A CISO’s Perspective: Mythos and the End of Traditional Vulnerability Timelines

The Verizon DBIR Says Attackers Are Winning. Our Data Shows It's Getting Worse.

Each year, the Verizon Data Breach Investigations Report (DBIR) provides a snapshot of how attackers operate. This year's report delivers a particularly important signal for security leaders: attackers are increasingly gaining access through vulnerability exploitation. That's concerning, to say the least.

However, what's even more concerning is that our data suggests organizations aren't keeping pace.

Despite growing security budgets, increased adoption of pentesting, and greater visibility than ever before, many security teams continue to struggle to reduce exposure quickly enough to keep pace with a rapidly expanding attack surface. We know this because we analyzed thousands of pentests in our annual 2026 State of Pentesting Report.

Looking at both reports side by side, one conclusion stands out to me: this is an execution problem, and it appears to be getting worse. Most organizations are not reducing exposure quickly enough to keep pace with a rapidly evolving attack surface.

We Don't Have a Visibility Problem. We Have an Exposure Problem

One of the clearest findings from our 2026 State of Pentesting Report is that the biggest difference between leading organizations and everyone else isn't how many vulnerabilities they discover.

It's how quickly they remediate them. Top-performing organizations achieve a high-risk finding half-life of just 10 days. Organizations in the bottom tier take 249 days to reach the same point. That's an eight-month difference in exposure for vulnerabilities both organizations already know exist.
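As an added example (not code from the post or from Cobalt), here is one way to compute a high-risk finding half-life from a finding-tracker export and place it against the two tiers the post quotes. The report's exact method is not described here, so the definition used (the age at which half of the cohort is closed) is an assumption, and the sample findings are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Tier thresholds quoted in the post: top performers reach a high-risk
# half-life of 10 days, the bottom tier 249 days.
TOP_TIER_DAYS = 10
BOTTOM_TIER_DAYS = 249

@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str                      # e.g. "high", "medium", "low"
    discovered: date
    resolved: Optional[date] = None    # None means the finding is still open

def finding_half_life(findings, severity="high"):
    """Days from discovery until half of the findings at this severity are
    resolved (assumed definition: the age at which the median finding of the
    cohort is closed). Returns None when fewer than half are resolved, i.e.
    the half-life has not been reached yet."""
    cohort = [f for f in findings if f.severity == severity]
    if not cohort:
        return None
    closed_ages = sorted(
        (f.resolved - f.discovered).days for f in cohort if f.resolved is not None
    )
    needed = (len(cohort) + 1) // 2    # ceil(n / 2): half the cohort
    if len(closed_ages) < needed:
        return None                    # still-open findings are the majority
    return closed_ages[needed - 1]

def tier(half_life_days):
    """Place a half-life against the two tiers the post quotes."""
    if half_life_days is None:
        return "half-life not reached"
    if half_life_days <= TOP_TIER_DAYS:
        return "top tier"
    if half_life_days >= BOTTOM_TIER_DAYS:
        return "bottom tier"
    return "between tiers"

# Constructed sample export from a pentest tracker (not real findings).
SAMPLE = [
    Finding("F-1", "high", date(2026, 1, 5), date(2026, 1, 8)),     # 3 days
    Finding("F-2", "high", date(2026, 1, 5), date(2026, 1, 12)),    # 7 days
    Finding("F-3", "high", date(2026, 1, 6), date(2026, 1, 18)),    # 12 days
    Finding("F-4", "high", date(2026, 1, 6), date(2026, 2, 5)),     # 30 days
    Finding("F-5", "high", date(2026, 1, 7)),                       # still open
    Finding("F-6", "high", date(2026, 1, 9)),                       # still open
    Finding("F-7", "medium", date(2026, 1, 9), date(2026, 1, 10)),  # other severity
]

if __name__ == "__main__":
    hl = finding_half_life(SAMPLE)
    print(f"high-risk half-life: {hl} days ({tier(hl)})")
```

Open findings count against the cohort, so a tracker full of unresolved high-risk items reports no half-life at all rather than a misleadingly short one.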

What makes that gap even more concerning is that the economics of vulnerability discovery are changing. Advances in AI are accelerating how quickly vulnerabilities can be identified, validated, and operationalized. Tasks that once took researchers or attackers weeks to complete can increasingly be accomplished in days or even hours. This makes remediation speed far more important, and the clearest indicator of security maturity.

The Attack Surface Is Expanding Faster Than Organizations Can Adapt

Organizations are rapidly integrating AI into products and business workflows, often faster than security programs can evolve alongside them. Our pentest data found that LLMs and AI applications contain high-risk findings at nearly 2.7 times the rate of traditional software. Yet despite that elevated risk, the highest-risk findings in this category have the lowest resolution rate of any testing category, with only 38% being remediated.

At the same time, confidence in AI security is moving in the opposite direction. The percentage of organizations that feel well-equipped to address AI security challenges dropped from 64% last year to 51% this year.

AI is amplifying an existing challenge. Security teams were already struggling to keep pace with remediation demands. Now they're being asked to secure technologies that introduce new attack paths, new vulnerabilities, and entirely new operational considerations.

This points to a broader trend: organizations are expanding their attack surfaces fastest in the areas where they have the least operational maturity.

The Biggest Risk Might Be Organizational

Perhaps the most revealing finding in our research wasn't technical at all. While 57% of executives believe their organizations consistently meet remediation SLAs, only 15% of practitioners responsible for the work agree.

That gap suggests many organizations may not fully understand how much risk remains unresolved—or how difficult remediation has become as environments grow more complex.

To me, this may be one of the most important findings in the entire report.

Technology challenges can often be solved with investment, process improvements, or innovation. Organizational blind spots are much harder to address because they can create a false sense of confidence precisely when greater urgency is required.

The result is a dangerous disconnect between leadership expectations and operational reality at precisely the moment when attackers are becoming more effective.

Moving From Visibility to Velocity

What gives me optimism is that we also see a path forward. The organizations pulling ahead are not necessarily the ones spending the most or deploying the most tools. They're the ones building continuous, programmatic security practices with ongoing testing, validated findings, and integrated workflows that ensure rapid remediation and retesting.

The 2026 data sends a loud and clear message: the winners of this race will be those who fix vulnerabilities fastest.
About Sonali Shah
Sonali Shah joined Cobalt as CEO in August 2024. She joined us after serving on the company’s Board of Directors. She is a seasoned business leader and product visionary with more than 20 years of experience scaling high-growth businesses across the cybersecurity landscape. Shah holds an MBA from Wharton and a Master's in Economics from the London School of Economics.