Larger organisations take over a month longer (61 days) than smaller ones (27 days) to resolve serious findings in pentests.
Cobalt · State of Pentesting Report 2025 · Apr 14, 2025
Testing, Pen testing, Offensive security, Security assessment, Vulnerability remediation
94% of security leaders agree that pentesting is foundational to security.
Cobalt · State of Pentesting Report 2025 · Apr 14, 2025
Testing, Pen testing, Offensive security
69% of the highest-risk (serious) vulnerabilities are resolved.
Cobalt · State of Pentesting Report 2025 · Apr 14, 2025
Vulnerabilities, Vulnerability management, Vulnerability remediation
Median time to resolve issues of all criticalities stretches to 67 days.
Cobalt · State of Pentesting Report 2025 · Apr 14, 2025
Vulnerabilities, Vulnerability management, Vulnerability remediation
81% of organisations believe their security posture is strong.
Cobalt · State of Pentesting Report 2025 · Apr 14, 2025
Security posture
Financial companies have a lower rate of serious findings (11%) in pentests.
Cobalt · State of Pentesting Report 2025 · Apr 14, 2025
Testing, Pen testing, Offensive security, Security assessment, Vulnerability remediation
Fewer than half (48%) of vulnerabilities are remediated.
Cobalt · State of Pentesting Report 2025 · Apr 14, 2025
Vulnerabilities, Vulnerability management, Vulnerability remediation
46% of companies commit to fix critical vulnerabilities within just three days.
Cobalt · State of Pentesting Report 2025 · Apr 14, 2025
Vulnerabilities, Vulnerability management, Vulnerability remediation
98% of organisations are incorporating generative AI technologies into their products.
Cobalt · State of Pentesting Report 2025 · Apr 14, 2025
AI, Gen AI
Large organisations resolve only 60% of serious pentest findings.
Cobalt · State of Pentesting Report 2025 · Apr 14, 2025
Testing, Pen testing, Offensive security, Security assessment, Vulnerability remediation
LLM pentests yield a higher proportion of serious vulnerabilities (32%) than any other asset type tested.
Cobalt · State of Pentesting Report 2025 · Apr 14, 2025
LLM, Pen testing, Offensive security, Security assessment, Vulnerabilities
Since 2017, the median time to resolve serious vulnerabilities has decreased dramatically—from 112 days down to 37 days last year.
Cobalt · State of Pentesting Report 2025 · Apr 14, 2025
Vulnerabilities, Vulnerability remediation, Vulnerability management
Most companies set ambitious service-level agreements (SLAs) requiring vulnerabilities to be fixed within 14 days.
Cobalt · State of Pentesting Report 2025 · Apr 14, 2025
Vulnerabilities, SLAs
The share of serious pentest findings resolved in each calendar year remains stuck at just 55%.
Cobalt · State of Pentesting Report 2025 · Apr 14, 2025
Testing, Pen testing, Offensive security, Security assessment, Vulnerability remediation
15% of organisations resolve 10% or less of their serious findings in pentests.
Cobalt · State of Pentesting Report 2025 · Apr 14, 2025
Testing, Pen testing, Offensive security, Security assessment, Vulnerability remediation
Only 66% of organisations are conducting regular security assessments like pentesting on their AI products.
Cobalt · State of Pentesting Report 2025 · Apr 14, 2025
Testing, Pen testing, Offensive security, Security assessment, AI
Only 21% of serious vulnerabilities discovered in LLM tests are being resolved.
Cobalt · State of Pentesting Report 2025 · Apr 14, 2025
LLM, Pen testing, Offensive security, Security assessment, Vulnerabilities
The fall in median time to resolve serious vulnerabilities since 2017 (from 112 days to 37 days) represents a cut of 75 days, or two-thirds.
Cobalt · State of Pentesting Report 2025 · Apr 14, 2025
Vulnerabilities, Vulnerability remediation, Vulnerability management
The proportion of serious findings in pentests has also declined by about half (from 20% to 11%) over 10 years.
Cobalt · State of Pentesting Report 2025 · Apr 14, 2025
Testing, Pen testing, Offensive security, Security assessment
Small companies lead with 81% of serious findings in pentests resolved.
Cobalt · State of Pentesting Report 2025 · Apr 14, 2025
Testing, Pen testing, Offensive security, Security assessment, Vulnerability remediation
57% of organisations resolve at least 90% of their serious findings in pentests.
Cobalt · State of Pentesting Report 2025 · Apr 14, 2025
Testing, Pen testing, Offensive security, Security assessment, Vulnerability remediation
AI and LLM security has emerged as the top concern among security professionals (72%).
Cobalt · State of Pentesting Report 2025 · Apr 14, 2025
AI, LLM