Cobalt Reports: All Statistics
Server security misconfigurations: 34.9% in the financial services industry (versus 27.9% average in other industries).
Sensitive data exposure: 10.5% in the financial services industry (versus 8.0% average in other industries).
Components with known vulnerabilities: 6.1% in the financial services industry (versus 5.5% average in other industries).
Approximately one-third of serious issues are never resolved by the organizations in the financial services industry, contributing to backlog and systemic risk.
Financial services firms demonstrate strengths in avoiding common, code-level flaws due to mature security programs and automated scanning (SAST/DAST). However, they struggle with vulnerabilities that require human-led testing.
Business logic flaws: 2.9% in the financial services industry (versus 2.3% average in other industries).
Server-side injection (Web/API): 4.2% in the financial services industry (versus 5.3% average in other industries).
68% of financial services leaders highlight GenAI-related risks as a top concern.
46% of financial services leaders highlight insider threats as a top concern.
The Median Time to Remediation (MTTR) for serious findings is 61 days in the financial services industry. This ranks financial services 11th of 13 industries measured.
78% of financial services firms report fixing critical vulnerabilities in business-critical assets within 14 days, indicating they narrowly meet strict internal SLA requirements.
70% of financial services firms report that delays in scheduling pentests sometimes impact compliance or business timelines.
76% of financial services leaders highlight third-party software vulnerabilities as a top concern.
The half-life for serious findings is 147 days in the financial services industry. This metric, which accounts for unresolved vulnerabilities, places financial services ninth of the 13 industries measured.
Cross-site scripting (Web/API): 5.0% in the financial services industry (versus 9.7% average in other industries).
Industries like hospitality resolve serious findings significantly faster than the financial services industry (20 days for hospitality vs 61 days for financial services).
The financial services industry resolves about two-thirds (66.7%) of serious findings. This ranks the industry 10th of the 13 industries Cobalt researched.
Healthcare resolved only 57.4% of serious pen test findings. This ranks healthcare 11th of 13 industries. By comparison, transportation led with 80.2%.
71% of healthcare leaders cited GenAI as the top risk.
14% of healthcare organizations resolve critical findings in business-critical assets within eight to 14 days.
68% of healthcare leaders cited third-party software as the top risk.
The 2025 breach at DaVita compromised over 900,000 patients' personal and clinical data.
Just 13.3% of healthcare pentest findings qualify as “serious”. This ranks healthcare 6th-best out of 13 industries.
43% of healthcare organizations resolve critical findings in business-critical assets in one to three days.
Healthcare’s half-life for serious pen test findings was 244 days. This ranks healthcare 11th of 13 industries. Transportation had a half-life of 43 days.
Healthcare’s median time to resolve serious pen test findings was 58 days. This ranks healthcare 10th of 13 industries. Hospitality led with 20 days.
Nearly 40% of healthcare SLAs require serious findings in business-critical assets to be fixed within three days. Another 40% require resolution within four to 14 days.
37% of healthcare organizations resolve critical findings in business-critical assets within four to seven days.
53% of respondents supplement their efforts with internal testing.
73% of security leaders reported receiving at least one notification of a software supply chain vulnerability or incident within the past year.
Nearly nine in 10 security leaders (88%) view penetration testing as an essential component of their overall security programme.
55% of respondents conduct independent code reviews.
46% of security leaders are uneasy about AI-driven features and large language models.
55% of security leaders are constantly worried that a single employee mistake could put their entire organisation at risk.
60% of security leaders believe that attackers are evolving too quickly to maintain a truly resilient security posture.
68% of security leaders are concerned about the risks associated with third-party software tools and components integrated into their tech stacks.
68% of security leaders state that their boards now view the secure deployment of generative AI as a critical priority.
More than half (58%) of respondents require third-party penetration test reports to validate software security.
68% of CISOs consider supply chain risk and generative AI security to be top concerns, viewing them as intertwined challenges that are redefining the attack surface.
45% of cybersecurity practitioners expressed concern about near-term operational genAI risks such as inaccurate outputs.
33% of respondents are still not conducting regular security assessments, including penetration testing, for their Large Language Model (LLM) deployments.
68% of cybersecurity practitioners expressed concern about long-term genAI threats like adversarial attacks.
32% of LLM pentest findings are serious.
Overall, 69% of serious findings across all pentest categories are resolved.
The resolution rate for high-severity vulnerabilities found in LLM pentests falls to just 21%.
48% of security leaders believe a “strategic pause” is needed to recalibrate defenses against genAI-driven threats.
36% of security leaders and practitioners admit that generative AI (genAI) is moving faster than their teams can manage.
72% of security leaders cite genAI-related attacks as their top IT risk.