Report by Cobalt

State of Pentesting Report 2025

22 FINDINGSPublished Apr 14, 2025
View Original Report →

Key Findings

Larger organisations take over a month longer (61 days) than smaller ones (27 days) to resolve serious findings in pentests.

CobaltState of Pentesting Report 2025·1y ago
TestingPen testingOffensive securitySecurity assessmentVulnerability remediation

94% of security leaders agree that pentesting is foundational to security.

CobaltState of Pentesting Report 2025·1y ago
TestingPen testingOffensive security

69% of the highest-risk (serious) vulnerabilities are resolved.

CobaltState of Pentesting Report 2025·1y ago
VulnerabilitiesVulnerability managementVulnerability remediation

Median time to resolve issues of all criticalities stretches to 67 days.

CobaltState of Pentesting Report 2025·1y ago
VulnerabilitiesVulnerability managementVulnerability remediation

81% of organisations believe their security posture is strong.

CobaltState of Pentesting Report 2025·1y ago
Security posture

Financial companies have a lower rate of serious findings (11%) in pentests.

CobaltState of Pentesting Report 2025·1y ago
TestingPen testingOffensive securitySecurity assessmentVulnerability remediation

Less than half (48%) of vulnerabilities are remediated.

CobaltState of Pentesting Report 2025·1y ago
VulnerabilitiesVulnerability managementVulnerability remediation

46% of companies commit to fix critical vulnerabilities within just three days.

CobaltState of Pentesting Report 2025·1y ago
VulnerabilitiesVulnerability managementVulnerability remediation

98% of organisations are incorporating generative AI technologies into their products.

CobaltState of Pentesting Report 2025·1y ago
AIGen AI

Large organisations resolve only 60% of serious pentest findings.

CobaltState of Pentesting Report 2025·1y ago
TestingPen testingOffensive securitySecurity assessmentVulnerability remediation

LLM pentests yield the highest proportion of serious vulnerabilities (32%) than any other asset type tested.

CobaltState of Pentesting Report 2025·1y ago
LLMPen testingOffensive securitySecurity asessmentVulnerabilities

Since 2017, the median time to resolve serious vulnerabilities has decreased dramatically—from 112 days down to 37 days last year.

CobaltState of Pentesting Report 2025·1y ago
VulnerabilitiesVulnerability remediationVulnerability management

Most companies set ambitious service-level agreements (SLA) requiring vulnerabilities to be fixed within 14 days.

CobaltState of Pentesting Report 2025·1y ago
VulnerabilitiesSLAs

The rate for serious findings in pentests being resolved in each calendar year remains stuck at just 55%.

CobaltState of Pentesting Report 2025·1y ago
TestingPen testingOffensive securitySecurity assessmentVulnerability remediation

15% of organisations resolve 10% or less of their serious findings in pentests.

CobaltState of Pentesting Report 2025·1y ago
TestingPen testingOffensive securitySecurity assessmentVulnerability remediation

Only 66% of organisations are conducting regular security assessments like pentesting on their AI products.

CobaltState of Pentesting Report 2025·1y ago
TestingPen testingOffensive securitySecurity asessmentAI

Only 21% of serious vulnerabilities discovered in LLM tests are being resolved.

CobaltState of Pentesting Report 2025·1y ago
LLMPen testingOffensive securitySecurity asessmentVulnerabilities

This represents a cut of 75 days, or two-thirds.

CobaltState of Pentesting Report 2025·1y ago
VulnerabilitiesVulnerability remediationVulnerability management

The proportion of serious findings in pentests has also declined by about half (from 20% to 11%) over 10 years.

CobaltState of Pentesting Report 2025·1y ago
TestingPen testingOffensive securitySecurity assessment

Small companies lead with 81% of serious findings in pentests resolved.

CobaltState of Pentesting Report 2025·1y ago
TestingPen testingOffensive securitySecurity assessmentVulnerability remediation

57% of organisations resolve at least 90% of their serious findings in pentests.

CobaltState of Pentesting Report 2025·1y ago
TestingPen testingOffensive securitySecurity assessmentVulnerability remediation

AI and LLM security has emerged as the top concern among security professionals (72%).

CobaltState of Pentesting Report 2025·1y ago
AILLM