Quadrant
To understand what is actually breaking under the hood, we need to look at the incredibly detailed AI and pentesting Pulse Report data, powered by Cobalt pentests. By mapping the Cobalt 2026 dataset on a scatter plot measuring frequency against severity, we get a clear, mathematical picture of the threat landscape that we can call the CRPS (Cobalt Risk Prioritization Score).
Here is exactly how the vulnerabilities shake out in each of the four quadrants:
1. The Danger Zone (Frequent and Severe)
- Prompt Injection (37.6% Freq | 34.4% Sev): The undisputed heavyweight champion of LLM vulnerabilities. It’s everywhere, and it hits hard. There is no silver-bullet patch for this. Both direct (user-input) and indirect (hidden in RAG-ingested files) prompt injections allow attackers to entirely subvert model guidelines. You can't just sanitize this input like XSS because the model needs to understand context.
- Sensitive Info Disclosure (6.2% Freq | 28% Sev): LLMs are eager to please. If you don't build incredibly strict guardrails, they are more than happy to leak your proprietary training data, internal system prompts, and customer PII to anyone who asks nicely.
2. The Nuisances (Frequent and Lower Severity)
- Insecure Output Handling (10.2% Freq | 24.4% Sev): A classic "old meets new" vulnerability. It’s highly frequent because developers implicitly trust the LLM’s output way too much. They take unsanitized model responses and pass them directly to downstream parsers. Hackers love this because it's a trivial pivot into classic XSS or Server-Side Request Forgery (SSRF) via the LLM pipeline.
3. The Sleepers (Rare and Severe)
- Insecure Plugin Design and Model Theft (0.5% Freq | 50% Sev): Incredibly rare, but catastrophic when they land. If an attacker steals your fine-tuned model weights, your intellectual property is gone.
- Excessive Agency (4% Freq | 37.5% Sev): This is the ticking time bomb of the autonomous agent era. Giving models read/write access to internal APIs, databases, or email clients means a single successful prompt injection instantly turns into Remote Code Execution by proxy.
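As an added illustration (not code from the report or from Cobalt), here are the two "old meets new" sinks from the list above side by side: rendering model text straight into HTML beside the escaped form, and an agent tool dispatcher that refuses any tool call outside an explicit allowlist instead of handing the model blanket access. The sample model responses, tool names and hosts are constructed for the example.

```python
"""Treat LLM output as untrusted input at both sinks the list above names:
the HTML renderer (insecure output handling) and the tool dispatcher
(excessive agency)."""
import html
from urllib.parse import urlparse

# Constructed sample model output, as an attacker-influenced LLM might return it.
MODEL_HTML = 'Summary: <img src=x onerror="alert(1)">'

# Constructed sample tool calls emitted by an agent: one legitimate, one
# reaching an internal host via the LLM pipeline (the SSRF pivot), one
# invoking a tool the agent was never meant to have.
MODEL_TOOL_CALLS = [
    {"tool": "http_get", "args": {"url": "https://docs.example.com/faq"}},
    {"tool": "http_get", "args": {"url": "http://internal-admin.example/"}},
    {"tool": "send_email", "args": {"to": "someone@example.net", "body": "..."}},
]


def render_unsafe(model_text):
    # Vulnerable: model text lands in the page as live markup.
    return f"<div class='answer'>{model_text}</div>"


def render_safe(model_text):
    # Hardened: escape before the browser's HTML parser ever sees it.
    return f"<div class='answer'>{html.escape(model_text)}</div>"


# Least privilege for the agent: only the tools and hosts this workflow needs.
ALLOWED_TOOLS = {"http_get"}
ALLOWED_HOSTS = {"docs.example.com"}


def authorize_tool_call(call):
    """Return (allowed, reason). Denies by default; the model cannot widen it."""
    tool = call.get("tool")
    if tool not in ALLOWED_TOOLS:
        return False, f"tool {tool!r} not granted to this agent"
    if tool == "http_get":
        target = urlparse(call.get("args", {}).get("url", ""))
        if target.scheme != "https" or target.hostname not in ALLOWED_HOSTS:
            return False, f"host {target.hostname!r} outside allowlist"
    return True, "ok"


def dispatch(calls):
    # A real dispatcher would execute the allowed calls; here we only decide.
    return [authorize_tool_call(c) for c in calls]
```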
The Flight from Full Automation
With all these existential threats, you might assume security teams are leaning heavily on AI to secure their AI. The data shows the exact opposite, per a Cobalt survey of 450 security leaders and practitioners, published in the aforementioned AI and Pentesting Pulse Report. The survey shows a massive retreat.
Openness to purely autonomous pentesting plummeted 20 points year-over-year, dropping to just 9%.
Why the sudden loss of faith? Hard operational reality. 78% of security teams reported experiencing critical false negatives from purely automated scanning tools.
Automated scanners are brilliant at finding known, signature-based vulnerabilities. But they fail miserably at AI security. Prompt injection exploits and excessive agency flaws require creative, multi-turn interaction chains. They require adversarial psychology. These logic flaws are entirely invisible to tools that test using single-shot automated queries.
As a result, the market has learned a painful lesson: expansive coverage is not the same as true security assurance. We are seeing a massive, necessary pivot to a hybrid testing model: 47% of teams now explicitly prefer using automation for coverage and frequency on their non-critical assets, while strictly anchoring their critical systems and AI applications with expert, human-led testing.
Shadow AI and the Practitioner Disconnect
Beneath the technical vulnerabilities lies a massive, messy human element.
While 19% of organizations confirmed experiencing an AI security incident, a staggering 44% of those incidents were caused by shadow AI—unapproved, rogue employee use. Think of the well-meaning marketing manager pasting your proprietary financial data into a public LLM to generate a quick summary. You cannot secure an attack surface you don't know exists.
This lack of visibility is eroding internal confidence. The share of organizations that feel "well-equipped" to address AI threats fell 13 points (to just 51%). Meanwhile, 61% of security teams are now desperately calling for a "strategic pause" to recalibrate their defenses against AI-driven threats.
This leads us to the single most consequential finding in the entire 2026 dataset: leaders and practitioners are sharply divided on how well they are meeting SLAs.
- 57% of security leaders believe their organization consistently meets remediation SLAs.
- Only 15% of the security practitioners doing the actual work agree.
That 42-point gap isn't a rounding error; it's a massive governance failure. Practitioners carry the operational risk—and 78% of them say the security team will take the internal blame if an AI incident occurs—while leadership substantially underestimates the engineering bottlenecks required to fix complex LLM architecture.
Deep Dive Take and Summary
When you look at all of this data holistically, the story is clear: the AI attack surface is additive, highly critical, and stubbornly resistant to quick fixes. We are watching the industry rapidly mature from the "deploy everywhere" honeymoon phase into the painful "how do we actually secure this?" reality.
The drop in reliance on fully automated pentesting is actually a healthy sign. It proves that practitioners are seeing through the vendor hype and demanding actual assurance rather than just coverage. But the divide between what leadership thinks is happening (SLAs being met) and what practitioners are actually experiencing (a 2-to-1 resolution deficit and rising MTTRs) is a crisis waiting to happen.
To close the massive 25x execution gap—where top-performing organizations fix high-risk findings in 10 days while laggards take 249 days—we have to stop treating AI pentesting like a compliance checklist. The organizations winning this battle have abandoned reactive testing in favor of continuous, programmatic offensive security. They are 4.5 times more likely to resolve critical findings within aggressive 3-day SLAs.
Key Takeaways
- The Threat is Inside, Not Sci-Fi: Forget the government pullbacks of theoretical super-models; the real danger is a 2.7x critical vulnerability rate in the LLMs you are deploying today.
- Expect Slower Fixes (and That's OK): A rising MTTR (from 19 to 36 days) isn't inherently bad if it means your team is finally fixing complex architectural flaws rather than just low-hanging fruit.
- Hybrid Testing is Mandatory: With 78% of teams catching false negatives in purely automated tools, you must anchor critical AI testing with human-led adversarial psychology. Automation is for coverage; humans are for assurance.
- Bridge the Perception Gap: If your leadership thinks SLAs are being met while your engineers are drowning in unresolved AI findings, you have a governance failure that will eventually result in a breach.
