Report by Cobalt

State of Pentesting in Financial Services 2025

17 findings · Published Sep 30, 2025

Key Findings

Server security misconfigurations: 34.9% in the financial services industry (versus 27.9% average in other industries).

Source: Cobalt, State of Pentesting in Financial Services 2025 · Sep 30, 2025
Tags: Financial services · Pen test · Vulnerabilities · Misconfiguration · Server-side misconfiguration

Sensitive data exposure: 10.5% in the financial services industry (versus 8.0% average in other industries).

Components with known vulnerabilities: 6.1% in the financial services industry (versus 5.5% average in other industries).

Approximately one-third of serious issues are never resolved by the organizations in the financial services industry, contributing to backlog and systemic risk.

Financial services firms demonstrate strengths in avoiding common, code-level flaws due to mature security programs and automated scanning (SAST/DAST). However, they struggle with vulnerabilities that require human-led testing.

Business logic flaws: 2.9% in the financial services industry (versus 2.3% average in other industries).

Server-side injection (Web/API): 4.2% in the financial services industry (versus 5.3% average in other industries).

68% of financial services leaders highlight GenAI-related risks as a top concern.

46% of financial services leaders highlight insider threats as a top concern.

The Median Time to Remediation (MTTR) for serious findings is 61 days in the financial services industry. This ranks financial services 11th of 13 industries measured.

78% of financial services firms report fixing critical vulnerabilities in business-critical assets within 14 days, indicating they narrowly meet strict internal SLA requirements.

70% of financial services firms report that delays in scheduling pentests sometimes impact compliance or business timelines.

76% of financial services leaders highlight third-party software vulnerabilities as a top concern.

The half-life for serious findings is 147 days in the financial services industry. This metric, which also accounts for vulnerabilities that are never resolved, places financial services ninth overall out of the thirteen industries measured.

Cross-site scripting (Web/API): 5.0% in the financial services industry (versus 9.7% average in other industries).

Industries like hospitality resolve serious findings significantly faster than the financial services industry (a median of 20 days versus 61 days for financial services).

The financial services industry resolves about two-thirds (66.7%) of serious findings. This ranks the industry 10th of the 13 industries Cobalt researched.