Organizations Fix Less Than Half of All Exploitable Vulnerabilities, With Just 21% of GenAI App Flaws Resolved

SAN FRANCISCO--(BUSINESS WIRE)--Cobalt, the pioneer of penetration testing as a service (PTaaS) and leading provider of offensive security services, today announced its seventh annual State of Pentesting Report 2025, revealing that organizations are fixing less than half of all exploitable vulnerabilities, with just 21% of genAI app flaws being resolved.

The Cobalt State of Pentesting Report aims to explore the landscape of vulnerabilities organizations battle today and identifies how security leaders' understanding of their security posture can be contradicted by the number of unremediated threats in their organization. Based on an analysis of pentests carried out by Cobalt, combined with the results of surveyed security leaders, Cobalt found crucial discrepancies exist between how “safe” security leaders believe their organizations are versus the reality.

Key findings include:

• Over-confidence: 81% of security leaders are “confident” in their firm’s security posture, despite 31% of the serious findings discovered having not been resolved.
• Too many findings left unresolved: Overall, firms are remediating just 48% of all pentest results, however, this number significantly improves (69%) for findings labeled serious (vulnerabilities rated high and critical severity).
• GenAI vulnerabilities are most vulnerable: Organizations are particularly struggling with vulnerabilities within their genAI Large Language Model (LLM) web apps. Most (95%) firms have performed pentesting on these apps in the last year with a third (32%) of tests finding vulnerabilities warranting a serious rating.
  • Of those findings, a mere 21% of vulnerabilities were fixed, with risks including prompt injection, model manipulation, and data leakage.
  • 72% ranked AI attacks as their number one concern–ahead of risks associated with third-party software, exploited vulnerabilities, insider threats, and nation state actors.
  • Only 64% say they are “well equipped to address all security implications of genAI.”
• Speed over security: More than half of security leaders (52%) say they are getting pressure to support speed at the cost of security.
• Lack in software security assurance: Just half (50%) fully trust that they can identify and prevent a vulnerability from their software suppliers–a particular concern given that 82% are required by customers/regulators to provide software security assurance.

“Regular pentesting has never been so important, particularly given the breakneck speed of AI adoption and the vulnerabilities that are introduced into an organization’s security posture,” said Gunter Ollman, CTO, Cobalt. “It’s a concern that 31% of serious vulnerabilities are not being fixed, however at least these firms are aware of the problem and can develop strategies to mitigate the risk. Organizations that do take an offensive security approach are taking a huge step to strengthening defenses against cybercriminals who typically attack opportunistically. In doing so they’re getting ahead of any compliance requirements and reassuring their customers that they’re safe to do business with.”

Methodology

The report analyzes two different datasets. The majority of analysis is based on data collected during Cobalt pentests. This is supplemented by insights collected via a survey by a third-party research firm, Emerald Research. All penetration testing data analyzed in this report was collected through Cobalt pentests. This spans more than 2,700 organizations. Metadata from these pentests was exported from the Cobalt Offensive Security Platform, sanitized to remove client-identifying and other sensitive details, and provided to Cyentia Institute for independent analysis.

Additional Resources:

• Read the State of Pentesting Report
• Read the State of Pentesting Report blog
• Register for the State of Pentesting Report webinar